Earlier this week, the U.S. Department of Justice unsealed an indictment accusing two men linked to China’s Ministry of State Security of a decade-long campaign of hacking dissidents, human rights activists, and a variety of private sector targets, including most recently entities working on COVID-19 treatments, tests, and vaccines. This cyberattack attribution follows on the heels of last week’s joint U.K., U.S., and Canadian advisory accusing Russian intelligence services of targeting COVID-19 vaccine development “with the intention of stealing information and intellectual property.” Both are part of an uptick in governmental attributions of state-sponsored cyberattacks over the last few years, including internationally coordinated attributions of the WannaCry attack to North Korea, the NotPetya attack to Russia, and October 2019 cyberattacks on Georgia to Russia.
But the relationship of these and other cyberattack attributions to international law is not well understood.
Attributions interact with international law in at least in two ways. First, cyberattack attribution announcements could explicitly say that particular cyberattacks violate international law. To date, however, attributions do not typically call out cyberattacks as international law violations. At most, they characterize cyberattacks as violations of international norms. In a press conference on the latest attribution, for example, Assistant Attorney General John Demers alleged, “state-sponsored theft of intellectual property and knowingly providing . . . safe havens for cyber criminals . . . run afoul of norms of acceptable state behavior in cyberspace.” Although this may represent a missed opportunity to clarify the primary legal rules for state behavior in cyberspace (that is, what states can and can’t do), attributions can influence international law in another way that’s less obvious but equally important. Cyberattack attributions can foster agreement on secondary international law rules about how to accuse states of cyberattacks—should states have to give evidence to support cyberattack attributions or not?
Read the full post at Just Security.