The knotty issue of holding countries responsible for cyberattacks

Evgeni Moyakine is investigating whether countries can be held responsible for cyberattacks by hacker groups. He believes that the standards set by international law regarding the burden of proof are too stringent. In the war in Ukraine, digital attacks are already in use as weapons of war.

_{Text: Jurgen Tiekstra}

Just months after the Malaysian passenger plane MH17 was shot down over eastern Ukraine in the summer of 2014, Evgeni Moyakine obtained a PhD in International Law from Tilburg University. The plane tragedy affected him deeply, not least because among the 298 passengers who lost their lives that day was a man he knew well: Professor Willem Witteveen, his senior colleague at the Faculty of Law. Witteveen’s wife and daughter also died that day.

‘I had spoken to him shortly before he died,’ explains Moyakine, now Assistant Professor in IT Law and Cyber Security. ‘It was terrible. I couldn’t get my head around it. There I was, studying International Law and working on my doctoral research into state liability, and one of the questions I was trying to answer was how to ensure that countries like Russia can be held responsible when incidents like this take place. What happened with flight MH17 made the whole question even more relevant to me personally.’ And let’s face it, the topic was already pretty close to home, given that Moyakine was born in what he chooses to call ‘the former Soviet Union.’

At the end of 2014, Moyakine defended his doctoral thesis on the responsibility of countries such as the United States under international law when private military companies commit violations of human rights law and international humanitarian law. A notorious example is the American company Blackwater’s lawless behaviour in Iraq and Afghanistan.

Cyber Operations

Moyakine is still studying state responsibility, but now specifically in the context of Cyber Operations (COs), defined as digital attacks carried out by private groups who often have links with state governments. We should note that not all such cyberattacks are carried out by non-Western countries. Take, say, the well-known example of the Stuxnet computer worm that was used to damage a uranium enrichment plant in Iran in 2009. The public secret is that Israel and the US were involved, as well as - in all probability - a Dutch General Intelligence Service agent. The Stuxnet virus violated international law, but nobody was punished. Why not? Because it is difficult to prove who is behind a digital attack of this nature.

First of all, how vulnerable is a country like the Netherlands to cyberattacks? ‘The answer is simple: very, very vulnerable,’ says Moyakine. ‘The Netherlands is one of the world’s most highly digitized, economically developed countries, with an advanced technical infrastructure. I always tell my students that according to research, a cyberattack takes place every 40 seconds somewhere in the world, involving Distributed Denial of Service (DDoS) attacks, ransomware, and other types of malware. Cybersecurity company Kaspersky actually has a website that maps attacks in real time as they are detected.’

Ransomware

‘Ransomware is probably one of the greatest threats at present. It is impacting various organizations. Recent targets include the Royal Dutch Football Association (KNVB) and the Dutch Research Council (NWO). I was interested to hear the Dutch Minister of Education say that “the government does not negotiate with cybercriminals.” That prompts an important ethical question – one that I like to present to my students: is the Minister right? Private and public organizations often process personal data. In the case of hospitals, this can include medical information. By refusing to pay the ransom, you risk all that information being made public.

The KNVB is reported to have paid one million euros. In 2019, the University of Maastricht also paid a ransom: 200,000 euros in bitcoin. But in the end, the police managed to get the money back. And because bitcoins had increased in value in the meantime, the university actually got 300,000 euros back! They invested the extra money in a fund for students experiencing financial difficulties.’

The most notorious ransomware is LockBit. In early May, a probable suspect emerged: the Russian Dmitry Khoroshev. The problem is that Russia never extradites its own citizens and Russia itself is unlikely to be extorted. ‘LockBit doesn’t mess with Russians,’ explains Moyakine. ‘Actually, it will leave you alone if it sees that you have Russian in your language settings. So, you could always try adding Russian to your settings as a protective measure, but of course there’s no knowing how long that will remain effective.’ 

Physical damage

In the Netherlands, there have been fears for years that a cyberattack might result in damage to crucial infrastructure, such as locks and bridges. But physical damage is rare. ‘Fortunately, so far, we have never experienced a digital attack on the Netherlands that has disrupted our infrastructure,’ Moyakine confirms, ‘but it did happen in Ukraine in 2022 when the Russians struck their power system, leaving people without electricity and heating. If something like that happens in the winter, people can die. The perpetrators were hackers who were thought to be working in collaboration with the Russian authorities.

It’s really difficult to pin responsibility on countries,’ says Moyakine, ‘not just because it’s hard to gather enough evidence, but also because international law is bogged down by outdated theories. You want to start by identifying a culprit - the person who carried out the attack. And then you want to expose their ties with the state. We have the International Court of Justice in the Hague, one of whose tasks is to see to it that damages are paid. But that also opens the way for states that have been attacked to defend themselves and to take countermeasures.’  

State control

Moyakine thinks that as it stands, the burden of proof threshold is too high. ‘Suppose that a private entity or individual is being controlled by the state. Before the International Court of Justice can hold the state responsible, the control must be found to have been “effective.” This means that at every stage of a cyber operation, the state must have exerted sufficient control and been able to determine whether the operation stopped or went ahead. The Yugoslavia Tribunal, on the other hand, has ruled that control can be “overall,” meaning that a state must be found to have fulfilled a certain role in setting up the operation, financing it, training the people, providing viruses, and so on. In other words, their threshold for ascertaining state control is much lower. But given the way things are developing, I think it’s important to develop a clear control test. One possibility is the “working in tandem” concept devised by the lawyer Collin Allan. The idea is that if a state and a group of hackers collaborate with each other and cyber operations are carried out at the same time as other operations, that constitutes sufficient grounds for saying that state responsibility cannot be ruled out. We lawyers have a contribution to make to this debate. My hope is that government lawyers will read our documents and give this theory their thoughtful consideration.’

This article has been taken from our alumni magazine Broerstraat 5.

Further information

Evgeni Moyakine