A NÁLISIS DE APLICABILIDAD EN CASOS DE PROYECTOS DEL SECTOR ENERGÍA

In the instant context, it is necessary to distinguish the concept of harm from that of internationally wrongful conduct. To put it simply, under the ARS, an internationally wrongful act does not have to result in actual harm. The internationally wrongful act itself is what engages the ARS for the purposes of establishing international responsibility.

However, other theories of CIL which will be discussed infra require a harm to engage the state for purposes of holding the state accountable for those actions. For example, the duty to do no harm theory requires a harm for the CIL prohibition to engage as a matter of international law and for the purposes of the violation being an internationally wrongful act.

This study will briefly discuss the idea of harm so as to demonstrate its applicability to the issue presented, as the evidence of harm may be necessary to link the internationally wrongful act to a state. Evidence of harm caused by state A to state B may be needed to engage a specific rule of CIL; the violation of that rule on behalf of a state may then be seen as an internationally wrongful act. This discussion will serve as a means of clarification to ensure a better-shared understanding and to establish a baseline of understanding going forward.

The harm from malicious cyber-attacks is wide-ranging, from economic harm to physical harm, and it may include harm to private and public property. Malicious cyber-attacks that

200 Matthew J. Sklerov, Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 20 Mil. L. Rev. 1, 14 (2009).

201 See, International Law Commission, Draft Articles on the Prevention of Transboundary Harm from Hazardous Activities, gen. cmt. § 1-5, U.N. GAOR, 53rd Sess. at 148, U.N. Doc. A/56/10 (2001).

137 cause harm cover a wide spectrum of potential malicious cyber-attacks. The range of malicious cyber-attacks may encompass such items as common spam emails that cost businesses money and productivity, to commercial espionage and traditional cyber-espionage against a state that causes economic or physical harm.

Harm is the key element for finding violations of the CIL regarding the duty to do no harm.

Attribution questions aside, the issue is at what level the harm from cyber-attacks violates this prohibition. To answer this question, this study will look at malicious cyber-attacks and the theory of transboundary harm. The ILC, Draft Articles on the Prevention of Transboundary Harm from Hazardous Activities (PTHHA) hold that the harm must be significant.²⁰² The PTHHA holds that the harm may be to “person[s], property, or the environment.”²⁰³ The PTHHA, as a pre-cyber document does not address the issue of cyber-attacks in any form. Instead, the PTHHA limits its coverage to harm that causes physical damage. As such, cyber-attacks with a kinetic impact would be covered under the PTHHA, while malicious cyber-attacks are in doubt. As the PTHHA has not been updated since 2001, this study must hypothesize that malicious cyber-attacks could fall within the PTHHA definition of transboundary harm if the PTHHA were brought into the cyber age.

This hypothesis is supported by the comments to Art. 1 of the PTHHA in which the PTHHA promulgates a cause and effect test for determining transboundary harm. The PTHHA states that a “link must connect the activity with its transboundary effects. This implies a connection of a very specific type—a consequence which does or may arise out of the very nature of the activity or situation in question.”204

Although the PTHHA was discussing a physical link, a link may be demonstrated between a malicious cyber-attack and the corresponding transboundary harm; i.e., the consequence

202 Id. at art. 1. Cf., Alexendre Kiss and Dinah Shelton, Strict Liability in International Environmental Law, GWU Legal Studies Research Paper No. 345; GWU Law School Public Law Research Paper No. 345, http://ssrn.com/abstract=1010478.

203 International Law Commission, Draft Articles on the Prevention of Transboundary Harm from Hazardous Activities, art. 2(b), U.N.GAOR, 53^rd Sess. at 148, U.N. Doc. A/56/10 (2001). (This study would broaden this classification to encompass digital and/or cyber damage without a kinetic impact, thus allowing cyber-attacks to be considered transboundary harm.)

204 International Law Commission, Draft Articles on the Prevention of Transboundary Harm from Hazardous Activities, gen. cmt. §17, U.N.GAOR, 53^rd Sess. at 148, U.N. Doc. A/56/10 (2001).

