Cybersecurity and International Law: Defining State Responsibility for Cross-Border Cyberattacks

Corresponding Author Email: sakib.law@diu.edu.bd

DOI : https://doi.org/10.51470/BITS.2024.03.01.10

Abstract

Keywords

Download this article as:

1. INTRODUCTION

The emergence of cyberspace as a central domain of global interaction has radically altered the landscape of international law. States increasingly rely on digital infrastructure for governance, commerce, and defense, while simultaneously facing unprecedented vulnerabilities to malicious cyber operations. Cross-border cyberattacks—whether in the form of espionage, disruption of critical infrastructure, or disinformation campaigns—raise profound questions about how international law regulates responsibility and accountability. Unlike traditional kinetic warfare, cyber operations operate in a domain characterized by anonymity, speed, and transnational reach, complicating both the identification of perpetrators and the assignment of state responsibility. [1]

This complexity situates the problem within a broader debate: to what extent existing doctrines of international law, developed primarily in an analogue and territorial context, adequately govern state conduct in cyberspace? The challenge of attribution, the blurred thresholds between mere cyber intrusions and the use of force, and the unsettled scope of due diligence obligations underscore the theoretical uncertainty. [2] While treaties such as the Budapest Convention and normative frameworks like the Tallinn Manual provide useful guidance, they lack universal acceptance and binding authority. [3] The result is a patchwork of norms that leaves substantial ambiguity regarding when and how states incur legal responsibility for cross-border cyberattacks.

1.1 Identified Theory Gap and Doctrinal Challenges

At the core of this inquiry lies a significant theory gap. Traditional doctrines of attribution, as codified in the International Law Commission’s Articles on State Responsibility (2001), were not designed with the unique technical and operational features of cyberspace in mind. The requirement of “effective control” over non-state actors, as articulated in Nicaragua v. United States (1986, para. 115), is notoriously difficult to demonstrate in the cyber domain, where operations can be decentralized, anonymized, and plausibly deniable. This makes the transposition of attribution standards from conventional to cyber contexts doctrinally inadequate.

Similarly, the application of the prohibition on the use of force under Article 2(4) of the UN Charter faces doctrinal hurdles when confronted with cyber operations. Determining whether a cyberattack reaches the “armed attack” threshold under Article 51 is fraught with uncertainty: can the disabling of critical financial systems or power grids be equated with kinetic destruction, or does it occupy an ambiguous middle ground? [4] The lack of consensus on this issue highlights a fundamental theoretical gap in defining thresholds of unlawfulness in cyberspace.

The doctrine of due diligence presents yet another doctrinal ambiguity. While international law generally obliges states to prevent their territory from being used to cause harm to other states, as in the Corfu Channel case (1949, p. 22), the extent to which this obligation applies to cyber operations remains unsettled. [5] Should states be required to police private actors operating within their jurisdiction? What standard of monitoring or prevention is reasonable given the scale and technical sophistication of cyber threats? These open questions demonstrate the inadequacy of existing legal theories in capturing the realities of cyberspace.

1.2 Need for Doctrinal Refinement

Addressing this theory gap necessitates doctrinal innovation. One possibility is to adopt more flexible standards of attribution that take into account the distinctive evidentiary and technical challenges of cyberspace, perhaps shifting from the stringent “effective control” model to a spectrum-based approach that considers degrees of state involvement or acquiescence. [6] Another area requiring refinement is the clarification of state obligations regarding private actors: states may need to recognize more explicit duties to monitor, regulate, or sanction malicious cyber activities emanating from their jurisdiction. Finally, the growing body of state practice and soft-law initiatives points toward the gradual crystallization of lex specialis for cyberspace—a normative framework tailored to digital operations, complementing but not replacing existing international law. [7]

1.3 Research Aim

This article situates itself within this doctrinal uncertainty. By applying a dogmatic, theoretical research method, it examines how principles of state responsibility can be interpreted, adapted, or supplemented to address the unique challenges of cross-border cyberattacks. The central argument is that international law, while not entirely inadequate, requires refinement in attribution standards, clearer articulation of due diligence obligations, and potentially the development of specialized norms for cyberspace. The following sections will develop this claim by first establishing the conceptual and legal foundations of state responsibility, then analyzing attribution, breaches, and remedies in the cyber context, before returning to the identified theory gap and suggesting pathways for doctrinal advancement.

