Beyond Naming and Shaming: Accusations and International Law in Cybersecurity

Abstract

Accusations of bad state behaviour in cyberspace are proliferating, yet this increase in naming has not obviously produced much shame. Accused states uniformly deny the accusation or decline to comment, without changing behaviour. For international lawyers, the problem is compounded by the absence of international law in these charges. States are not invoking international law when they complain of other states’ behaviour, suggesting the law is weak – or worse, irrelevant – in holding states accountable for their cyber operations. In lieu of ‘naming and shaming’, we introduce and examine the broader concept of ‘accusation’ as a social, political and legal practice with diverse uses in cyberspace and beyond. Accusers must make strategic choices about how they frame their accusations, and we unpack various elements accusers may manipulate to their advantage. Accusations also have many purposes. They may seek to ‘name and shame’ an accused into conforming to certain behavioural expectations, but they may also aim at defensive or deterrent effects on both the accused and, crucially, on third parties. Particularly important, accusations may play a constitutive role, constructing new norms, including customary international law, within the international community. In short, accusations offer states and other stakeholders a menu of strategic options beyond those identified by the extant literature on naming and shaming.

1 Introduction

Once upon a time, hacking victims had little to say about the harms they suffered. Victims might never know they had been hacked and when they did, fears of reputational harm often kept them from disclosing it. In either case, cyberspace’s technical architecture meant those responsible could often remain anonymous.¹ Victims had trouble discerning if their adversary was the proverbial basement-dwelling teenager, a shadowy cybercriminal organization or a nation state’s intelligence or military services. As the number of states developing offensive cyber capabilities grew, conventional wisdom held that this ‘attribution problem’ posed serious – and perhaps insuperable – obstacles to enforcement by states of any rules in cyberspace.² The attribution problem complicated applying existing international legal regimes (e.g. international humanitarian law) whose operation depends on knowing a perpetrator’s identity. More importantly, the attribution problem stymied efforts to clarify what international legal rules apply when cyber operations target civilians and their infrastructure outside of armed conflicts.³

Times have changed.⁴ Over the last decade, 28 states – including China, Iran, North Korea, Russia, the United Kingdom and the United States – stand accused of conducting or supporting cyber operations with serious impacts on governments, peoples and resources.⁵ These accusations ‘naming’ a state and its cyber operation(s) come from a variety of sources, including other states, demonstrating an increased willingness to ‘name names’.⁶

All this increased naming, however, has not obviously produced a lot of shame. States accused of conducting or supporting cyber operations uniformly deny the accusation, point the finger at someone else or decline to comment.⁷ They show few signs of changing behaviour.⁸ The United States and China did reach an understanding in 2015 prohibiting commercial cyber espionage, following the US indictment of five People’s Liberation Army (PLA) officers for such behaviour.⁹ China’s commitment, however, appears to have been more a response to domestic politics, and was – in any case – short-lived.¹⁰ Thus, there is widespread scepticism about the capacity of so called ‘naming and shaming’ to curb unwanted behaviour in cyberspace.¹¹

For international lawyers, the recent spate of accusations is troubling for a different reason – the accusers almost always fail to invoke international law. The international legal system operates, at least in part, via ‘protests’ – formal objections by states and other subjects ‘against a conduct or a claim purported to be contrary to or unfounded in international law’.¹² In other contexts (e.g. human rights, the environment), ‘naming and shaming’ complaints often take the form of protests, explicitly tied to violations of treaty terms or customary international law rules.¹³ When it comes to state-sponsored cyber operations, however, accusers have studiously avoided invoking international law, let alone assessing if behaviour comports with its rules. Cyber operations are simply labelled as malicious, as irresponsible or as violations of ‘international norms’.¹⁴ Efrony and Shany highlight how ‘remarkable’ it is having ‘so little in the practice of victim states to indicate that [their international legal rights] actually guide their conduct when confronted by cyber operations …’.¹⁵

This reluctance to invoke international law might suggest that law is weak – or worse, irrelevant – in holding state actors accountable for their cyber operations.¹⁶ However, focusing on international law’s absence in accusations risks missing the larger effects that accusations may have on both compliance, and on the law itself. Certainly, social science suggests accusations can change an accused’s behaviour.¹⁷ International relations scholars have spent years studying the phenomenon of ‘naming and shaming’ states.¹⁸ That research shows that public accusations of international law violations, most often in the human rights context, led certain accused states to conform with – or at least reduce their deviation from – international law. However, much of this scholarship (like the state practice it studies) assumes that shaming is the only effect of naming and that it occurs unproblematically.¹⁹ It neglects both the other, independent effects that naming can have and the varied forms naming may take. Moreover, it presupposes a norm already in place to generate shame, rarely a warranted assumption for cybersecurity. Thus, we need a better analytic tool to investigate the diverse forms and potential effects that follow claims of state responsibility for cyber operations.

In lieu of ‘naming and shaming’ or ‘protests’, we develop the concept of ‘accusation’ to better capture the variation in the legal and political processes at work in these claims. Accusations make no prior assumptions about the goal of the ‘accuser’ (i.e. not always to ‘shame’) or about an accusation’s effects (i.e. not always to enforce existing international law). Unpacking the concept, we understand accusations to be comprised of at least two of three discrete processes:

• (i) attribution (the process of ascribing what happened to a particular actor or territory);

• (ii) exposure (the process of disclosing what happened to third parties);

• (iii) condemnation (the process of signalling disapproval of what happened).²⁰

Accusations can include all three processes, as when the United States accused the Russian Federation of interference in its 2016 presidential election.²¹ Other accusations may feature only two elements. Accusers can choose to attribute and condemn what happened without exposing it – i.e. making accusations via private or diplomatic channels. Or, accusers can expose and condemn what happened without disclosing (or even knowing) to whom it may be attributed.

Our elaboration of the concept of accusations in cybersecurity proceeds in five main parts. First, we develop the ‘accusation’ concept and survey its appearance in recent cyber practice (Section 2). Second, we identify different functions that accusations may serve for states and other actors based on cyber accusations made to date (Section 3). While accusations may aim at enforcement of the accuser’s preferred rules and norms, accusations can also deter, aid defence and, importantly, contribute to the emergence of new norms and international law. Third, we describe an accusation’s different components and show how these may be manipulated in various ways to achieve the desired goal(s) (Section 4). Fourth, we discuss external conditions that may influence an accusation’s efficacy (Section 5). We conclude by examining implications of cybersecurity’s accusation dynamics for international law (Section 6). Accusations are not merely vehicles for enforcing international law; they can also serve as building blocks for its creation. Accusations – and responses to them – may comprise the requisite evidence of state practice and/or opinio juris for the construction of customary international law. States and other actors need to understand the broader potential of their accusations, and shape their accusations – and responses – accordingly.