138 of the malicious cyber-attack arises out of the very nature of the states using malicious cyber-attacks, or allowing non-state actors to carry out malicious cyber-attacks, or by not preventing the same. Thus, it is argued that malicious cyber-attacks may constitute harm.

205 This idea is supported by the fact that malicious cyber-attacks do cause physical harm due to the costs associated with the damage done. The damage may be digital, but the loss is physical in regard to the monetary damage suffered and the costs to rectify the damage after the fact. It is therefore argued that malicious cyber-attacks are a harm that a state has an affirmative duty to prevent as long as the harm is significant, impacts persons, property, and/or the environment, and there is a link between the malicious cyber-attack and the transboundary harm.

The proof needed to link the harm resulting from a malicious cyber-attack to a state was put forth in the Trail Smelter arbitration. In Trail Smelter, the arbitrators adopted the United States common law burden of clear and convincing evidence needed to link transboundary evidence of pollution to the offending state. The tribunal stated that “to control the conduct of one state at the suit of another, the threatened invasion of rights must be of serious magnitude, and it must be established by clear and convincing evidence.”²⁰⁶ While the tribunal was applying United States case law to the issue at hand, it qualified this adoption by stating, “no contrary rule prevails in international law and no reason for rejecting such precedents can be adduced from the limitations of sovereignty inherent in the Constitution of the United States.”²⁰⁷

Since the adoption of this rule by the tribunal, the effects and widespread impact of transboundary pollution have grown.²⁰⁸ With the growth, the debate over the evidentiary requirements to prove transboundary pollution has also been called into question. D’Amato

205 Id.

206 Trail Smelter Case (U.S. v. Can.), 3 Rep. Int’l Arb. Awards 1905, 1964 (11 Mar. 1941). (Discussing Kansas v. Colorado, 185 U.S. 125(1902) and Missouri v. Illinois, 200 U.S. 496 (1906)).

207 Id. See also, Thomas W. Merrill, Golden Rules for Transboundary Pollution, 46 Duke L. J. 931 (1997) (Discussing the clear and convincing rule in transboundary pollution cases).

208 Cf. Anthony D’Amato, Transboundary Pollution (2001), http://anthonydamato.law.

northwestern.edu/IELA/Intech08-2001-edited.pdf.

139 discussed Kirgis’ “modified standard of proof approach,”²⁰⁹ which may be stated as the greater the harm done, the less the burden of proof. This approach, while viable for transboundary pollution where evidence is more easily obtainable, is not ideal regarding malicious cyber-attacks where a single incident may trigger a catastrophic event and yet be completely anonymous. As such, prior to acting in such an incident, a state must possess a higher degree of objective evidence. This study would hold that the standard first elucidated by the Trail Smelter tribunal of clear and convincing evidence is needed to attribute a malicious cyber-attack to a state or non-state actor for a violation of customary international and the duty to do no harm.

209 Id. at 113.

140 Chapter Four: Technical Attribution of Cyber-Attacks

This study now turns to an in-depth discussion concerning the technical aspects of the Internet and cyber-attacks. This study does so as to demonstrate the difficulties involved with attributing cyber-attacks and to discuss the Internet and cyberspace as a shared common. This study undertakes this discussion to ensure that the issue of legal attribution of malicious cyber-attacks is viewed through the understanding of how the digital commons works and the difficulties that malicious cyber-attack attribution poses to computer science.

This study operates on the premise that legal theory alone is not enough to deal with the instant issue of this study and must be taken in context along with the technical realities.

