In late 2018, the U.S. Secretary of Homeland Security suggested that “cyber-attacks now exceed the risk of physical attacks.” Yet the law has not kept pace with this reality. In particular, identifying who is responsible for a cyberattack makes it difficult to regulate this conduct. A state often cannot practically respond to a threat unless it knows from where the threat emanates and potentially who is responsible. Attribution of cyber conduct is critical from a legal perspective because the unlawful act must be attributable to another state for state responsibility to be engaged.

This essay provides an overview of this attribution problem in the context of cyberattacks that might qualify as armed attacks for purposes of the jus ad bellum. These attacks are especially grave and, as such, ones that states will most want to respond to decisively. Understanding the availability and limits of a lawful response is therefore critical. The essay begins by briefly reviewing the current state of international law concerning armed attacks and self defense, and whether and how cyberattacks fit within this framework. It then examines the attribution problem, noting that there are both technical and legal hurdles to overcome when attempting to reconcile conventional approaches to attribution with the unconventional characteristics of a cyberattack. Finally, it proposes amore contextually appropriate model for attribution that states could use in the case of cyber armed attacks to address the attribution problem.


international law, cyberattacks, cyber armed attacks, responsibility problem, attribution problem

Link to Publisher Version (URL)


Find in your library

Included in

Law Commons