R ESOLUCIÓN DE C ALIFICACIÓN A MBIENTAL

The ILC first began the study of state responsibility for codification in 1953¹¹⁸ and finally submitted the ARS for consideration to the UNGA in 2001.¹¹⁹ Even after the work of the ILC, the issues the ILC addressed are not, per se, settled, in that the ARS is a representation of the CIL at the time of the ILC’s writing. While the ARS was being drafted, customs and warfare changed very little in international law. However, after the ARS was published in 2001, the ARS has seemingly become, ever so slightly, out of step with the changes in warfare and technology that happened after the ARS was submitted and approvedby the UNGA.¹²⁰

This non-digital distinction regarding the ARS is important as it may be argued that the ARS is representative of the CIL for kinetic, non-digital events, as it did not envision the digital world. This is not to say the ARS is inapplicable to the issues involving malicious attacks; this is to say that custom may have evolved with respect to malicious cyber-attacks for the purpose of state responsibility and attribution other than as posited in the ARS. When the ARS was submitted to the UNGA, only ~8% of the world population had Internet connectivity; as of June 2015, that number had risen to ~44%¹²¹ and is expected to

118A/RES/56/10 at 29 ¶ 30.

119A/RES/56/10 at 42 ¶ 72.

120 U.N.G.A. res. 56/83 (12 Dec. 2001).

121 Internet Growth Statistics, The Global Village Online (15 Sept 2015), http://www.internetworldstats .com/emarketing.htm

67 grow exponentially in the coming years. As access to, and dependence upon, the Internet and cyberspace have grown, so has the state practice (and arguably the opinio juris) of states’ acts in cyberspace. As such, custom may have sprung or is forming, concerning cyberspace since the UNGA approved the ARS.

It must be noted, in support of the above proposition, that the ARS is entirely a pre-cyber document with no reference to cyberspace, the Internet, information systems, information warfare, or even computers. However, the ARS is not alone in this distinction, the main judicial bodies for international law, the ICJ and the ICC, have not yet, as of writing, heard any cases involving cyber warfare, cyber-attacks, or any iteration thereof.

Moreover, international law is reactive. As Professor Michael Schmitt has said, “[l]aw tends to be reactive and responsive to factual context in which it operates. Obviously, this is the case for customary international law, which relies, inter alia, on state practice…”¹²² This reactivity comes into play when events and technology outpace the evolution of the law, forcing the law to regulate ex-post facto. This creates a system of law which relies, in part, on the reactive nature of state practice, yet individual state practice changes as the state reacts to external threats and other stimuli, thus making its application to the issue of state responsibility for malicious cyber-attacks difficult, as states’ practice varies; states themselves change practice depending upon the state they hold responsible for the accused cyber-attack. A prime example of this diverse handling of malicious cyber-attacks is the United States response to disparate cyber-attacks blamed upon Chinese hackers. The United States has sought to hold the purported Chinese hackers individually criminally liable, under domestic United States federal law,¹²³ and hold China as a state responsible in international law by applying sanctions against Chinese officials and state-owned corporations.¹²⁴ The United States practice, if it follows through with sanctions against

122 Michael N. Schmitt, Counter Terrorism and the Use of Force, 5 Marshal Center Papers 2 (2002).

Mark A. Drumbl, Pluralizing International Criminal Justice, 103 Mich. L. Rev.1295, 1304 (2005).

123 Shane Harris, U.S. Poised to Indict China’s Hackers for Cyber Blitz, The Daily Beast, Sept. 9, 2015, http://www.thedailybeast.com/articles/2015/09/09/u-s-poised-to-indict-china-s-hackers-for-cyber-blitz.html.

124 Ellen Nakashima, U.S. Developing Sanctions Against China Over Cyberthefts, Wash. Post, Aug. 30, 2015,

https://www.washingtonpost.com/world/national-security/administration-developing-68 China, is seemingly at odds with the ILC’s ARS, as no direct attribution of malicious cyber-attacks has been demonstrated to date.¹²⁵

Lastly, prior to discussing the ILC’s ARS, a general principle of the traditional understanding of state responsibility needs to be discussed. This traditional understanding of state responsibility is simple: a state is responsible for its own acts, the state’s own nonfeasance, and the actions and nonfeasance of a state’s agents. CIL has created exceptions, recognized by the ILC’s ARS, to this rule through case law from the ICJ, tribunals, and arbitral decisions which, will be discussed infra. However, international law has recognized that due to evolving circumstances, this baseline of state responsibility may be expanded as a matter of international law as discussed previously. This applies to the issues discussed herein; as technology evolves so does the laws governing it.

It is these exceptions to the general rule which are of importance to this study. The difficulty is identifying the exceptions to the general rule and finding adequate legal support for the exceptions so as to argue that the exceptions apply to the issue of malicious cyber-attacks.

To do this, this study, in Chapters Four through Seven, steps away from the ILC’s ARS to identify and discuss applicable rules from other sources of international law and soft law, which, it is argued, assist in developing a framework for holding states responsible for cyber-attacks that originate from within their territory. It should be understood that these exceptions may exist in CIL without impacting the rules put forth in the ILC’s ARS.

This study will turn now to discuss the regime of state responsibility as put forth in the ILC’s ARS. This study utilizes the work of the ILC in the ARS as the ARS has been recognized as part of the corpus of CIL on state responsibility, particularly chapters I-II which this study relies upon. This study will, where necessary, go behind the work of the ILC and discuss germane ICJ case law to assist in the understanding of the instant issue.

sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html.

125 The United States is seemingly relying upon “circumstantial attribution” to attribute the cyber-attacks to China. See, Jason Healey, Concluding Assessment 273-278, in A Fierce Domain:

Conflict in Cyberspace 1986 to 2012 (2013 Jason Healey ed.) (Discussing circumstantial attribution for cyber-attacks.)

69 It is important to note that the ILC’s ARS posits general secondary rules for state responsibility. The ILC’s ARS does not discuss the primary rules or the evidence needed to show a violation thereof. This means that one needs to identify the primary norm being violated and discern how the violation occurred and what evidence is needed to prove the same. Once these elements are met, then the secondary rules of state responsibility are engaged. This precluded the ILC from having to address the multitude of disparate primary norms and their standards of proof. It should be noted that a single incident, particularly in the cyber context, may violate a multitude of primary norms. As such, each norm standing on its own should be analyzed independently, and the secondary rules of state responsibility applied after one discerns the needed rules of proof and violation thereof for the specific primary norm.

This chapter will begin with a general discussion on the ARS and state responsibility. Once this study completes its discussion concerning the general principles of state responsibility, this study will move to an in-depth discussion on attribution and technical attribution in chapters three and four.

2.4.1.2. The Draft Articles on Responsibility for Internationally Wrongful