New Technologies in International Law / Tymofeyeva, Crhák et al.

other States” 647 - Rule 5 of the Manual provides that a State “shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States”. 648 Expert opinions differ on the rule’s scope of application: whether it applies to cyber-attacks already underway or to those that are merely prospective. It is also uncertain whether State liability extends only to the territory of origin or also to “transitional” States.

The ephemeral nature of cyber-attacks has often been the main obstacle to inferring international liability, with regard to the “attribution problem”. It is a multi-faceted problem, encountering possible obstruction at every layer. First, an actor may mask their IP address using obfuscation techniques. Even if the location of the computer used to carry out the cyber operation were known, it does not definitively give away who was operating the computer. And even if the actor were identified, there would still be the obstacle of linking the actor to a State. 649 Notably, the two most prominent cyber-attacks of the early and mid-2000s, namely the Stuxnet nuclear power attack and the Estonian cyber-attacks of 2007, lacked an official apportionment of blame, despite both resulting in serious destructive effects for the respective governments. Neither the Iranian nor the Estonian government issued an official statement regarding the incidents, as neither had sufficient evidence linking the attacks to the foreign authority in question. 650

Due to the unsatisfactory nature of rigid legal tests, more context-dependent approaches have allowed leeway in the gathering and evaluation of evidence. It is generally acknowledged that any allegation that an internationally wrongful act has been committed must be sufficiently substantiated.
Evidentiary standards for such substantiation have, however, not been harmonized, and methods of proof are subject to individual State legal frameworks. What’s more, many States have officially subscribed to the notion that attribution of internationally wrongful acts engages various political considerations beyond the constraints of legal attribution standards and, as such, the States do not bear an obligation to publicly provide the basis on which the attribution is made.

4. Controversy surrounding the Tallinn Manual

At first glance, it would seem that the underregulated nature of cyberspace invites international legal regulation and the creation of a non-national space, in the vein

647 ICJ, Corfu Channel (United Kingdom of Great Britain and Northern Ireland v Albania), Judgment [1949] ICJ Rep 4, p. 22.
648 Schmitt M, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP, 2013), p. 33, similarly the Rule 6 in Schmitt M, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP, 2017), p. 30.
649 Efrony D and Shany Y, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 American Journal of International Law 583, p. 589.
650 Macak K, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21(3) Journal of Conflict and Security Law 405, p. 409.
