In a Wednesday speech at the Royal Institute of International Affairs, a British think tank, U.K. Attorney General Jeremy Wright made the case that the world needs to do more to make sure that international law is enforced when it comes to cybercrime. To that end, he argued that the U.K. and its allies should make attribution a priority.
“Cyberspace is not – and must never be – a lawless world. It is the U.K.’s view that when states and individuals engage in hostile cyber-operations, they are governed by law just like activities in any other domain,” Wright said. “The question is not whether or not international law applies, but rather how it applies and whether our current understanding is sufficient.”
In his speech, Wright went to great lengths to legally justify a state taking countermeasures against another state if it determines that the other state conducted a cyberattack against it.
“Put simply, if a hostile state breaches international law as a result of its coercive actions against the target state’s sovereign freedoms, then the victim state can take action to compel that hostile state to stop,” Wright said.
He also argued that retaliatory measures don’t necessarily have to be symmetrical; they should just be proportional, which he said “means that the U.K. could respond to a cyber-intrusion through non-cyber means, and vice versa.”
Taking things a step further, Wright made the case that if a cyberattack results in death, it’s not out of bounds for the victim state to use force against the adversary in response.
“If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber-operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us,” Wright said.
The problem of attribution
In order for the U.K. to aggressively respond to the scenarios that Wright is painting, the country needs to be able to make proper attributions of cyberattacks. Attribution is often difficult because of the way attacks can transcend borders and how attackers can obfuscate their identities and origins.
“One of the biggest challenges for a state that finds itself a victim of a hostile cyber-operation is determination of who was behind it,” Wright said. “Without clearly identifying who is responsible for hostile cyber-activity, it is impossible to take responsible action in response.”
The prosecutor cited the International Law Commission’s Articles on State Responsibility as justification for naming the perpetrators of cyberattacks. Those United Nations rules require a state to take on the legal responsibility for acts that violate international law.
“These principles must be adapted and applied to a densely technical world of electronic signatures, hard-to-trace networks and the dark web,” Wright said. “They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors.”
Wright said that while there’s no legal obligation to publicly disclose how a country determines attribution or to even make the attribution public, the U.K. often does so.
He cited as an example the 2017 WannaCry ransomware attack that affected 150 countries and hit Britain’s hospital system especially hard. The U.K., along with allies including the U.S., attributed WannaCry to North Korea in December. He also mentioned the NotPetya attack on Ukraine that the U.K. and allies attributed to the Russian military in February.
More countries ought to collaborate on the practice of attribution, Wright said, in order to more confidently name names.
“We will continue to work closely with allies to deter, mitigate and attribute malicious cyber-activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community.”