International Responsibility of States for Cyberattacks against Countries’ Critical Infrastructure

Abstract

Cyberattacks against countries’ critical infrastructure have become one of the most significant challenges of international law over the past two decades. Using a descriptive-analytical method, this article examines the international responsibility of states for such attacks. The research findings indicate that, despite the consolidation of the general principles of responsibility in classical law, establishing responsibility in cyberspace faces two fundamental obstacles: first, the difficulty of proving the attribution of attacks to states due to the intangible and transboundary nature of cyberspace, the possibility of identity falsification, and the use of non-state actors by states; and second, the absence of clear and uniform standards regarding the level of evidence required to prove cyberattacks. State practice in the cases of Stuxnet and attacks on Ukraine’s infrastructure shows that states often refrain from accepting responsibility and resort to a strategy of denial. If responsibility is established, its legal consequences include cessation of the wrongful act, reparation for damage, and countermeasures, each of which faces practical implementation challenges. Finally, the article presents proposals for drafting a comprehensive international treaty, establishing an independent body for investigating cyberattacks, and developing evidentiary standards.