Appreciating the forms and functions of accusations enriches our understanding of both international relations and international law. Accusations are bread and butter in politics of many types, not just in cybersecurity. But international relations scholars have paid little attention to how they are deployed, what effects they create and the strategic choices entailed in their creation and use. For international lawyers, the cybersecurity context provides a valuable case-study of how international law may be constituted in the shadows. State silence on international law in the cyber context does not signal the law’s desuetude. Accusations may play a crucial role, not just in enforcing international law, but also in constituting it. This more detailed understanding of how accusations can be constructed and deployed to various ends will help states and other stakeholders better manage cybersecurity challenges and the development of law on this issue.

2 Accusations: Defining the Concept in Theory and Practice

Accusations are a regular feature of all social interactions. A parent may accuse her child of causing a sibling to cry; a non-governmental organization (NGO) may accuse a company of using child labour; shareholders may accuse CEOs of mismanagement. In the context of this article on global cybersecurity, we define an accusation as the process by which one or more actors allege that a state bears responsibility for a cyber operation.²²

Our accusation concept captures more behaviour than fits under the ‘naming and shaming’ umbrella and avoids some of its problematic presumptions.²³ For example, ‘naming’ presupposes that charges are public, but that is not required for accusations.²⁴ Accusers can, and often do, communicate their charges privately to an accused or make accusations in closed settings. The nature and scope of ‘shaming’ also requires more specification. It might refer to the accuser’s acts (e.g. ‘X shamed Y into action’), but whether Y felt shame (or if shame is even possible in institutional actors like states) is ambiguous in the ‘naming and shaming’ construct. An accusation, in contrast, focuses our attention on behaviour by the accuser, alone. It makes no presumptions about effects upon the accused.

Notions of ‘naming and shaming’ also implicitly assume (and often conflate) both the normative virtue of the demanded action and the accuracy of the claims made against the ‘shamed’. Our concept of accusations makes no such assumptions. Accusations may prove inaccurate or false under scrutiny, but scrutiny takes time and sometimes creates confusion that can be strategically useful. Perpetrators of cyber operations may attempt to ‘false flag’ their origins. Alternatively, victims might knowingly accuse an innocent party for various reasons, whether to cause the accused state reputational harm, to sow confusion or to avoid appearing incompetent before domestic audiences with respect to the capacity to identify a cyber operation’s actual provenance.²⁵

Given these issues, it is not surprising that global cybersecurity has avoided the ‘naming-and-shaming’ moniker. States and scholars have instead increasingly focused their attention on the concept of ‘attribution’.²⁶ Unfortunately, that term has multiple distinct meanings, some technical, some legal and some political.²⁷ ‘Technical’ attribution may refer to identifying (i) the machine from which a cyber operation arises, (ii) the operator of that machine or (iii) the person or entity who directed the operator to act.²⁸ All three of these are distinct, one from another, and also distinct from legal or political attribution, which seeks to assign responsibility for ordering a cyberattack to its authors or to identify the location from which it originates.²⁹

We agree that attribution is an important task for global cybersecurity. Many accusations include an aspect of attribution. Yet, the concepts are not synonymous. Accusations can occur without attribution (i.e. when accusers say, ‘we do not know who did this, but it happened, and it was bad’). And where the concepts do overlap, accusations highlight additional issues for attention beyond where the malware originated or who launched it.

For this paper, we constrain our accusation definition to cases involving state or state-sponsored cyber operations for three reasons. First, accusations against non-state actors have existed since The New York Times accused Robert Morris of authoring the first computer virus.³⁰ Today, these accusations are ubiquitous, encompassing, for example, all cybercrime charges in every state. As a practical matter, assessing hacking accusations in toto is simply too unwieldy for an initial conceptual analysis such as this. Second, by focusing on accusations against states we work with the primary unit of analysis for both international law and international relations. While we believe our framework could be employed by researchers to investigate accusations by other international actors in other international contexts, we do not do so here.

Third, our concept captures a new – and expanding – behavioural phenomenon. In 2007, Estonia’s Foreign Minister accused Russia of being behind directed denial of service (DDoS) attacks that significantly disrupted that country for three weeks.³¹ Since then, researchers have catalogued an increasing and diverse practice of state-sponsored cyber operations. Accusations about these operations include allegations against individuals or ‘threat groups’ reportedly affiliated with a state as well as against states themselves.³² Accusations may be made by non-governmental actors, including information and technology communication (ICT) companies, cybersecurity vendors or academic institutions.³³ Alternatively, states themselves may make accusations against other states. These can take different forms, including (i) criminal law indictments of individuals affiliated with a state, (ii) economic sanctions, (iii) technical warnings and (iv) press releases.³⁴ In some cases, states appear to rely on non-governmental proxies to make their accusations for them.³⁵ Most recently, states have begun to make collective accusations, issued contemporaneously or even jointly.³⁶ Taken together, accusations are a new and important aspect of the geopolitics of cybersecurity; they require attention from states and scholars alike.

3 What Can Accusations Achieve?

What purpose do accusations serve? We focus here on four reasons an accuser may deploy an accusation: (i) enforcement; (ii) defence; (iii) deterrence; or (iv) constitution.³⁷ Some accusations may focus on achieving only one of these purposes; others may pursue multiple purposes sequentially or simultaneously. In every case, however, accusations are provocative, seeking to launch a broader chain of political, social, or legally significant events.

A Enforcement

Enforcement is the function most often associated with the ‘naming and shaming’ literature. Accusations often call out undesirable behaviour as a means to alter that behaviour in line with the accuser’s behavioural expectations. The basic logic of such accusations is straightforward. Bad actors usually seek to hide their bad actions. Polluting firms would prefer we not know about their activities.³⁸ Companies engaged in questionable financial practices may not welcome public scrutiny.³⁹ Human rights- violating governments usually prefer to torture and ‘disappear’ their opponents in secret.⁴⁰ Public exposure or revelation of the bad behaviour (‘naming’) seeks to impose reputational damage and/or moral discomfort (‘shaming’) on the bad actor, thereby inducing a change in that behaviour.

