State-sponsored cyber-attacks are on the rise and show no signs of abating. Despite the threats posed by these attacks, the states responsible frequently escape with impunity because of the difficulty in attributing cyber-attacks to their source. As a result, current scholarship has focused almost exclusively on overcoming the technological barriers to attribution.
This Note suggests that a legal approach, rather than a technological one, can solve the attribution problem. First, despite the barriers to attribution, computer scientists have developed a range of tools to trace cyber-attacks, and empirically, large-scale state attacks tend to leave behind enough footprints (or circumstantial evidence) to lead forensic experts to their source. Second, the law does not demand guaranteed certainty, but only a sufficient degree of certainty that someone is responsible; the question of what counts as a sufficient degree of certainty is an answerable, purely legal question. Thus, the question is no longer whether cyber-attacks can be attributed; instead, it is how the international community might configure a system of law to do so.
By surveying the scope of existing procedural rules—including the features of adversarial and inquisitorial systems, burdens of proof and persuasion, state responsibility doctrines, and rules governing evidentiary production—this Note explains how a system of law can be created to address the seemingly unique problem of identifying the source of cyber-attacks. In doing so, this Note lays the groundwork for envisioning an international tribunal and procedure for states to address the threats posed by state-sponsored cyber-attacks.