Muzyka V. Attribution of cyberattacks against critical infrastructure objects: identification of main problems and ways to solve them

Thesis for the degree of Doctor of Philosophy (PhD)

State registration number

0822U100476

Applicant for

Specialization

  • 081 - Law. Law

24-01-2022

Specialized Academic Board

ДФ 41.086.081

National University «Odessa Law Academy»

Abstract

The dissertation is the first comprehensive study of the attribution of cyberattacks against critical infrastructure objects. It characterizes the nature of cyberspace, which is the environment in which cyberattacks are committed, and identifies the essential characteristics of cyberattacks. On this basis, it establishes that cyberattacks can be carried out against different layers of cyberspace in order to disrupt critical infrastructure. It finds that defining internationally wrongful behavior in cyberspace is the prerequisite for the attribution of cyberattacks. The lack of a legally binding lex specialis significantly complicates this task, so various forms of opinio juris were analyzed. They indicate a lack of consensus between states on certain issues. At the same time, opinio juris has greatly helped to determine which acts states regard as cyberattacks that violate international law and require attribution. The dissertation identifies the objects that fall within the scope of the concept of critical infrastructure. It insists on the need to develop a concept of critical infrastructure that would maintain flexibility and take national priorities into account. It proposes placing transnational (inter-state) critical infrastructure objects in a separate category, because of their increased interdependence and the high risk of more serious and far-reaching consequences for international security. The dissertation also finds that the process of attributing cyberattacks on critical infrastructure requires technical, political, and legal attribution. Thus, the attribution of cyberattacks is impossible without the assessment of technical and political indicators.
This conclusion is supported by the positions of states on the application of international law in cyberspace, and by the conclusions of the Expert Group of the Tallinn Manual 2.0 and of the GGE on Advancing responsible State behavior in cyberspace. Legal attribution of cyberattacks, which is an element of an internationally wrongful act of a state under Article 2 of the 2001 Articles on State Responsibility for Internationally Wrongful Acts, should be the final step in the process of attributing cyberattacks against the critical infrastructure of states. The dissertation reveals the theoretical and practical aspects of applying the norms on attribution to cyberattacks against critical infrastructure when they are carried out by organs of a state; persons or entities exercising elements of governmental authority; or a person or group of persons operating under the direction or control of the state. For the first time in Ukrainian legal science, the dissertation provides a comprehensive analysis of cyberattacks against Ukraine's electric grid systems in the context of the armed conflict. The example of Ukraine proves the need to assess both technical and political indicators during the process of attributing cyberattacks, in particular in the context of armed conflict. It is argued that cyberattacks in the context of armed conflict are not prima facie accidental. In this particular case, the time chosen for the cyberattacks and the hostilities in eastern Ukraine indicate the direct or indirect involvement of the Russian Federation. Therefore, the need for technical and political attribution, which would comprehensively take into account all available indicators, is substantiated by the example of these cyberattacks. The work identifies the main practical steps for the effective attribution of cyberattacks against critical infrastructure. The necessity of attribution within the framework of public-private cooperation is proved.
The advantages and disadvantages of possible models of interaction were assessed and the optimal one was identified, which foresees the involvement of state agents and private sector representatives. The 2020 EU Cybersecurity Strategy, which contains a model of interaction between public and private entities on the basis of the European shield and introduces a cyber diplomacy toolbox, has been analyzed. Based on that, it was determined that the cyber sanctions instrument imposed by the Council of the EU is a step toward legal attribution. Prospects for the use of cyber sanctions at the universal level, for example within the UN, have also been identified. At the same time, to increase their effectiveness, it is more appropriate to use sectoral sanctions instead of individual ones. The dissertation also attempts to assess the prospects of an interstate dispute concerning the attribution of cyberattacks on critical infrastructure within the framework of the International Court of Justice. It is concluded that the legal consideration of such an interstate dispute can solve a number of theoretical and practical problems regarding the application of customary norms on attribution to cyberattacks and its peculiarities.