In this policy brief, Dennis Broeders, Els De Busser and Patryk Pawlak discuss attribution of in cyberspace from three different perspectives: criminal law, international law and policy. Published together with EU Cyber Direct.
Attribution can be broadly defined as the process of assigning responsibility for a (malicious) cyber activity to a specific actor on the basis of the available evidence, including all-source intelligence, forensic investigation, and taking into account the political context. Given the sensitive nature of such evidence and the implications that a decision about attribution might have on bilateral relations between the accuser and the accused, states maintain their exclusive right to attribute (or not) a cyber operation based on their own methods, procedures and political interests.
In the relatively short history of attribution of cyber-attacks, states have used different paths. While many attributions are hidden from the scrutiny of public opinion, some states have also opted for more public forms of attribution through indictments under criminal law and political attributions - albeit with a very limited reference to international law and norms that have been violated. These different legal and political regimes however all have their own tale to tell in terms of their internal logic and rules. This policy brief aims to shed some light on how the different stages of the attribution process are addressed in criminal law, international law, and international policy.
The policy brief is a joint publication from The Hague Program for Cyber Norms and EU Cyber Direct. The brief builds on ideas and opinions expressed during two workshops organized in The Hague in May 2019 and Brussels in September 2019. The workshop explored the different approaches to attribution from an international law, a criminal law and a policy perspective. The participating experts were from Europe, Asia, North and South America and had a background in international law, criminal law or policy.