Journal of Conflict & Security Law Oxford University Press 2016; all rights reserved.

For permissions, please e-mail:

Advance Access published on 19 October 2016

Special Issue: Non-State Actors and Responsibility in Cyberspace: State Responsibility, Individual Criminal Responsibility and Issues of Evidence

Russell Buchan* and Nicholas Tsagourias

1. Introduction

Over the course of the last three decades, cyberspace has been woven into the fabric of daily life¹ and now permeates all aspects of modern society. Most recent figures indicate that by the end of June 2016, 48.7% of the world's population were users of the Internet, an increase of 890.8% since 2000.² Notwithstanding the enormous benefits and opportunities offered by cyberspace, cyberspace has also become a source of threats and vulnerabilities. The threat landscape in cyberspace is multifaceted and can range from hacking, cybercrime and cyber espionage to far more serious attacks on computer systems and networks that support critical national infrastructure and which can cause significant disruption, destruction or even lead to human loss.³ The agents of threats are also diverse, involving not only states but also non-state actors. Cyberspace offers a fertile environment for non-state actors to operate because of its borderless character, the anonymity it offers, the low entry barriers and the low operational costs. By non-state actors we mean entities that are not states, but are visible and active on the international stage. They include individuals as well as entities, such as groups, corporations, organisations and non-governmental organisations.⁴

States and individuals look to the power of international law to regulate cyberspace, deter and suppress unwanted or injurious cyber activities and hold those responsible to account. The institution of responsibility is at the heart of international law and is part of the constitution of the international community.⁵ This being said, cyberspace poses numerous challenges to international law's central objective of ensuring responsibility.

* University of Sheffield, email:

¹ UNGA Report of the Secretary General 69/112: Developments in the field of information and telecommunications in the context of international security (2014) UN Doc A/69/112 accessed 1 August 2016.
² Internet World Stats: Usage and Population Statistics (June 2016) www.internet- accessed 1 August 2016.
³ N Tsagourias and R Buchan, 'Cyber-Threats and International Law' in M E Footer et al (eds), Security and International Law (Hart 2016) 365ff. See also The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World (UK Cabinet Office 2011); The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communication Infrastructure (Washington DC 2009).
⁴ M Wagner, 'Non-State Actors' (2013) Max Planck Encyclopedia of Public International Law, law-9780199231690-e1445?rskey=ebdBnc&result=2&prd=EPIL accessed 1 August

Journal of Conflict & Security Law (2016), Vol. 21 No. 3, 377–381

An especially important challenge is represented by the fact that the regime of international responsibility limits the category of subjects that incur responsibility to states and to international organizations, whereas individuals can be held responsible in international law only if they commit conduct that amounts to an international crime. Yet, as was said, the unique features of cyberspace produce an ideal environment for various non-state actors to act and possibly cause damage or injury to states, individuals or other non-state actors that is usually below the threshold of international crimes.

If responsibility is the corollary of law, to deny or evade responsibility for wrongful acts threatens the existence of the international legal order itself. In this context, important questions arise, such as: what are the conditions under which acts by non-state actors in cyberspace can be attributed to states? What are the obligations of states with regard to non-state actors? Who is held responsible when non-state actors operate from ungoverned spaces? Regarding individual criminal responsibility, pertinent questions are: can non-state actors commit international crimes through cyberspace or through cyber means? Can commanders be held responsible for international cyber crimes committed by their underlings? Can the International Criminal Court (ICC) exercise jurisdiction over such international crimes?

To establish responsibility, evidence is critical. However, the nature of cyberspace, and in particular the fact that it is a virtual domain, the anonymity and speed of activities in cyberspace, the possibility of spoofing and the potential for multi-stage action, poses serious challenges to the collection, analysis, authentication and evaluation of evidence. This fact leads to further questions about the requisite standards of proof for criminal or state responsibility.

In view of the above, the objective of this Special Issue is to assess the effectiveness of international law in responding to these challenges and in ensuring responsibility when non-state actors engage in injurious transboundary cyber operations. In pursuit of this objective, this Special Issue is divided into three

Part I addresses questions concerning the responsibility of states in relation to injurious cyber acts committed by non-state actors.