The enforcement logic lies behind a number of accusations in the global cybersecurity context, especially those involving states as the accuser. It was the rationale behind President Obama’s accusation that North Korea was responsible for the Sony Pictures hack and of subsequent US charges and sanctions against a named Pyongyang operative, Park Jin Hyok.⁴¹ US indictments of specific Chinese and Iranian individuals affiliated with their respective governments had a similar purpose in the absence of agreed mechanisms to bring them before US courts.⁴²

Accusations may thus seek to force compliance by a state merely by making the accusation. In other cases, accusations may pursue enforcement more indirectly. Accusers may, for example, issue accusations to ‘persuade a set of third-party actors to generate support for sanctions’, with those sanctions triggering the desired enforcement.⁴³ Accusations are also required to deploy domestic criminal penalties, including those against individuals acting at the direction of, or on behalf of, states who control them. Since first indicting five PLA officers, the United States has pursued indictments with increased frequency.⁴⁴ And, although most of the accused have escaped law enforcement, the United States did arrest a Chinese national in 2017 on charges of participating in hacks on the US Office of Personnel Management (OPM) detected in 2014 and 2015.⁴⁵ More recently, the United States succeeded in extraditing from Belgium Yanjun Xu, a deputy division director in China’s main spy agency, the Ministry of State Security, for allegedly committing cyber espionage against US suppliers of commercial and military aircraft.⁴⁶

Accusations can also be deployed to enforce international law via its two traditional vehicles for obtaining the cessation of wrongful behaviour: retorsion and counter-measures. Acts of retorsion are unfriendly – but lawful – acts (e.g. the expulsion of diplomats) designed to respond to an unlawful act.⁴⁷ Counter-measures are non-forceful acts that would otherwise be illegal, but which international law permits when conducted by a state in response to another state’s prior wrongful act(s).⁴⁸ For a state to engage in either retorsion or counter-measures, however, requires some accusation articulating the requisite wrongful acts that form the basis for it to pursue the enforcement of its legal rights.⁴⁹

The Trump Administration has recently touted enforcement as the core of its ‘naming and shaming’ strategy. In describing the increasing number of US accusations of state-sponsored cyber operations, Jeanette Manfra, then the Department of Homeland Security’s Assistant Secretary for Cybersecurity and Communications, made clear their purpose: ‘The U.S. … wants to alter the behavior of nations that are carrying out attacks …. The broader policy purpose still remains [that] we need to be able to hold bad actors accountable.’⁵⁰

B Defence

Manfra, however, also articulated a second function that accusations can serve: defence.⁵¹ Accusations provide information on what happened that can have great utility to third parties. This is especially important for cybersecurity where an accusation ‘may encourage victims or other vulnerable populations to bolster network defenses’.⁵² Thus, a number of accusations regarding cybersecurity operations have included technical indicators of compromise (IOCs) to assist other potential victims in identifying and defending against the malware in question (or future manifestations of it). Accusations about the Trisis/TRITON malware – which could result in loss of life by disrupting emergency shutdown systems within industrial plants – focused on detailing the nature of the threat without identifying its specific authors.⁵³ Similar defence-oriented contents have accompanied other accusations, including those associated with Russia’s 2016 electoral interference and the malware that targeted Ukraine’s power grid in 2015.⁵⁴

C Deterrence

Accusations may do more than assist third parties in defences; they may seek to deter potential perpetrators from ever engaging in the unwanted activity in the first place.⁵⁵ By exposing a state’s cyber operations, accusers signal that others cannot engage in similar behaviour without public attention. Cyber operations are often attractive precisely because perpetrating states think that they can be deployed anonymously – i.e. the operation will be undetected, the perpetrator can keep its own role unclear or perhaps it can foist blame onto another state or non-state party (a ‘false flag operation’).⁵⁶ Diminishing anonymity may change the cost–benefit calculus of states contemplating cyber operations; in some cases, it could deter them from acting at all. Thus, UK Foreign Secretary Jack Straw explained his government’s motivations for accusations about cyber operations by Russia’s military intelligence agency, the GRU, as follows: to ‘expose and respond to the GRU’s attempts to undermine international stability’.⁵⁷ Deterrence was also likely among the reasons that seven states – Australia, Canada, Denmark, Lithuania, New Zealand, the United Kingdom and the United States – accused the Russian Federation of launching the NotPetya ransomware.⁵⁸ Similarly, deterrence interests may explain accusations discrediting false flag cyber operations, including reports that Russia – not ISIS – conducted a cyberattack knocking TV5Monde off the air in France, and that Russia – not North Korea – disrupted the information infrastructure associated with the 2018 Winter Olympic Games.⁵⁹

D Constitution

Finally, accusations may be constitutive of new norms and law, or new interpretations of their meanings. In many cases, an accusation ‘sends a public message about correct and appropriate behavior’.⁶⁰ In the human rights context, accusations often invoke well-established legal norms of behaviour (e.g. prohibitions on torture or genocide; freedoms of expression or religion) against which the accused’s behaviour is measured.⁶¹ In such cases, the norm’s existence is already widely acknowledged and the constitutive role of accusations lies in elaborating its meaning with respect to new circumstances or actors. A similar process could occur within cybersecurity whereby an accusation references pre-existing norms, offering an interpretation that other actors (e.g. the accused, third-party states) could accept, reject or ignore. These interactions may thus interpret and articulate the meaning of the norm in ways that clarify future expectations for state behaviour.

But accusations may also play a key role in constructing new norms from scratch. They can do this in several ways. The most prominent cyber operations (Estonia, Stuxnet, WannaCry) are defined by their novelty; they did things never seen before or on a scale not previously thought possible.⁶² It was often unclear if any norm existed to govern states engaging in these operations.⁶³ In such cases, an accusation serves as an opening bid, aimed at a particular community, indicating not just the accuser’s disapproval of the cited operation, but often, too, its proposal (perhaps implicit) that all such conduct should be barred, i.e. that there should be a norm against such conduct.⁶⁴ Accusations may thus lay out the contours of ‘bad behaviour’ along with an argument about why, exactly, the behaviour is undesirable. Other actors may then respond to the accusation. They may accept some of it; they may accept all of it; they may accept it in some situations but not others; or they may reject it entirely. It is these interactions between the accuser, the accused and third party audiences that – over time – may result in the creation of a new norm (or its failure).⁶⁵

The United States may have employed such a constitutive strategy in suggesting that certain cyber operations (e.g. the Sony Hack, 2016 election interference) violated ‘established international norms’.⁶⁶ Ambiguity in the US statements leaves open which norms it believes were violated, and the accused have denied the US charges.⁶⁷ Nonetheless, the US accusations also served as an invitation to other like-minded states to express similar views on the appropriate norms of behaviour. In the case of US accusations about election interference, foreign and security ministers from the G7 subsequently issued a joint statement denouncing foreign attempts to interfere in democratic processes, including ‘through cyber-enabled activities’.⁶⁸ That norm was then endorsed by 1000+ governments, firms, universities and civil society institutions who have signed the French Government-led, Paris Call for Trust and Security in Cyberspace.⁶⁹

Accusations may also help construct new norms by supporting extant norm proposals. For example, in 2015, the consensus report of the UN Group of Governmental Experts (GGE) on Information Security identified 11 ‘voluntary’ norm candidates for responsible state behaviour in peacetime.⁷⁰ States have endorsed these subsequently in various fora, yet concerns about operationalizing them remain.⁷¹ Accusations offer a way to do this; states might consider incorporating references to GGE norms in their accusations to signal to the accused (and the international community as a whole) that these norms are more than words on paper, adding clarity to expectations for appropriate state behaviour going forward. Similarly, accusations might complain about non-conformance with best practices or confidence-building measures like those promulgated by the Organization of Security and Cooperation in Europe to help constitute them as normative expectations.⁷² Cyber accusations could help build out legal norms in similar ways. Several scholars have already examined accusations of cyber operations such as WannaCry and Russia’s 2016 election interference in terms of their (non)conformance with existing rules of international law.⁷³ Although states have not done so to date, they could take similar steps to incorporate legal claims in their accusations.