2.     DOCTRINAL BASIS OF STATE RESPONSIBILITY IN CYBERSPACE

The study of international cyber law requires clear definitions of the phenomena under scrutiny. Cybercrime involves unlawful acts against information systems, often for financial or personal gain, and is primarily addressed through domestic criminal law and cooperative treaties such as the Budapest Convention. [8] Cyber warfare refers to hostile operations that may reach the threshold of armed conflict, raising questions under the UN Charter and international humanitarian law. [1] Cyber espionage, by contrast, focuses on the covert acquisition of data, often tolerated as a practice of statecraft, though it may breach sovereignty when conducted across borders. [3]

A defining characteristic of these operations is their cross-border nature, as malicious code may traverse multiple jurisdictions within seconds, complicating accountability. Unlike conventional attacks, cyber operations exploit anonymity and speed, making it difficult to identify perpetrators with legal certainty. [6] The transnational impact of such operations magnifies their legal significance, since the effects of a single cyberattack can simultaneously disrupt critical infrastructure, financial markets, and communication networks across several states. [4]

The doctrinal anchor remains the Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA, 2001), which codify customary international law. [5] Under ARSIWA, state responsibility arises when conduct is both attributable to the state and constitutes a breach of an international obligation. [2] The consequences include cessation of the wrongful act, guarantees of non-repetition, and reparation in the form of restitution, compensation, or satisfaction. [9]

However, cyberspace introduces unique challenges to this framework. Attribution is notoriously problematic, as cyber operations are often routed through compromised systems, masking the origin of the attack. [1] The involvement of non-state actors, such as hacker groups or state-tolerated cybercriminals, blurs the line between private and state responsibility. Furthermore, the reliance on dual-use infrastructures, including networks and technologies that serve both civilian and military purposes, complicates proportionality assessments under international humanitarian law and heightens the risk of unintended escalation. [5]

In sum, while the doctrinal basis for state responsibility in international law is well established, its application to cyberspace reveals conceptual and practical difficulties that require further theoretical refinement. [7]

• INTERNATIONAL LEGAL FRAMEWORK APPLICABLE TO CYBERATTACKS

The international legal framework regulating cyberattacks draws on the UN Charter, customary international law, treaty regimes, and soft-law initiatives, but its application remains unsettled. The central debate concerns whether cyber operations that cause severe disruption without physical destruction—such as disabling banking systems, manipulating elections, or shutting down hospitals—amount to a “use of force” under Article 2(4) of the Charter. Article 51 further complicates matters by permitting self-defense in response to armed attacks, yet the scope of this right in cyberspace is highly contested. [10] [1] [11]

• The UN Charter

The UN Charter remains the cornerstone of this debate. Article 2(4) prohibits the threat or use of force against the territorial integrity or political independence of states, while Article 51 preserves the inherent right of self-defense. The ICJ in Nicaragua v. United States (1986) underscored that indirect forms of force, such as arming insurgents, may breach Article 2(4), though only the most grave forms qualify as armed attacks. This raises the question of whether large-scale cyber disruptions fall into either category. [12] The Tallinn Manual 2.0 recommends an “effects-based” test, proposing that cyber operations equating in scale and effects to kinetic attacks should be treated as uses of force. [1] [6] However, several states, including the United Kingdom, have expressed skepticism, noting that not all sovereignty violations amount to prohibited force

3.2 Customary international law

Customary international law contributes additional rules, particularly non-intervention and due diligence. The principle of non-intervention, reaffirmed in the Nicaragua case, prohibits coercive interference in the domaine réservé of another state. Election interference through cyber operations is increasingly cited as a violation of this rule. [7] Due diligence, affirmed in the Corfu Channel case (1949), obliges states not to knowingly allow their territory to be used for harmful acts against others. Its cyber application is controversial: some argue that reasonable measures suffice, while others press for more active monitoring and suppression of malicious actors. [4] [5]

