Attribution of a cyber attack to a state is a, if not the, key element in building a functioning regime. The laws of war require states launching an attack on another state to identify themselves, though this convention is apparently honored more in the breach than in its realization.179 The International Law Commission (“ILC”) Draft Articles elaborate on this basic law by adding that “the conduct of any State organ shall be considered an act of that state under international law.”180 An organ includes “any person or entity which has that status in accordance with the internal law of the State.”181 Such an official body cannot avoid responsibility by claiming that the actor exceeded their authority.182 While this expands the pie of illegal state-sponsorship of terrorist activities, there is a need for a broader interpretation of the use of force to meet contemporary security challenges. Transnational cyberspace activities that affect the internal affairs of a state might breach general legal principles upholding respect for sovereignty and non-intervention.183 A government-sponsored CNA involving transnational networks and telecommunications should trigger legal implications arising from the prohibitions in Article 2(4) if an attack rose to the level of an armed attack.184 But as has been stated, cyber attacks of the type that we have seen and will likely to continue to be prevalent are typically not at the public behest of an official state organ. As such, the international law doctrine of attribution in fact is essential ground for regulating cyber attacks.
179 See Hague Convention No. III Relative to the Opening of Hostilities art. I, Oct. 18, 1907, 36 Stat. 2259, 2271, T.S. 598; Brenner, supra note 40.
180 Draft ILC Articles, Art. 4(1).
181 Draft ILC Articles, Art. 4(2).
182 Draft ILC Articles, Art. 7.
183 Examples of such accords include: 1970 Declaration on Principles in International Law; 1965 Declaration on the Inadmissibility of Intervention in the Domestic Affairs of State.
184 Joyner, supra note 14.