When a state seeks to defend itself against a cyberattack, must it first identify the perpetrator responsible? The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.
International law addresses in part the question of when attribution is required. The international law on state responsibility permits a state that has suffered an internationally wrongful act to take countermeasures, but only against the state responsible. This limitation implies that attribution is a necessary prerequisite to countermeasures. But international law is silent about whether attribution is required for lesser responses, which may be more common. Moreover, even if states agree that attribution is required in order to take countermeasures, ongoing disagreements about whether certain actions, especially violations of sovereignty, count as internationally wrongful acts are likely to spark disputes about when states must attribute cyberattacks in order to respond lawfully.
Under domestic US law, attributing a cyberattack to a particular state bolsters the authority of the executive branch to take action. Congress has authorized the executive to respond to attacks from particular countries and nonstate actors in both recent cyber-specific statutory provisions and the long-standing Authorizations for Use of Military Force (AUMFs) related to 9/11 and the Iraq War. Attribution to one of these congressionally designated sources of attack ensures that the executive branch need not rely solely on the president’s independent constitutional authority as commander in chief when responding, but instead can act with the combined authority of Congress and the president.
Common across international and US law is the fact that cyberattack attribution serves as both a potential source of empowerment and a potential constraint on governmental action. In both systems, attribution of a cyberattack to another state bolsters the US executive branch’s authority to respond, and conversely, the absence of attribution can place the executive on less certain legal footing.
This essay proceeds in three parts. It first explains cyberattack attribution and attribution’s interaction with existing international law on the use of force and state responsibility. The next section turns to the US “defend forward” policy and explores how it may spur disagreements about when states must attribute cyberattacks, even if they agree on the general legal framework set out in the first part. The essay then briefly addresses US domestic law and explains how congressional authorizations for certain military actions depend on attribution. The conclusion discusses how attribution can shape, not just be shaped by, the international and domestic legal systems.