3.3 Treaty Law and Soft Law

Treaty law provides limited but important frameworks. The Budapest Convention on Cybercrime (2001) harmonizes criminal law and enhances cooperation but does not regulate interstate responsibility. The new UN Cybercrime Convention (2024) may expand cooperative obligations, though its focus remains on crime rather than interstate accountability. [13] Regional regimes are more fragmented: the EU’s NIS2 Directive imposes resilience obligations on states, while ASEAN relies on voluntary norms and capacity-building measures. [14]

Soft-law initiatives are critical in filling normative gaps. The UN Group of Governmental Experts (GGE) has affirmed that international law applies to cyberspace but avoided clarifying the use of force threshold. The Open-Ended Working Group (OEWG) continues these efforts, with states submitting divergent views on sovereignty, intervention, and self-defense. [15] The Tallinn Manual remains the most detailed articulation, though it is a non-binding scholarly interpretation. [1]

Although no court has directly ruled on cyber operations, analogies can be drawn from existing jurisprudence. In Nicaragua, [16] the ICJ distinguished between use of force and armed attack. In the Bosnian Genocide case (2007), [17] it clarified strict attribution standards, complicating cyber responsibility claims. The Corfu Channel case remains central for due diligence obligations. Together, these precedents suggest that disruption-only cyber operations may occupy a gray zone: unlawful intervention if coercive, unlawful use of force if severe, but rarely armed attacks unless their effects resemble physical destruction. [18]

The debate over whether serious but non-destructive cyber operations qualify as uses of force highlights the inadequacy of existing frameworks. While the UN Charter provides a foundation, divergent interpretations among states, reliance on analogy, and uneven treaty coverage leave substantial gaps. Until consensus develops, the ambiguity surrounding Article 2(4) in cyberspace will persist, creating risks of escalation and undermining the predictability of international law.

4.     ATTRIBUTION OF CYBERATTACKS TO STATES

Attribution is one of the biggest challenges in applying international law to cyberspace, especially when it comes to deciding which state is responsible for a cyberattack. The main legal basis for this is the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). These articles explain how actions can be linked to a state. For instance, Article 4 says that the behavior of state organs can be attributed to the state, even if officials act outside their authority. Article 5 extends this to private bodies that exercise governmental powers, while Article 8 allows attribution of non-state actors if they act under a state’s “instructions, direction or control” (International Law Commission, 2001). The International Court of Justice in the Nicaragua case (1986) set a strict “effective control” test, meaning a state must have clear and direct involvement. By contrast, the ICTY in Tadić adopted a looser “overall control” approach. This debate matters in cyberspace, where many operations are carried out by proxies or semi-independent groups.

4.1 Challenges in Attribution in Cyberspace

Cyberspace makes attribution even harder. State-sponsored hacking groups, often called “Advanced Persistent Threats” (APTs), operate in a gray zone between official state agencies and independent actors. They may receive funding or protection from governments, but the exact ties are often hidden. [19] For example, APT28 and APT29 have been linked to Russian intelligence, but evidence is usually indirect, relying on technical clues, behavior patterns, or intelligence reports. [20] This gives states the ability to deny involvement while still benefiting from the outcome of the attacks.

The use of proxy groups adds to the problem. Some governments tolerate or quietly support cybercriminals who attack foreign targets. This raises the question: does such tolerance amount to “control” under Article 8 ARSIWA? Some scholars believe that consistent tolerance is enough to create responsibility. Others warn that stretching the rule too far could unfairly blame states that cannot fully control all cyber activity on their territory. [1]

4.2 Real-World Cases and Attribution

Real-world cases show how complex attribution can be. The alleged Russian interference in the 2016 U.S. elections is a clear example. American intelligence agencies reported with “high confidence” that Russian actors carried out hacking and disinformation campaigns. [21] Yet the publicly available evidence was mostly technical and circumstantial, not enough to satisfy the strict legal standards of proof. In practice, attribution depended on intelligence judgments and political interpretation, rather than clear legal findings. [22]

The Stuxnet attack on Iranian nuclear facilities further illustrates the complexities. Widely believed to have been orchestrated by the United States and Israel, the operation caused physical damage to centrifuge at Natanz through malicious code. Despite strong circumstantial evidence, no state has officially acknowledged responsibility. [23] This silence underscores the challenges of attribution when states deliberately maintain ambiguity to avoid legal and political consequences.

