Attributing computer network intrusions has grown in importance as cyber penetrations across sovereign borders have become commonplace. Although advances in technology and forensics have made machine attribution easier in recent years, identifying states or others responsible for cyber intrusions remains challenging. This essay provides an overview of the attribution problem and its international legal dimensions and argues that states must develop accountable attribution mechanisms for international law to have practical value in this sphere.

When the responsibility of more than one state is engaged in relation to a wrongful cyber operation, the relevant states share responsibility for it. Shared responsibility can arise, for instance, when multiple states jointly conduct a cyber operation or when one state is involved in the cyber operation of another state (e.g., by providing assistance or exercising control). In view of the persistent difficulties associated with attribution of cyber conduct, shared responsibility can be a useful analytical framework to broaden the net of possible responsible states in relation to a cyber operation.

In late 2018, the U.S. Secretary of Homeland Security suggested that “cyber-attacks now exceed the risk of physical attacks.” Yet the law has not kept pace with this reality. In particular, identifying who is responsible for a cyberattack makes it difficult to regulate this conduct. A state often cannot practically respond to a threat unless it knows from where the threat emanates and potentially who is responsible. Attribution of cyber conduct is critical from a legal perspective because the unlawful act must be attributable to another state for state responsibility to be engaged.

The challenges of attributing malicious cyber activity—that is, identifying its authors and provenance with a sufficient degree of certainty—are well documented. This essay focuses on a phenomenon that I call “attribution by indictment.” Since 2014, the United States has issued more than a dozen indictments that implicate four foreign states in malicious cyber activity: China, Iran, Russia, and North Korea. Ten of these indictments were issued in 2018, suggesting that this practice is likely to continue and even intensify in the near term. Attribution by indictment uses domestic criminal law, enforced transnationally, to define and enforce certain norms of state behavior in cyberspace. This essay analyzes the U.S. practice of attribution by indictment as a response to malicious cyber activity.

Attribution of state-sponsored cyberattacks can be difficult, but the significant uptick in attributions in recent years shows that attribution is far from impossible. After several years of only sporadic attributions, Western governments in 2017 began attributing cyberattacks to other governments more frequently and in a more coordinated fashion. But nongovernment actors have more consistently attributed harmful cyber activity to state actors. Although not without risks, these nongovernmental attributions play an important role in the cybersecurity ecosystem. They are often faster and more detailed than governmental attributions, and they fill gaps where governments choose not to attribute. Companies and think tanks have recently proposed centralizing attribution of state-sponsored cyberattacks in a new international entity. Such an institution would require significant start-up time and resources to establish efficacy and credibility. In the meantime, the current system of public-private attributions, decentralized and messy though it is, has some underappreciated virtues—ones that counsel in favor of preserving some multiplicity of attributors even alongside any future attribution entity.