Publication details

Stuxnet vs WannaCry and Albania: Cyber-attribution on Trial

Authors

VOSTOUPAL Jakub

Year of publication 2024
Type Article in Periodical
Magazine / Source Computer Law & Security Review
MU Faculty or unit

Faculty of Law

Citation
web Časově omezený autorský odkaz na publikovaný text výsledku
Doi http://dx.doi.org/10.1016/j.clsr.2024.106008
Keywords Cyber-attribution; Hacker group; State responsibility; Cyberattacks; Stuxnet; Wannacry
Attached files
Description The cyber-attribution problem poses a significant challenge to the effective application of international law in cyberspace. Rooted in unclear standards of proof, evidence disclosure requirements, and deficiencies within the legal framework of the attribution procedure, this issue reflects the limitations of some traditional legal concepts in addressing the unique nature of cyberspace. Notably, the effective control test, introduced by the ICJ in 1986 and reaffirmed in 2007 to attribute the actions of non-state actors, does not adequately account for the distinctive dynamics of cyberspace, allowing states to use proxies to evade responsibility. The legal impracticality and insufficiency of the attribution procedure not only give rise to the cyber-attribution problem but also compel states to develop new attribution tactics. This article explores the evolution of these cyber-attribution techniques to assess whether contemporary state practices align with the customary rules of attribution identified by the ICJ and codified by the ILC within ARSIWA, or whether new, cyber-specific rules might emerge. By analyzing two datasets on cyber incidents and three distinct cases – Stuxnet, WannaCry, and the 2022 cyberattacks against Albania – this article concludes that the effective control test cannot be conclusively identified as part of customary rules within cyberspace due to the insufficient support in state practice. Furthermore, it is apparent that the rules of attribution in the cyber-specific context are in a disarray, lacking consistent, widespread and representative practice to support a general custom. However, emerging state practice shows some degree of unification and development, suggesting the potential for the future establishment of cyber-specific rules of attribution.

You are running an old browser version. We recommend updating your browser to its latest version.

More info