By: Harriet Moyanian, Amal Clooney and Philippa Webb
As geopolitical tensions escalate, cyberattacks are on the rise, with public services frequently targeted. More than 130 countries have experienced cyber disruptions. In recent years, ransomware attacks in Costa Rica paralyzed essential services for months.
A cyberattack on Albania paralyzed the border entry system and exposed the identity of police informants. Long-running ransomware attacks on Ireland's health system threatened the radiation treatment of hundreds of cancer patients.
AI technologies are "democratizing" cybercrime, as tools like ransomware-as-a-service have become so easy to access. In addition to the human cost - including delayed hospitalization, power outages, and disruption to education - economic losses are mounting.
Last year alone, ransomware attacks targeted 389 healthcare organizations in the United States. It is predicted that by 2031, ransomware will target a device every two seconds, at an estimated annual cost of $265 billion to victims.
To date, states have adopted a range of strategies to counter these cyber operations, such as dialogue (including at the UN and among regional bodies), naming officials or state sponsors, imposing sanctions on suspects, or disrupting supply chains. But the judicial track has been underutilized, with perpetrators of cyberattacks rarely having to appear in court.
State-to-State Cyber Litigation before an International Court?
Recourse to inter-state litigation is becoming more common, with nine cases registered with the International Court of Justice between April 2023 and 2024 - almost four times the annual average of previous years. However, there are reasons why a victimized state may not want to file an interstate case, even if it can gather enough evidence to prove the attribution of a cyberattack to another state.
First, many states are reluctant to allow an independent third party or court to rule on the substance of the dispute, especially in the context of covert cyber operations and the sensitivity of the evidence.
Second, states rarely characterize cyber operations against them as a violation of international law, precluding the existence of a legal "dispute." Major cyber powers may want to preserve their freedom of operations, so they characterize attacks against them as "malicious" or "irresponsible" rather than "illegal."
Accountability through the judiciary
For less powerful states that are subjected to malicious cyberattacks, going to court can be an attractive option, especially if it leads to tangible compensation. Some countries have sought legal advice on the possibility of bringing a state-to-state claim in response to cyberattacks that have significantly affected their infrastructure or population.
Challenges in cyber litigation include gathering evidence to identify perpetrators, and attributing the attack to the state according to the rules of state responsibility. Attribution techniques have improved thanks to international and public-private cooperation. There have also been proposals for independent mechanisms to gather facts and take cases to the International Court of Justice or the Security Council, as well as proposals for state-led mechanisms to develop standards of evidence for cyberattacks and lists of experts that states can consult.
Territorial claims and human rights
Cyber claims may be brought before regional human rights courts, for example, if states are party to the European Convention on Human Rights, a complaint can be brought for a violation of the right to life or a state's failure to investigate alleged violations.
Criminal prosecution of individuals
If a cyber operation can be attributed to an individual, they can be prosecuted domestically. The Budapest Convention on Cybercrime and the new UN Convention against Cybercrime encourage states to criminalize cyber activity and cooperate in investigation and prosecution. However, prosecution is rarely undertaken due to the complexity of evidence, its spread across multiple borders, and investigators' reliance on the private sector to preserve and analyze evidence.
Recent successes
Recent years have seen successes in combating cyber-attacks, such as Operation Kronos, led by the British National Crime Agency and the FBI in coordination with Europol and Eurojust against the LockBit group, which resulted in the seizure of its sites and servers in several countries and the arrest of its members.
Future trends
With the proliferation of state-sponsored cyber operations, states are likely to turn to the judiciary to hold perpetrators accountable, whether through international or domestic courts. Civilian victims can also seek compensation in cases before European courts. As evidence gathering, liability determination, and multilateral cooperation evolve, clearer paths to legal accountability emerge, suggesting that cyber cases will soon appear on the court docket, with victims getting their day in court.
comments