It would be a mistake, however, to assume that a state’s silence on the international legal implications of its accusation means that the accusation has none. Customary international law does not emerge immediately and fully formed. It is the product of interactions and iterations over time, where a sufficiently uniform practice is generally (although not universally) accepted as opinio juris (i.e. recognized as being legally obligatory).⁷⁴ Today’s accusations may serve as early evidence of a ‘usage’ – that is, a habitual practice followed without any sense of legal obligation. If such accusations persist and spread over time, states may come to assume that these accusations are evidence of opinio juris, delineating which acts are either appropriate or wrongful as a matter of international law.⁷⁵ In other words, accusations can directly contribute to the formation of customary international law.

While accusations may help construct or elaborate some new international law rules, they can also do the opposite: they can help undermine the development of other, potentially permissive, customary international laws.⁷⁶ By objecting and making accusations of wrongdoing, states and other actors can limit the potential for the accused’s behaviour to become legally accepted. The UN International Law Commission emphasized this point in its recent Draft Conclusions on Identifying Customary International Law, noting how a failure to react to behaviour can constitute evidence that it is lawful.⁷⁷ In other words, ‘tolerance of a certain practice may indeed serve as evidence of acceptance as law (opinio juris) when it represents concurrence in that practice’.⁷⁸ Thus, whether or not states currently characterize their cyber accusations in explicitly legal terms, by signalling disapproval of certain cyber acts (as President Obama did with respect to Chinese cyber espionage), these accusations counteract claims that the accused state’s operations are (or are becoming) permitted by international law.⁷⁹

4 Disaggregating Accusations: Attribution, Exposure, Condemnation

Successful accusations require factual knowledge of cybersecurity incidents. Such information is not always cheap or easy to obtain, but assembling the corroborating details of malicious activity to construct accusations can be an important legal tool for an array of savvy actors seeking to enforce, deter, defend or delineate bad behaviour online. But just as accusations may differ in why they are made, they may also differ in how they are formulated. Broadly conceived, accusations of malicious cyber activity share some or all of three common features: (i) attribution, (ii) exposure and (iii) condemnation.

A Attribution

Attribution is the process of answering the age-old question of who did what, exactly.⁸⁰ In international politics, efforts to attribute actions to named actors can take many forms, including individual investigations, fact-finding missions, truth and reconciliation commissions and the decisions of international courts and tribunals.

For our purposes, attribution is the identification or assignment of responsibility for a cyber operation.⁸¹ Unlike physical and static identifiers used in other contexts (e.g. fingerprints), digital attribution involves very different technical indicators and patterns that may complicate the process.⁸² Much of the cybersecurity literature focuses extensively on these technical aspects of attributing responsibility for cyber incidents.⁸³ Yet, as Herb Lin emphasizes, cyber attributions may require more than a technical analysis, depending on their goal(s). Does attribution seek to identify (i) the machine that enabled intrusion into the victim’s systems; (ii) the human perpetrator that set the intrusion in motion; or (iii) the adversary (e.g. a state) directing that human and ultimately responsible for the incident?⁸⁴ The latter two efforts will usually require other sources of intelligence beyond the technical indicators that point to a particular IP address or network.

Whatever the goal, cyber attribution is not binary – possible or impossible. Rather, as Rid and Buchanan explain, cyber attributions vary in both confidence and specificity.⁸⁵ Thus, when the University of Toronto’s Citizen Lab uncovered the ‘Ghostnet’ cyber espionage network targeting Tibetan institutions, its analysis circumstantially pointed to China as the culprit, but never formally named the identity of the attackers.⁸⁶ In contrast, the UK Foreign Ministry indicated that it was ‘highly likely’ that ‘North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign’.⁸⁷ A US cybersecurity company, Mandiant, concluded that Unit 61398 of China’s PLA was the source of a long-standing commercial cyber espionage campaign, baring

A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure . . . engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.⁸⁸

Accusers can always attribute with less certainty or specificity than their actual knowledge, and often do so to protect sources and methods. It is also possible to have attribution at one level (e.g. to a machine, to a territory, to a person, to a state) but not others. Jason Healey, for example, shows it is possible to attribute responsibility for a cyber operation to a particular state even without evidence permitting attribution to particular individuals.⁸⁹

B Exposure

Exposure refers to the publicity an accusation receives. Accusers face an array of strategic choices about how, and how much, to expose about a cyber operation. Some accusations are communicated privately between the accuser and the accused.⁹⁰ Other accusations may be more public, communicated among members of a specific and limited community. Still others may be shared widely with the public at large. Of course, we have multiple examples of the latter in the cybersecurity context, from Estonia’s public claims of Russian responsibility for the 2007 DDoS attacks against its systems, to the US, UK and Australian accusations that North Korea launched WannaCry.⁹¹

The content of private or semi-private accusations is, by design, harder to discern, but their use is clearly widespread. Transnational technical communities (e.g. FIRST) or industry collectives (e.g. the Cybersecurity Tech Accord) certainly have information that could underpin accusations, but may be reluctant to share it publicly because of concerns that doing so might harm individual members of these groups.⁹² Similarly, private accusations by states, perhaps through diplomatic channels, may be a useful first step in an escalatory ladder. After formally accusing Russia of using cyber means to interfere in the 2016 US presidential election, for example, President Obama revealed that he had first privately conveyed the accusation to President Putin directly.⁹³

Accusers interested in exposure of a cyber operation must choose what vehicle they will use and what evidence to share. Accusers may proffer accusations, themselves, directly. States can use press releases and speeches to make accusations; private cybersecurity companies issue reports detailing their claims.⁹⁴ Alternatively, accusers may use proxies to expose information about a cyber operation. Proxies, as agents, might be engaged by and answerable to a variety of principals. States may use proxies, as the USA used Mandiant and its APT1 report as part of a larger effort to accuse China of acts of commercial cyber espionage.⁹⁵ CrowdStrike was authorized by its client – the Democratic National Committee (DNC) – to make public its accusation that Russia had hacked the DNC’s systems.⁹⁶ Media reports may perform a similar function, using ‘anonymous’ government sources to advance or confirm the existence of an accusation. Although they were unwilling at the time to accuse Iran directly, US officials used media outlets in 2012 to publicize their views that Iran had launched a series of cyberattacks against US banks.⁹⁷

As with attribution, accusers must also make strategic choices about how much documentation to employ when exposing a cyber incident. Detailing – and documenting – what happened bolsters an accusation’s credibility.⁹⁸ Part of what has made accusations from the likes of Mandiant (now FireEye) or the University of Toronto’s Citizen Lab so powerful are the technical details employed to support their claims.⁹⁹ But documenting accusations also comes with costs and risks. Hacking victims – both states and firms – are often reluctant to reveal the extent of intrusion, exfiltration or damage. Neither states nor firms want to appear weak or vulnerable. Firms often fear drops in share price or loss of customer confidence.