Similarly, the WannaCry ransomware attack of 2017, which disrupted health systems and critical services worldwide, was attributed by several governments, including the United States and the United Kingdom, to North Korean actors. [24] While the attack’s scale and characteristics supported suspicions of state involvement, the evidentiary basis remained contested. The incident raised questions about whether ransomware conducted for financial gain, even if state-backed, constitutes internationally wrongful conduct attributable to a state, or whether it falls under the category of criminal behavior by private actors. [25]

4.3 Challenges in Proof and Standards

These cases show that there are still big gaps, both in theory and practice, when it comes to attributing cyberattacks. One of the main problems is the lack of agreement on what kind of proof is required. International law does not set a single standard, and different states apply different approaches. Some argue that evidence must reach the level of “beyond reasonable doubt,” while others think “reasonable certainty” is enough, especially given how difficult it is to trace cyber operations back to their true source. [4] The International Court of Justice has usually demanded very strict evidence, as seen in the Bosnian Genocide case. [17] But such strictness may not work well in cyberspace, where anonymity and deception are part of the system itself.

4.5 Reliance on Intelligence Reports

Another difficulty is the reliance on intelligence reports rather than evidence that can be verified publicly. Governments often hesitate to share sensitive information about how they gathered evidence, which leads to doubts about bias or lack of transparency. This points to a deeper issue: current rules of attribution have been made for the physical world, where it is easier to see links of control and responsibility. Cyberspace, however, is built on distributed networks, proxy actors, and technical complexity, which makes applying old rules far less straightforward. [3]

4.6 Proposed Solutions

Scholars have suggested several possible solutions. Some call for a more flexible approach, one that allows for circumstantial and behavioral evidence, and considers broader patterns of conduct and political context. [26] Others argue that new standards should be created specifically for cyberspace, perhaps modeled on the “reasonable certainty” test already used in intelligence practice. [6] Another idea is for states to make attributions collectively in multilateral settings, which could improve legitimacy and share the burden of proof. [27]

In the end, attribution remains a major obstacle to applying international law in cyberspace. The framework provided by ARSIWA offers a starting point, but it does not fully capture the realities of digital operations. State-backed groups, the use of proxies, and the built-in opacity of cyberspace allow governments to deny responsibility and create ambiguity. Without common standards for evidence, accountability remains weak, leaving international law struggling to keep up. To move forward, either existing doctrines must be adapted to cyberspace, or new frameworks must be developed that balance the need for credible proof with the realities of the digital environment. Until then, attribution will continue to be one of the most contested issues in international cyber law.

5.     BREACH OF INTERNATIONAL OBLIGATIONS IN CYBERSPACE

The way international law applies to cyberspace has created an ongoing debate about how old legal obligations fit into the digital world. A breach of international law may occur when cyber operations undermine a country’s sovereignty, interfere in its internal affairs, fail to meet due diligence responsibilities, or reach the level of prohibited force. International humanitarian law and international human rights law also provide important standards, but their role in cyberspace is still debated. Because there are no binding global rules made specifically for cyber operations, the legal landscape is fragmented, and states remain divided over how to interpret and enforce existing obligations.

5.1 Sovereignty and Non Intervention

Sovereignty is one of the most fundamental principles in international law and has long been accepted as a customary rule. In cyberspace, sovereignty means that states have exclusive authority over their territory, their networks, and their information systems. Any unauthorized intrusion into a state’s cyber infrastructure—such as hacking government databases or disrupting vital services—may count as a breach of sovereignty. Still, there is no full agreement on this. The United Kingdom argues that sovereignty is more a guiding principle than a binding legal rule in cyberspace, while countries like France and Iran insist that any unauthorized intrusion is a clear violation. This disagreement highlights the uncertainty around applying sovereignty to digital operations.