Tim Maurer's article focuses upon the meaning of the term 'proxies' and, in particular, its meaning in the cyber setting. In doing so, he presents the diverse array of proxy relationships in cyberspace and identifies the different distinctions and levels of detachment between a state and a non-state actor by also comparing international law and international relations approaches to proxies.

⁵ J Crawford, The International Law Commission's Articles on State Responsibility: Introduction, Text and Commentaries (Oxford, OUP 2002).

Kubo Macak's contribution focuses upon Article 8 of the International Law Commission's (ILC) Articles on State Responsibility 2001 and examines the circumstances under which an internationally wrongful act committed by a non-state actor, in or through cyberspace, can be legally attributed to a state. By revisiting the drafting history of the ILC's Articles, Macak argues that, contrary to the mainstream view, there are actually three autonomous standards of attribution built into Article 8, namely, instructions, direction and control. After examining the application of these standards to actual and hypothetical cyber operations, Macak concludes that the Article 8 test for attribution imposes an overly high threshold, which will result in states avoiding responsibility where they encourage and support non-state actors to commit unlawful cyber

Following on from Macak's conclusions, Russell Buchan's article argues that the responsibility deficit that inevitably results from the strictness of the attribution formula can be ameliorated by the customary international law obligation incumbent on states to prevent their cyber infrastructure from being used in a manner injurious to the international legal rights of other states. Buchan reveals that the obligation to prevent imposes a dual duty upon states: first, to possess, on a permanent basis, laws and institutions capable of preventing malicious cyber operations and, secondly, to exercise due diligence in using these laws and institutions in responding to known threats. Buchan then goes on to explore the content of these two duties in relation to malicious transboundary cyber operations emanating from a state's cyber infrastructure.

Nicholas Tsagourias' article examines the challenges that the cyber activities of non-state actors operating from ungoverned spaces pose to the institution of state responsibility. Tsagourias concludes that there is a responsibility deficit because none of the ingredients of the law of state responsibility applies in such situations. Because this may delegitimise international law, the author puts forward a framework according to which non-state actors that exercise effective control over territory and people can be held responsible for their injurious cyber activities, and discusses the scope of their obligations, issues of attribution and how their responsibility can be implemented. The cyber activities of ISIS and of pro-ISIS cyber groups provide the background to the

David Fidler's article examines the ability and effectiveness of international law in deterring and suppressing the use of cyberspace for terrorist purposes. His article is divided into two sections. The first section focuses upon cyber attacks committed by terrorists and identifies the plethora of international law regimes (including international agreements, Security Council Resolutions and customary rules) that states can potentially utilise to protect themselves from such activity and assesses their effectiveness. The second section of the article turns its attention to the role of international law in preventing the use of the Internet by terrorists for the purposes of recruitment, propaganda and incitement, an important issue given that ISIS has frequently exploited the Internet for such purposes. Fidler identifies the human rights concerns raised when states attempt to censor the use of the Internet and then considers how international law can strike the right balance between effective cyberspace counter-terrorism policies on the one hand and the preservation of human rights on the other.

Part II of this Special Issue addresses questions concerning the commission of international crimes through cyberspace or through cyber means; who can be held responsible for such crimes; and whether the ICC can exercise jurisdiction.

Kai Ambos' article examines the question of whether cyber aggression can satisfy the conditions contained in Article 8bis ICC Statute, which defines the crime of aggression. The author expresses his reservations in this regard, in particular, the fact that the crime of aggression needs to be committed by a state. Even if the requisite conditions are satisfied, the author claims that, because aggression is a leadership crime, the person who launched the cyber attack will most probably not be held responsible, but possibly his/her superiors.