The means and methods by which accusers investigate a cyber incident may also be proprietary to companies or classified for states. Documenting the accusation thus risks giving the accused or third parties information that can be used to degrade future investigative efforts. They may even create new opportunities for offensive cyber operations. Although they were not disclosed in an accusation, the theft and leak of certain US National Security Agency (NSA) surveillance tools demonstrates just how much harm can follow the disclosure of means and methods: the NSA’s tools provided the foundation for both the WannaCry and NotPetya ransomware attacks.¹⁰⁰

Consequently, cyber accusations vary in terms of the exposure of underlying documentation. When the United States originally pointed the finger at North Korea for the Sony Pictures hack, it did not document what support it had for the accusation.¹⁰¹ This led to some disagreement about the accuracy of US charges.¹⁰² In contrast, the United States accusation of Russia hacking the DNC included details that allowed the accused and third parties to evaluate the claim.¹⁰³ Reputation and credibility matter greatly in the latitude an accuser has in disclosing supporting details when making accusations. If the accuser has a record of veracity and has technical capacity for sophisticated forensics and good intelligence, accusations with less detail may still be widely credible. As accusations of cyber operations become more common, we expect demands for documentation to rise, along with efforts to normalize how much substantiation should accompany an accusation.¹⁰⁴

C Condemnation

Condemnation refers to an expression of disapproval.¹⁰⁵ This term remedies two problems with the extant concept of ‘shaming’. It removes ambiguity. ‘Shaming’ might refer either to actions of an accuser or to the emotional state of the accused; condemnation is unambiguously an action of accusers and is separate from the accused’s feelings. Second, and related, it avoids anthropomorphizing states.

Implicitly or explicitly, condemnations usually have a reference point – a normative standard from which the accused’s behaviour supposedly diverged. Condemnations can vary in the specificity with which they reference the normative standard. In some cases, the standard may be left unstated, and the accused’s behaviour is simply labelled as ‘bad’. At other times, the normative standard may be referenced explicitly.¹⁰⁶ In cyberspace, accusations to date have condemned the accused’s behaviour in general terms (e.g. as ‘malicious’).¹⁰⁷ In a few cases, such as the Sony Hack and WannaCry, the condemnation suggested that the accused had violated ‘international norms’, albeit without identifying which norms specifically.¹⁰⁸ President Obama referred to the Sony Pictures hack as an act of ‘cyber vandalism’, but that was a novel phrase without any clear international normative antecedents. ¹⁰⁹

Such unspecific condemnation is not due to an absence of normative candidates. In 2015, a UN GGE reached consensus on a list of ‘voluntary’ norms of responsible state behaviour in peacetime.¹¹⁰ Moreover, as the two Tallinn Manuals demonstrate, international law may offer a range of rules to both constrain and facilitate state cyber operations.¹¹¹ Both sources thus purport to offer normative guidance for states’ cyber activity outside of armed conflicts and short of the use of force. Yet, states have not used the GGE’s language (e.g. its prohibition on targeting critical infrastructure in peacetime) to condemn other states’ cyber operations, even though Russia purportedly targeted Ukrainian power grids.¹¹² Moreover, as Efrony and Shany’s survey reveals, states have, to date, usually refrained from condemning cyber operations with reference to the Tallinn Manuals or the international law they purport to codify.¹¹³ In one of the only accusations referencing international law to date, the United Kingdom accused the GRU of a ‘flagrant violation’ of international law in a series of cyber operations – including those targeting the Ukraine transport system, OPCW, WADA, the US DNC and various businesses and users – albeit without explaining which laws were violated or which operations did so.¹¹⁴

D Constructing Accusations

Accusers face a number of trade-offs and strategic choices when constructing their accusations. Depending upon their goals and the function(s) they want the accusation to serve, accusers might combine some or all features – attribution, exposure and condemnation – and do so in different ways. In what follows, we examine some of these choices, trade-offs and possibilities for accusation construction by states.¹¹⁵

1 Attribution

Not all features are required in every type of accusation. Attribution, for example, may not be necessary if the accusation aims primarily at shoring up defences. Simply sharing the vulnerability and technical indicators of the malware may be enough to both prompt and enable defensive measures by diverse parties. The original accusations surrounding the TRITON/Trisis malware did not identify its authors, but cybersecurity firms nonetheless alerted relevant communities to defend against the threat posed.¹¹⁶ Similarly, attribution will not always be relevant for accusations designed to constitute new norms. An accuser may identify unwanted behaviour without identifying its perpetrator, and then call on other members of the relevant community to join in condemning such behaviour, thus contributing to the development of a norm that prohibits it.

Some attribution appears necessary, however, for accusations seeking enforcement or deterrence. Enforcement requires identifying which actor(s) must change their behaviour or suffer punishment.¹¹⁷ Similarly, an accusation’s deterrent value lies in showing third parties that they, too, could be identified, accused and punished if they engage in the cited behaviour.

For accusations that require attribution, accusers must weigh how much specificity and certainty to convey. Enforcement actions premised on punishing a state’s agents will require as much detail as the accuser can muster – indictments, after all, must not only name the person accused, they must also detail the factual bases for the criminal charges against that person. In contrast, accusations targeting the state itself may successfully change behaviour even with imprecise charges and incomplete evidence. Indeed, strategic ambiguity in the framing of accusations may be diplomatically useful and create face-saving opportunities for enforcement. States sensitive to stigma may respond better to more obliquely framed accusations that refrain from implicating the government directly but simply state that the cyber incident emanated from their territory. This gives the accused government opportunities and incentives to respond positively (e.g. through domestic prosecutions or cessation of the operation) without conceding complicity in the first place. This was then-Secretary of State Hillary Clinton’s approach with respect to ‘Operation Aurora’, where Google’s source code was lost as a result of intrusions from China.¹¹⁸ China followed a similar path in response to media reports linking it to the hacking of the US OPM – i.e. rather than admitting its responsibility, China identified and arrested several Chinese citizens, claiming they were the real culprits (charges many US officials regarded as suspect).¹¹⁹

2 Exposure

Exposure and publicity also may not be necessary components of effective accusations. Private accusations may work well (or better) than their public counterparts. Enforcement may be pursued publicly or privately; a state taking counter-measures may be obligated to communicate its intentions to the accused, but it has no obligation to communicate them more broadly.¹²⁰

Exposure is essential, however, in accusations designed to shore up defences, to deter or to constitute new norms. If third parties do not know about a cyber operation, they cannot defend against it, and nor are they likely to be deterred from engaging in similar behaviour. Similarly, the construction of norms involves public communications directed at (or among) the community of actors to which the norm should apply. When it comes to customary international law, for example, there must be some observable ‘practice’ that states can join or resist and to which the requisite opinio juris attaches.

