Would current thinking have made a difference in the way states – and other actors in the normative field – could (and would) judge these attacks should they happen today? Do the new norms and interpretations of laws and norms that states and other actors have formulated make a difference in calling out cyber operations?

Taking recent normative developments and emerging state practices as primary points of refence, this publication investigates how the current normative landscape can shed light on the nature, (il)legitimacy, and (un)lawfulness of these past operations. For each case, the analysis engages with: i) the elements triggering the violation of norms, principles and international law; ii) the legal and normative significance of recent sources of norms and interpretations of international law; and iii) the legal and political obstacles still lying beyond their application. Taken together, the reassessment of these cyber operations reveals how, in hindsight, the international community has come a long way in calibrating its normative language and practices in calling out irresponsible behaviour in cyberspace. With states taking small, but unprecedented, steps through public attributions and statements on international law in cyberspace, most of the past cyber operations analysed here would arguably feature an attribution in the current climate. At the same time, substantial differences in national interpretations of international law continue to stand in the way of clarity on the terms of its application. In light of this, this article ultimately suggests that cyber norms and the interpretations of international law require further granularity to become ‘lines in the sand’.

Public attribution

This study aimed to see whether recent efforts to formulate and interpret legal and/or normative lines of significance to judge the (un)lawfulness and (il)legitimacy of cyber operations could lead to a different legal and normative evaluation of a number of notorious cyber operations that occurred between 2010 and 2017. 

In the current climate, some of the cyber operations analysed would almost certainly not go without a public attribution if they happened today and, in the case of some of the more damaging attacks (Stuxnet, the Ukrainian power grid and NotPetya), these would now be more likely to be called out in terms of international law and norms of state behaviour. Recent public attributions of the SolarWinds operation indicate that even states’ patience with high-level cyberespionage cases becomes more limited. If the website defacements in Georgia are condemned as a violation of sovereignty in 2020, it would be hard to call out a cyberattack on the power grid of a sovereign state as anything less, should it occur today. In that sense, states are slowly raising the stakes for attribution and the legal and normative lines of significance to call out irresponsible state behaviour in cyberspace. Public attribution thus paves the way for international law to play a role, but only states can make it a reality.

• cyber norms
• cybersecurity
• diplomacy
• international law