Closely connected to this is the rule of non-intervention. In the Nicaragua case, the International Court of Justice confirmed that coercive interference in another state’s internal affairs is unlawful. Today, this principle is often discussed in relation to cyber operations such as election interference, disinformation campaigns, and attacks aimed at influencing political independence. Even when such acts do not amount to the use of force, they may still break the rule of non-intervention if they involve coercion in matters like political decision-making or economic independence.

5.2 Due Diligence

The principle of due diligence also plays a key role. As stated in the Corfu Channel case (1949), states must not knowingly allow their territory to be used for actions that harm other states. Applied to cyberspace, this means that states are expected to take reasonable steps to prevent malicious cyber activity originating within their borders. What counts as “reasonable” remains debated, but the principle itself shows how traditional international law continues to influence the digital domain. The Tallinn Manual 2.0 suggests that due diligence requires states to respond when they are aware, or should reasonably be aware, of harmful cyber activities. [1] However, states diverge on what constitutes “reasonable measures.” Some argue that due diligence demands only investigation and information-sharing, while others suggest that active suppression of malicious activity is required. [5] [7] This uncertainty leaves significant gaps in enforcement, particularly where state resources or technical capacity are limited.

5.3 Prohibition of the Use of Force

The prohibition of the use of force under Article 2(4) of the UN Charter further constrains state behavior in cyberspace. A cyber operation may qualify as a prohibited use of force if its scale and effects are comparable to kinetic attacks, such as causing physical destruction or casualties. [1] Yet, whether large-scale disruption without physical damage—such as disabling power grids or financial systems—meets the threshold remains hotly debated. The Tallinn Manual experts emphasize an effects-based test, but states remain divided, wary of expanding the scope of Article 2(4) to cover all disruptive operations. [6] The threshold for an armed attack, which triggers the right of self-defense under Article 51, is even more restrictive. The ICJ in Nicaragua distinguished between use of force and armed attack, limiting the latter to the gravest forms. Whether cyber operations causing massive economic or societal disruption, absent physical damage, qualify as armed attacks remain unresolved. [4] [7]

5.4 International Humanitarian Law (IHL)

International humanitarian law (IHL) becomes relevant when cyber operations are conducted in the context of an armed conflict. Principles such as distinction, proportionality, and necessity apply equally to cyber means and methods of warfare. Cyber operations targeting purely civilian infrastructure, such as hospitals, would violate IHL, while attacks on dual-use objects like telecommunications networks pose difficult legal questions. The invisibility and indirect effects of cyber weapons complicate proportionality assessments, as collateral harm may extend far beyond the immediate target. Despite consensus that IHL applies, disagreement persists over the precise interpretation of its rules in cyberspace.

5.5 International Human Rights Law (IHRL)

Beyond security concerns, international human rights law (IHRL) also applies to cyber operations. The rights to privacy, freedom of expression, and access to information are particularly implicated. Large-scale surveillance, internet shutdowns, and content censorship may infringe these rights.  The Human Rights Committee has confirmed that the International Covenant on Civil and Political Rights (ICCPR) applies online as it does offline, though enforcement remains limited. States have increasingly used cyber tools to suppress dissent or restrict access to information, raising questions about compliance with IHRL in the digital age.

5.6 Normative Gap in Cyberspace Governance

Despite the applicability of these frameworks, there remains a significant normative gap in cyberspace governance. Existing legal regimes—whether the UN Charter, customary international law, or IHL and IHRL—were not designed with the digital domain in mind. Their application often relies on analogy, leaving ambiguities in interpretation and enforcement. The absence of a binding treaty specifically addressing state conduct in cyberspace contributes to fragmentation and uncertainty. [18] While soft-law initiatives such as the UN Group of Governmental Experts and the Open-Ended Working Group have affirmed that international law applies, they have not resolved core disagreements on sovereignty, due diligence, and the use of force. Until greater consensus emerges, breaches of international obligations in cyberspace will remain contested, leaving international law vulnerable to strategic manipulation and selective interpretation.