3 Condemnation

Condemnation plays a key role in accusations pursuing deterrence, clarifying which behaviour is to be avoided. Condemnations may have less purchase in accusations that emphasize defence. Reports like Mandiant’s on the APT1 attack show that it may be enough to expose and attribute ‘malicious’ acts; little by way of explicit condemnation was needed.¹²¹

The relationship between condemnation and enforcement is more complicated. Strong condemnation may, indeed, cause the accused to change its behaviour, as the ‘naming and shaming’ logic suggests. But condemnation – particularly public condemnation – also risks stigmatization that may lead an accused to ‘dig in’, retrench and repeat the condemned behaviour.¹²² Those involved in truth and reconciliation commissions are often at some pains to avoid alienating key parties negotiating a future peace for exactly this reason.¹²³ Similarly, when regulatory authorities try to move companies towards better behaviours, they must balance condemnation via fines or public sanctions (which may be a useful deterrent) with potential stigmatization that could spawn evasive behaviour, make crime worse and create adversarial relationships between regulator and companies that are counterproductive.

Where accusers fear a backlash, they may substitute technical assistance for condemnation in a process known as ‘reintegrative shaming’.¹²⁴ The logic here is to couple stigmatization with opportunities and help in adopting more prosocial behaviours. Social science research suggests this approach can produce better results, especially in situations where there is ambiguity about the relevant rules of behaviour and culpability may not be felt.¹²⁵ In cyber contexts, this approach might be useful where otherwise lawful perpetrators failed to act or acted negligently (e.g. by failing to be diligent in ensuring an otherwise lawful cyber operation stayed within its expected parameters). Reintegrative shaming might also work where a state fails to operate with due diligence after it learns other actors have used its territory to launch a cyber operation. However, it is less likely to be useful for purposefully malicious actors. We also suspect it may have little effect when the accused operates outside – or at some distance from – the relevant community. Reintegrative shaming thus seems unlikely when dealing with rogue states like North Korea.

When it comes to constituting new norms, condemnation plays an obvious role. Condemnation articulates publicly what ‘bad’ (or unlawful) behaviour looks like and, perhaps implicitly, what ‘good’ (or lawful) behaviour might be. These articulations, often done through accusations, can then form the basis for a new norm or legal rule.

Perhaps counterintuitively, norm construction may sometimes occur without condemnation. Consider Stuxnet. On 1 June 2012, New York Times reporter David Sanger published a story that assigned responsibility for the virus (which destroyed up to 1,000 centrifuges in Iran’s nuclear programme) to the United States and Israel.¹²⁶ Far from condemning the US and Israeli actions, Sanger presented the operation positively, as giving the accused states a new, non-lethal mechanism to oppose nuclear proliferation. Thus, one could interpret Stuxnet’s exposure as an effort – in this case by media actors – to establish, not the maliciousness, but the propriety of using cyber capacities to thwart proliferation instead of more traditional kinetic means (with their attendant death and destruction).¹²⁷ The international community has not, however, embraced that idea. When and where such operations are appropriate remains unclear and contested. Subsequent reverse-engineering of Stuxnet into the Shamoon and BlackEnergy malware also suggests that the benefits of such cyber tools must be weighed against some significant costs.¹²⁸

The fact that Stuxnet was celebrated in some circles and condemned in others reveals that accusations may work differently with different audiences. A condemnation may resonate with one audience but not another. The OPM hack was condemned within a US domestic law framework as a breach of national security, but the US Director of National Intelligence, James Clapper, indicated that such behaviour was acceptable among states: ‘“You have to kind of salute the Chinese for what they did,” adding the US would have done the same thing if it could.’¹²⁹ The efficacy of an accusation thus depends on more than just alignment of its specific contents – attribution, exposure and condemnation – with its intended purpose(s). Context and audience will always affect an accusation’s effects.

5 Under What Conditions Do Accusations Work?

Accusations will not work at all times or in all conditions. Context matters in many ways. Two contextual features of particular consequence are: the normative environment in which the accusation is made, and the relationships among accused, accuser and third parties.

A Normative Environment: Is There a Norm?

As an enforcement tool, accusations require a norm or some standard of propriety against which the accused’s behaviour, and deviation from the norm, can be measured. The existing naming and shaming literature has not emphasized this condition, perhaps because some core shared norms are relatively clear in the areas featured in that literature (e.g. human rights, the environment). States – including accused violators – do not contest norms prohibiting torture, genocide or significant transboundary pollution.¹³⁰ Instead, accused states deny what the accused says happened or offer a different interpretation or application of the norm from that proffered by the accuser.¹³¹ By contrast, the norms (and international law) governing online behaviour are not always clear and well-entrenched. Ongoing contestation about their existence and meaning make their enforcement via accusations tricky.

Consider, for example, recent debates about whether sovereignty is violated when cyber operations by one state create unwanted effects in another state’s territory. Tallinn Manual 2.0 says it is, as do the Dutch and French governments.¹³² This view has been contested, however, by those who question whether sovereignty is a rule governing state behaviour or a background principle that informs the content of other rules (such as the duty of non-intervention).¹³³ The UK Attorney General, for example, has firmly placed the United Kingdom in the sovereignty-as-background-principle camp.¹³⁴ Accusations that one state has violated another’s sovereignty can thus get bogged down in an existential debate about sovereignty’s legal status, diverting attention from the more focused question about what cyber operations are permissible.¹³⁵ Of course, it is exactly these sorts of existential debates that may iterate over time to constitute a new norm (or block a permissive rule from forming). As such, the existence of a norm is less of a pre-condition for the constitutive function of an accusation than it is for an accusation’s enforcement efforts.

B Relationships

An accusation is a social practice whose meaning and effects are shaped by relationships among the accuser, the accused and the third-party audiences or communities in which those actors are embedded.

The relationship between accuser and accused will often influence the efficacy of an accusation. The more an accused values its relationship (whether political, economic or social) with the accuser, the greater the likelihood the accusation may prove effective. We would expect, for example, that accusations that the United Kingdom inappropriately targeted a European ally’s critical infrastructure (e.g. a telecommunications carrier like Belgium’s Belgacom) are more likely to lead to the cessation of that cyber operation than accusations that the United Kingdom targeted a similarly situated Russian company.¹³⁶

Relationships between the accused and the larger community may also affect an accusation’s result. Accusations seeking behavioural changes assume that perpetrators have pro-social reputations they want to protect and/or a moral compass of some kind.¹³⁷ This may not always be a good assumption. In cyberspace, for example, some actors (e.g. hacktivists with only loose ties to a state) may actually value a reputation for destructive cyber operations.¹³⁸ Indeed, they may seek to profit from it on the Dark Web or in other nefarious corners of the Internet. Rogue states, like North Korea, also may not care much about community opinion.