Elies van Sliedregt's article examines the question of whether commanders can be held criminally responsible under the doctrine of command responsibility if their subordinates commit cyber war crimes. The author discusses the elements of the doctrine of command responsibility by looking into international jurisprudence, including the recent Bemba case, and then considers how they apply to cyber war crimes by discussing three scenarios. The first concerns cyber units integrated into the army where command responsibility can be easily established. The second scenario involves outsourcing the commission of the cyber war crime. This raises questions concerning the relationship between the commander and the outsourced individuals and questions as to whether outsourcing increases the risk of crimes being committed as the ICC held in its Bemba judgment. The third scenario concerns individuals not linked to the commander's unit, in which case command responsibility does not arise.

Michael Vagias' contribution examines the question of whether the ICC can exercise jurisdiction over international crimes committed in and through cyberspace. The questions addressed by Vagias are: when and where is an international crime consummated in cyberspace and does this location fall within the territorial jurisdiction of the ICC? Concluding that neither the ICC's main instruments, nor the preparatory materials to the Rome Statute shed any light on the issue of territorial jurisdiction, he examines how states have dealt with the issue of jurisdiction in cyberspace. His finding is that states have generally tended to adopt a broad interpretation of territorial jurisdiction by assuming criminal jurisdiction when an aspect of the crime is committed within their territory, or when its effects are felt within their territory. Vagias then assesses the advantages and disadvantages of adopting such a generous approach to the ICC's territorial jurisdiction.

Part III focuses upon the effectiveness of the international law of evidence for pursuing investigations and obtaining and analysing evidence in the cyber

Marco Roscini's article discusses the use of digital evidence as a means of proof before the International Court of Justice (ICJ). Roscini maintains that whilst the majority of existing ICJ rules and procedures do not specifically address the use of digital evidence, the Court's general evidentiary rules are nevertheless applicable. The article focuses upon the production of documentary evidence before the ICJ, as well as of audiovisual evidence. Particularly given the prevalence of cyber espionage in the contemporary world order, Roscini usefully considers the use of illegally obtained digital evidence before the ICJ.

In his contribution, Dan Saxon considers evidentiary issues in a criminal law context. The article identifies the difficulties that prosecutors may face when investigating and prosecuting the misuse of cyber weapons by non-state actors. In particular, he notes the evidentiary challenges posed when non-state actors use cyberspace in a manner incompatible with international humanitarian law (IHL) and suggests that we need to formulate new approaches to the application of IHL for this legal framework to continue to achieve its overriding objective of ensuring accountability.

Jean d'Aspremont's contribution is an exposition of the argumentative patterns adopted by international lawyers to place cyber operations within existing legal frameworks. He labels them problem-finding, administrativist camouflage, consequentialist bending and evidentiary pragmatism. The latter involves the adoption of suitable criteria regarding the standard and burden of proof to maximise the efficacy of evidence and to justify international lawyers' interventionist attitude. d'Aspremont contends that even such pragmatic standards are not sufficient to overcome evidentiary problems, due to the nature of cyberspace, but also due to the initial argumentative choices made by international lawyers. Different choices would yield different rules, but, for the author, this would turn international lawyers into norm-setters, which is an identity-transforming enterprise.

Finally, Michael Schmitt and Sean Watts's article contends that although international law has always been and remains a system designed primarily to regulate the interactions of sovereign states, international law nevertheless contains rules and is developing new rules that enable regulation of the conduct of non-state actors, even when this conduct occurs in cyberspace. In doing so, their article provides a useful panorama of the various international legal rules that are implicated when malicious cyber operations are committed by non-state actors and assesses the effectiveness of these rules in achieving adequate accountability.

With the exception of the last paper, all the other papers contained in this Special Issue were presented at a conference organised at the University of Sheffield in September 2015. We would like to express our gratitude to the Sheffield Centre for International and European Law at the University of Sheffield for its generous financial support and we would also like to acknowledge Edward Elgar's financial support. We would also like to thank the editors of the Journal of Conflict and Security Law for publishing this Special Issue. Above all, we would like to thank all the contributing authors for their commitment and stimulating ideas.

We believe that this Special Issue will stimulate further exchanges and discussions as to whether international law is effective in achieving responsibility for malicious non-state cyber conduct and, if not, how international law can be developed or adapted to ensure that any responsibility deficit is avoided or at least ameliorated.