• STATE RESPONSIBILITY: REMEDIES AND ENFORCEMENT

The enforcement of state responsibility in cyberspace presents complex challenges, but the legal framework is grounded in the principles codified in the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA). When a state commits an internationally wrongful act, three core consequences follow: cessation, reparation, and guarantees of non-repetition. Under Article 30 of ARSIWA, the responsible state is obliged to cease the wrongful act if it is continuing and to offer assurances against recurrence. Article 31 establishes the duty of full reparation, which may take the form of restitution, compensation, or satisfaction. In the cyber context, restitution could involve restoring access to disrupted networks, while compensation might cover the economic costs of attacks such as those suffered during ransomware incidents. Satisfaction, often symbolic, could include acknowledgments of wrongdoing or formal apologies. These remedies, while theoretically robust, face unique difficulties in cyberspace where attribution is contested and breaches often remain unacknowledged.

6.1 Countermeasures

Countermeasures are an additional mechanism through which states may respond to internationally wrongful cyber operations. Under ARSIWA Articles 49–54, countermeasures must be proportionate, temporary, and aimed at inducing compliance, not punishment. Applied to cyberspace, this could include measures such as disabling malicious servers, conducting retaliatory cyber operations, or imposing digital sanctions. [1] However, the legality of cyber countermeasures is contested, especially given the risk of escalation and the difficulty of ensuring proportionality in a domain where consequences can be unpredictable (Tsagourias & Buchan, 2015). Moreover, countermeasures may only be taken by the injured state, limiting collective responses unless endorsed by international organizations. Some scholars argue that flexible interpretations of countermeasures are necessary to deter persistent malicious activity, while others caution that such flexibility risks undermining stability. [28]

6.2 Collective responses

Collective responses provide another dimension to enforcement. The UN Security Council retains primary responsibility for international peace and security, and it has the authority under Chapter VII of the UN Charter to determine whether cyber operations constitute threats to peace, breaches of the peace, or acts of aggression. In practice, however, Security Council action is rare due to the veto power of permanent members, some of whom are accused of conducting offensive cyber operations themselves. [29] Outside the Council, sanctions regimes imposed by the European Union and United States have become important tools for attributing responsibility and deterring malicious behavior. For example, the EU has sanctioned individuals and entities connected to Russian and Chinese cyber operations, framing them as violations of international norms. NATO has also acknowledged cyberspace as a domain of operations and affirmed that cyberattacks may trigger Article 5 collective defense obligations, though thresholds and criteria remain ambiguous. These collective frameworks illustrate the growing recognition of cyber threats but also underscore the absence of binding enforcement mechanisms specifically designed for cyberspace.

6.3 Practical Limitations

Despite these legal and institutional avenues, significant practical limitations undermine the enforcement of state responsibility. Political unwillingness often prevents states from invoking responsibility, particularly where powerful states are implicated. Even when attribution is made, it is frequently based on intelligence assessments that are not publicly verifiable, raising concerns about credibility and politicization. [19] Evidentiary gaps exacerbate these problems, as the technical complexity of cyber forensics makes it difficult to establish conclusive links between operations and state actors. Moreover, enforcement measures such as sanctions or countermeasures may lack deterrent effect if the responsible state is willing to absorb reputational and economic costs.

Ultimately, while the ARSIWA framework provides a theoretical structure for remedies and enforcement, its application to cyberspace remains highly constrained by the unique characteristics of the digital environment. The opacity of attribution, political divisions in collective bodies, and the risk of escalation in countermeasures all undermine the effectiveness of enforcement. These limitations highlight the need for continued development of cyber-specific enforcement mechanisms, greater transparency in attribution processes, and stronger multilateral cooperation to ensure that state responsibility in cyberspace is not merely theoretical but practically enforceable.