But in many instances, pro-social reputation matters to accused parties because they care about these relationships. Existing research has explored the likelihood that social ties may generate norm compliance. Goodman and Jinks find that the likelihood of a positive response to an accusation about a state depends on the strength, immediacy and size of the group with which the accused shares an identity.¹³⁹ Interestingly, the social science research on which they rely suggests that the most effective groups have three to eight members, with the efficacy of compliance for larger groups dropping off rapidly.¹⁴⁰ At first glance, that fact does not bode well for international law and the nearly 200 nation states subject to it.¹⁴¹ On the other hand, market concentration among big tech companies and high network concentration in a few states mean cultivating normative agreement among a relatively small number of actors can address many behaviour coordination challenges in cyberspace. Thus, accusations aimed at norm construction for a smaller audience of like-minded states may be a valuable first step in constructing broader norms.

An accuser’s own reputation and relationships will also shape the efficacy of accusations generally, and norm construction specifically. Accusers often aim to change, not just the accused’s behaviour, but all similar behaviour: they may want to create a new norm around the undesired behaviour (or to apply an existing norm in some new way). And it is the community – not the accused – that will decide whether such norm development bears fruit. The community’s view of the accuser may therefore matter more to a proposed norm or law’s reception than the community’s view of the accused. States are more likely to accommodate well-documented normative claims on the (im)propriety or (un)lawfulness of WannaCry coming from high-status states like the United Kingdom (the accuser) rather than reactions from North Korea (the accused).¹⁴²

For international law purposes, the importance of the accuser’s identity is reinforced by the idea of a ‘specially-affected state’ – i.e. one ‘who either engages in a practice that some states do not or is distinctively affected by a practice – directly or indirectly – in a manner that distinguishes it from other states’.¹⁴³ Where states are specially affected – either because they possess cyber operation capabilities that others do not, or because they have been the victim of cyber operations – international law may actually require the community of states to pay particular attention to their views on the state of customary international law. There are even recent suggestions that international law requires a majority of specially-affected states to support the formation of any new customary rule.¹⁴⁴

Powerful accusations may also be deployed by both less powerful states – like Estonia – and non-governmental organizations who lack state authority and must rely on their reputation and credibility within the community. In these cases, the accuser’s reputation matters more than material power. Is the accuser a trusted actor? Have its previous accusations been corroborated and accepted? Or, is the accuser perceived to have a self-interested agenda or motives that do not benefit the community as a whole?

Taken together, certain external conditions may be more or less relevant to the capacity of an accusation to achieve its desired function(s). Those functions may also be more or less achievable depending on the contents of the accusation itself; different elements of an accusation may be mandatory (or not) for different functions. Table 1 offers a tentative menu for how these considerations may align in constructing accusations for global cybersecurity.

6 Implications for International Law: Obstacles and Opportunities

A The Absence of International Law in Existing Accusations?

How do accusations interact with international law? Most obviously, they could be a source for its enforcement. If conditions are favourable, accused parties may become more compliant in response to the accuser’s condemnation of an internationally wrongful act (or a failure to act). As noted, however, cyber accusations have been slow to take advantage of this possibility.¹⁴⁵ What explains this reluctance to invoke international law?

One reason may be contested views on legality and propriety. At least some of the accusations to date involve behaviour currently regarded as legally acceptable. The OPM hack, for example, may have severely undermined US national security at a scale not seen previously. Yet, from the perspective of international law, this was an act of espionage, which international law either fails to regulate or affirmatively permits.¹⁴⁶ As such, it is not surprising to see accusations against China avoid condemnation for the OPM hack in international legal terms.

Similar contestation may explain the reluctance to invoke other international legal rules that have divided states at the GGE and elsewhere.¹⁴⁷ The 2017 UN Group of Governmental Experts failed to achieve consensus reportedly because states were divided over whether certain international law rules that apply elsewhere (e.g. self-defence, international humanitarian law, sovereignty and due diligence) also apply in cyberspace.¹⁴⁸ In other cases (e.g. the duty of non-intervention) there may be agreement on the rule’s existence but different interpretations of its meaning (i.e. in what cyber-areas is intervention prohibited? What constitutes the requisite ‘coercion’ to violate the duty in a cyber operation?). Such disparate interpretations make it difficult to expect enforcement to flow from an accusation of the rule’s violation.¹⁴⁹ Consequently, some states may avoid accusing another state of acts they, themselves, believe violate a rule of international law (e.g. sovereignty) because they are unsure if the community as a whole would agree.

Another reason states may decline to invoke international legal rules is that they do not want the accusation to have constitutive effects. Some states may value the lack of clear rules. Ambiguous rules – or no rules – may provide more flexibility to engage in cyber operations that states value. Reciprocity concerns may operate along similar lines. Iran, for example, never challenged the US and Israeli role in Stuxnet as a use of force or even an armed attack (triggering a right of self-defence), preferring instead to deploy its own cyber operations against US financial targets without any legal rhetoric or justification at all.¹⁵⁰

Even if an accuser perceives consensus around the existence of an international legal norm, documentation issues may serve as a barrier to referencing it. International legal accusations pose particular evidentiary challenges. Accusers must tie the accused state to the actual hackers, demonstrating that those hackers were government officials, affiliated with a non-state actor operating under the state’s control or affiliated with a non-state actor’s operations that were later adopted by the state.¹⁵¹ International legal claims also require a particular standard of proof, and the accuser may not have sufficient evidence to meet that standard (or may resist burning the sources and methods to produce such evidence). Fear of reckless or spurious accusations is widespread and, indeed, among the norms agreed to by the 2015 UN GGE was: ‘the accusations of organizing and implementing wrongful acts brought against States should be substantiated’.¹⁵²

Other challenges in using international law may have little to do with norm constitution or enforcement. Jack Goldsmith and Stuart Russell emphasize that ‘[u]nless a nation is able to effectively redress a cyber intrusion, it can be harmful or self-defeating to publicize it, since public knowledge of loss and the failure to respond effectively invite more attacks’.¹⁵³ This may be true for all accusations, but it certainly resonates with respect to international law accusations specifically. States may be reluctant to make international legal claims where they lack available and effective enforcement remedies to bring the accused into compliance with their view of the law. And to the extent the accused are rogue actors, states may not find much added utility in invoking an international legal regime that the accused has demonstrated a willingness to flout in other contexts.

B Deploying Accusations Strategically to Advance International Law

A more nuanced understanding of how accusations work could help states better construct them for desired ends, including improved enforcement of international law and constituting the contents of the law itself. To date, cyber accusations have emphasized the former, with little to no attention to the latter possibility. However, careful crafting of accusations, with attention to their structure and function, could enhance their effectiveness for either end.