Once this study concludes the discussion regarding the technical aspects of malicious cyber-attacks, this study will engage in a discussion regarding hybrid attribution or what some commentators refer to as circumstantial attribution. This form of attribution is probably the most prevalent form of attribution utilized by states when dealing with the attribution of cyber-attacks. This study uses the term probably as states have not disclosed their methods of attributing cyber-attacks. But, as Goldsmith argued,¹ states most likely use a hybrid form of attribution; utilizing traditional intelligence, cyber-forensics, IP traceback, or other various techniques to attribute attacks. It is debatable whether this type of attribution is enough to establish state responsibility. In addition, for this form of attribution to work, states must disclose the means and methods and the evidence derived therefrom for attribution to be accepted by either the public or juridical bodies; information states will be loath to disclose lest potential advisories learn a state’s cyber capabilities.

This study utilizes the term “technical attribution” to ensure compliance with terminology utilized in computer science.² Both computer science and legal scholarship utilize the term

1Jack Goldsmith, The Sony Hack: Attribution Problems, and the Connection to Domestic Surveillance, LAWFARE (Dec. 19, 2014), https://www.lawfareblog.com/sony-hack-attribution-problems-and-connection-domestic-surveillance. Cf. Jack Goldsmith, Yet More Thoughts on the DNC Hack: Attribution and Precedent, LAWFARE, (July 27, 2016), https://www.lawfareblog.com/yet-more-thoughts-dnc-hack-attribution-and-precedent. Bears in the Midst: Intrusion into the Democratic National Committee, CrowdStrike (June 15, 2016), https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.

2 See, Andrew Nicholson, et al., A Taxonomy of Technical Attribution Techniques for Cyber Attacks 188, European Conference on Information Warfare and Security (Jul. 2012). (Discussing technical attribution techniques for attributing cyber-attacks.).

141 attribution in similar but distinct ways. To avoid confusion between the different types of attribution, this study refers to attribution as used by computer science as “technical

Clark and Landau referred to the instant issue as the attribution problem.⁵ Simply stated, the attribution problem refers to the inability of a state that has been the victim of a cyber-attack to technically attribute the cyber-attack due to the inabilities of technical attribution techniques, thus creating an inability to attribute the attacks due to technical and legal

3 David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution 1, Institute for Defense Analysis, IDA Paper P-3792 (October 2003). See also, Jeffrey Hunker, Bob Hutchinson, and Jonathon Marqulies, Role and Challenges for Sufficient Cyber-Attack Attribution 5, Institute for Infrastructure Information Protect (I3P) (January 2008).

4 Id. See also, Alan Cook, et al., Attribution of Cyber Attacks on Industrial Control Systems 2, ICST Transactions (Preprint) (2017). (“Attribution of cyber[-]attacks lacks a universally accepted definition. Proposed definitions have often been limited in their approach, confining each to subsets of attribution...”)

5 David D. Clark and Susan Landau, Untangling Attribution, 25 Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010). See also, Robert K. Knake, Untangling Attribution: Moving to Accountability in Cyberspace, Subcommittee on Technology and Innovation, Committee on Science and Technology, United States House of Representatives 2nd Session, 111th Congress (July 15, 2010); Jason Healey, Beyond Attribution: Seeking National Responsibility for Cyber Attacks, Atlantic Council Issue Brief (2011). Cf. Michael C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 422 (2011). (Terming the issue as the “attribution challenge.”) See also, Nicholas Tsagourias, 17 J. Conflict & Security L. 230 (2012) (Describing technical attribution as an attempt “to trace back the cyber-attack to its source and ascribe it to an author against whom action can be taken.”) Jeffrey Carr, Responsible Attribution: A Prerequisite for Accountability 1, Tallinn Paper No. 6 (2014). (“Attribution in cyberspace remains an ongoing challenge due to a series of complicating factors such as the ability of an unknown aggressor to mimic the tools, techniques, and procedures of a better-known aggressor…”) Cf., James Scott, It’s the Russians…Or Is It? Cold War Rhetoric in the Digital Age, ICIT (Dec. 13, 2016), http://icitech.org/its-the-russians-or-is-it-cold-war-rhetoric-in-the-digital-age/. (“Western systems lack the security and resiliency to withstand foreign compromise. Moreover, Incident Response techniques and processes are not comprehensive or holistic enough to definitively attribute an incident to a specific threat actor….”)