CONCLUSION

International law applies to cyberspace, but its doctrines struggle to address the realities of cross-border cyberattacks. Attribution remains the most acute challenge: standards such as effective control or overall control are ill-suited to operations conducted through proxies, anonymization, and plausible deniability. Similar uncertainty surrounds the threshold between unlawful intervention, prohibited force, and armed attack, particularly where cyber operations disrupt but do not physically destroy infrastructure. Due diligence obligations are likewise unsettled, with no consensus on whether states must actively suppress harmful activity or only respond once notified. Enforcement mechanisms under ARSIWA—cessation, reparation, and guarantees of non-repetition—exist largely in theory, as countermeasures risk escalation and collective action is hindered by political divisions. This persistent gap underscores the need for doctrinal refinement or the development of lex specialis for cyberspace. Without such clarity, accountability will remain elusive, and cyberspace will continue to function as a domain of legal ambiguity.

References

[1]         M. N. Schmitt, Tallinn Manual 2.0 on the international law applicable to cyber operations, Cambridge University Press, 2017.

[2]         J. Crawford, State responsibility: The general part, Cambridge University Press, 2013.

[3]         Tsagourias, N., & Buchan, R., International law and cyberspace, Cambridge University Press, 2015.

[4]         Hathaway, O. A., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., & Spiegel, J., The law of cyber-attack, California Law Review, 2012, p. 835.

[5]         K. Mačák, Internationalized armed conflicts in international law., Oxford University Press, 2018, p. 211.

[6]         Schmitt, M. N., & Vihul, L., “The attribution problem in cyberspace,” in Tallinn Manual 2.0 on the international law applicable to cyber operations, Cambridge University Press, 2017, pp. 71-95.

[7]         N. Tsagourias, “Cyber attacks, self-defence and the problem of attribution,” Journal of Conflict & Security Law, vol. 23, no. 1, p. 22, 2018.

[8]         M. Gercke, Understanding cybercrime: Phenomena, challenges and legal response, ITU, 2012, p. 25.

[9]         International Law Commission, “Articles on responsibility of states for internationally wrongful acts,” United Nations, 2001.

[10]       Y. Dinstein, “War, aggression and self-defence,” Cambridge University Press, 2017 .

[11]       L. Kello, “The meaning of the cyber revolution: Perils to theory and statecraft,” International Security, vol. 38, no. 2, pp. 7-40, 2013.

[12]       C. Greenwood, “International law and the NATO intervention in Kosovo,” International & Comparative Law Quarterly, vol. 49, no. 4, pp. 926-934, 1998.

[13]       U. Nations, “UN Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes.”.

[14]       ASEAN, “ASEAN cybersecurity cooperation strategy,” 2018.

[15]       U. N. O.-E. W. Group, “Report on developments in the field of ICTs in the context of international security,” 2021.

[16]       Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America), 1986.

[17]       Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro), 2007.

[18]       M. E. O’Connell, “Cyber security without cyber war,” Journal of Conflict & Security Law, vol. 17, no. 2, pp. 187-209, 2012.

[19]       Rid, T., & Buchanan, B., “Attributing cyber attacks,” Journal of Strategic Studie, vol. 38, no. 1-2, pp. 4-37, 2015.

[20]       Giles, K., & Hartmann, K., Russian cyber warfare: Unpacking the Kremlin’s toolkit, Routledge, 2021.

[21]       O. o. t. D. o. N. Intelligence, Assessing Russian activities and intentions in recent US election, 2017.

[22]       H. A. H. Dinniss, Cyber warfare and the laws of war, Cambridge University Press, 2018.

[23]       K. Zetter, Countdown to zero day: Stuxnet and the launch of the world’s first digital weapon, Crown, 2014.

[24]       U. F. Office, “North Korea behind WannaCry cyber attack,” UK Government Press Release, 2017.

[25]       C. a. I. S. Agency, “North Korean malicious cyber activity,” FBI Malware Analysis Report, 2018.

[26]       T. Maurer, Cyber mercenaries: The state, hackers, and power, Cambridge University Press, 2018.

[27]       Corn, G. S., & Taylor, E., “Sovereignty in the age of cyber,” Texas National Security Review, vol. 1, no. 3, p. 70–89, 2017.

[28]       H. H. Koh, “International law in cyberspace,” arvard International Law Journal , vol. 54, pp. 1-15, 2012. [29]       U. N. S. Council, “Letter dated 13 April 2017 from the Permanent Representatives of the United Kingdom and the United States of America to the United Nations addressed to the Secretary-General,” 2017.