Levels of exposure (or publicity) can be strategically varied and ratcheted up to achieve desired goals. Very specific accusations made in private may open different diplomatic options for enforcement than public broadcast of that same information. Blanket proscriptions (calling on the accused to stop doing something) and wholesale stigmatization can be nuanced in useful ways. An alternative approach might be accusations critiquing states for a failure to act to control behaviour within their territory. This leaves the accused room to both save face and moderate behaviour. Accused states may respond to such accusations claiming these operations are perpetrated by actors beyond government control. Accusations aimed at a supposed lack of territorial control might induce the accused state to exercise more control over sub-state actors’ unwanted behaviour.¹⁵⁴

In addition, states and other stakeholders might consider the value of generating lists or rankings of states with good and poor records of international law compliance in cyberspace in much the same way as the United States has done with its annual Human Rights Report or as the World Bank does with its ‘ease of doing business’ rankings.¹⁵⁵ Tying poor performance in such listings to resources and assistance for capacity building (which helps the accused address the problem and reduce unwanted cyber behaviour emanating from its territory) might add a ‘carrot’ to the ‘stick’ of a poor ranking.

Our vision of accusations suggests, however, that states and stakeholders should not limit their expectations to international law enforcement. Properly constructed, accusations may create opportunities to clarify the international law that currently governs state cyber operations and/or to constitute new rules that do so. Simple steps could improve the credibility of existing accusations – and the legal norms they promote – within the relevant communities of states or other stakeholders. Agreeing to more standardized attribution methodologies, for example, would make it easier for audiences to weigh an accusation’s credibility. Standardizing condemnations, in turn, would help build the case for a ‘uniform’ practice – one of the elements in identifying new rules of customary international law.

States could also make more accusations collectively. In September 2019, 27 states issued a ‘Joint Statement’ that contemplated a set of unspecified collective actions to advance responsible state behaviour in cyberspace.¹⁵⁶ One action these states might consider would be collective accusations. Some precedents already exist for this.¹⁵⁷ Accusations involving WannaCry, NotPetya, the OPCW hack and Georgia suggest that increasing the number of accusers might raise the credibility of the claims made.¹⁵⁸ Custom requires not only a uniform practice, but a general one practised by most (but not necessarily all) nation states. More accusers expressing disapproval of certain cyber operations makes it easier to argue that those expressions of disapproval comprise a sufficiently general practice that could be accepted as opinio juris.

Alternatively, states might advance the power of accusations by creating an impartial institution to do attribution or advocate for international law.¹⁵⁹ A neutral or independent third party could collect attribution data from state and non-state actors who might be reluctant to share it publicly (or even with each other privately).¹⁶⁰ Doing so might dispel some fog surrounding accusations and counteraccusations. It might shift arguments from ‘what happened?’ to ‘is what happened permissible and legal?’. An attribution organization might thus supplement and even strengthen currently disaggregated accusation and attribution efforts.¹⁶¹ Similarly, an attribution organization could build and concentrate technical expertise. This would particularly benefit states that lack the capacity to adequately attribute, and thus broaden participation in the creation of new cyber norms. If neutral actors issue specific and credible reports of unwanted behaviour, they may lead states (either globally or in more like-minded groups) to coalesce around new international legal rules proscribing such behaviour.

Finally, policymakers might consider whether and how additional legal instruments could be helpful in making these accusations. If they want to clarify what the rules and norms are for cyber operations, there are clear steps they can take to do this, beyond simply waiting for practice and opinio juris to emerge organically over time. Having some agreed upon treaty framework for international law’s application in cyberspace (whether bilateral, regional or global) would open up a range of new possibilities for using accusations about those treaty commitments to further construct rules of the road in cyberspace.

7 Conclusions

Generating compliance with international norms and legal rules is an ongoing struggle in world politics. States have a variety of tools for this purpose ranging from discrete – often private – criticism to public, even forceful, coercion. In this paper, we have investigated one such tool – the accusation – and the many ways it might be used to steer states towards more pro-social and norm-compliant behaviour in cyberspace.

For international relations (IR) scholars, our investigation builds on the well-understood dynamics of ‘naming and shaming’ but opens up that concept to reveal a much richer array of political possibilities. One such possibility is that naming and shaming do not always go together. IR literatures tend to assume they do – that once a state is ‘named’ in an accusation, shame and shaming behaviour will follow. Our paper starts from the puzzle that, in cybersecurity, this link between naming and shaming is weak and, of particular interest for readers of this journal, that international law is largely absent from naming, shaming and accusations in cybersecurity. Unpacking the structure of accusations helps us understand why this is so. Accusations are flexible tools. They can be constructed in diverse ways to accomplish diverse goals. They can also have effects beyond those expected.

Of particular interest to IR constructivists will be the role accusations can play in the constitution of new social norms, rules and law. This is a classic case of social construction in action. Accusers have to decide which accusations to make and how to frame (and justify) those charges. Accused parties, and third parties, have to decide how to respond – whether to accept or deny the accusation and, importantly, they must articulate their reasons for doing so. These repeated social interactions will, over time, determine the social contours of the cybersecurity issue space – what its rules are, who has authority there and how those rules and authorities came to be so.

For international lawyers, these political possibilities can play a critical role in identifying the existing legal rules and building new ones, even when states avoid the rhetoric of international law. Accusations – and the responses they generate – could advance international law enforcement. But the failure of accusations to enforce international law does not make law irrelevant. The interchanges following an accusation help reveal what behaviour is – and is not – accepted by the international community of states. The resulting delineation of wrongful behaviour in cyberspace can constitute the practice from which opinio juris may emerge over time.

For policymakers, our investigation offers a menu and a toolkit for thinking about whether and how accusations can be used to further their cybersecurity goals. When framing an accusation, accusers have choices. Do they want to name a perpetrator, or just announce that a cyber operation has happened and alert others to the threat? If they want to name perpetrators, do they want to name a government or specific individuals, or simply say the operation emanated from a named territory? How much evidence do they want or need to divulge to elicit the desired reaction either from the accused or from third parties? Do they want to make their accusation public immediately, or can they begin with a private conversation with the accused, and then escalate the accusation to a larger audience as needed? Different answers to each of these questions will lead to a different framing of an accusation, and different political consequences down the road.

States and other stakeholders thus have strategic choices to make as they survey global cybersecurity today. As visibility improves on who is doing what, there will be more opportunities to use accusations to set the rules of the road. In doing so, accusations may help, if not enforce, at least construct relevant constraints (and permissions) derived from international law.

Email: [email protected]. Professor Finnemore would like to thank Amoz Hor for his excellent research assistance and comments in the preparation of this paper

In addition to his academic duties, Professor Hollis regularly consults with the Microsoft Corporation on its push to establish new rules and institutions for cyberspace. Professor Hollis would like to thank Corinne Zucker for her excellent research assistance. This article was prepared as part of a project on Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations, carried out by the Center for International Law and Governance at The Fletcher School of Law and Diplomacy, with financial support of the Microsoft Corporation and the Hitachi Center for Technology and International Affairs. All errors or omissions remain the authors’ own

Footnotes