STATE RESPONSIBILITY IN DIGITAL SPACE

byJovanKurbalija1

Thistextisanadaptationofthesame-titledarticlethatappearedintheSwissReviewofInternational&EuropeanLaw,2016,issue2

AbstractState responsibility is one of themechanisms for legal redress in international affairs. Yet theformulation of state responsibility in the digital realm is still in a very early stage. This articleaddressesboth a lex lata analysis basedonexisting lawof state responsibility, and lex ferendasolutions thatmaybedeveloped in order to address specificities of the Internet, such as stateresponsibility for the digital activities of non-state actors under their jurisdiction. The practicalapplicability of the laws describing state responsibility is analysed for the case study of animaginary cyberattack by country A (DigiLand) on the electrical grid system of country B(CyberStan),whichcausedablackoutandmajordamageinCyberStan.Thesearchforapossiblesolution in the digital field involves the potential application of law and the practice of stateresponsibility developed previously in environmental law and other specialised fields ofinternational law. In addition, the analysis addresses the interplay between states’ carefulapproach to international responsibilities, and the practical need to provide legal solutions forcasesinthedigitalfield.Content

I. MainconceptsandterminologyonstateresponsibilityA. ApplicabilityofinternationallawtothedigitalsphereB. LegalsourcesofstateresponsibilityC. Innovativesolutionsfromenvironmentallawandotherspecialisedfieldsof

internationallaw

II. ApplicationofstateresponsibilitytotheInternetA. TypesofstateresponsibilityB. ElementsofstateresponsibilityC. Damageandreparation

III. Conclusion 1DrJovanKurbalijaisthefoundingdirectorofDiploFoundationandHeadoftheGenevaInternetPlatform.Heisaformerdiplomatwithaprofessionalandacademicbackgroundininternationallaw,diplomacyandinformationtechnology.

2 ThegrowingrelevanceoftheInternetformodernsocietyincreasestheneedforlegalredressindigital space. The legal interests of individuals, entities and countries are threatened bycyberattacksoncritical infrastructure, cybercrime,data theft, anddefamation - tonamea few.Due to the trans-border nature of Internet communication, legal redress often requires actionbeyondnationalborders. Inthesearchforjusticeandlegalsolutions,awiderangeofmechanismshasstartedtoappear.InEurope,recourseondigitalcasesisoftensoughtwiththeCourtofJusticeoftheEuropeanUnion,as was the case with the right to be forgotten and the Safe Harbour framework.2Internetcompaniestakeonaquasi-juridicalrolebyrulingoncasesraisedbytheirusers.Forexample, intheimplementationoftheCourtofJusticeofEuropeanUnionrulingontherighttobeforgotten,Googlehadtoevaluate1,486,964requestsfortheremovalofInternetaddressesintheperiodof29May2014– 10May2016.3Legal cases related to Internetdomains arehandled throughaninnovativetypeofarbitration,intheformoftheUniformDisputeResolutionProcedure(UDRP).4 Statesarelookingforaneffectivelegalresponsetochallengesposedbydigitaldevelopments.TheInternetinfluenceshowstatesdelivertheircorefunctionsofensuringpeaceandstability,aswellas economic and socialwellbeing, andprotectinghuman rights. States’ responsibilities towardscitizensand their international responsibilities towardsother statesare increasinglyaffectedbytheInternet. Thus,itisnotsurprisingthatthewords‘responsible’and‘responsibility’areamongthemostusedterms - 13 times – in the 2015 report on global cybersecurity of the United Nations Group ofGovernment Experts.5A policy principle of reasonable behaviour of states in digital space hasbeenfrequentlymentionedininternationalinstruments.6 This articlediscusseshow the lawof state responsibility canensure the implementationof thepolicyprincipleoftheresponsibilityofstatesindigitalspace.Thearticleaddressesbothalexlataanalysis based on existing law of state responsibility, as outlined in the International LawCommission Draft Articles on Responsibility of States for Internationally Wrongful Acts(hereinafterreferredtoastheDraftArticles),andlexferendasolutionsthatmaybedevelopedinorder to address specificities of the Internet, such as state responsibility for digital activities ofnon-stateactorsundertheirjurisdiction.

2 SeeGoogleSpainSLandGoogleInc.v.AgenciaEspañoladeProteccióndeDatos(AEPD)andMarioCosteja

González(C-131/12,decided13May2014;ECLI:EU:C:2014:317)concerningtherighttobeforgotten;MaximillianSchremsv.DataProtectionCommissioner(C-362/14,decided6October2015;ECLI:EU:C:2015:650)concerningtheinvalidationoftheSafeHarbourframework.

3Google,«Europeanprivacyrequestsforsearchremovals,»GoogleTransparencyReport,10May2016,<https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en>(allinternetsourceswerelastaccessedinMay2016).

4ForacomprehensivesurveyofInternetgovernance,jurisdictionandlegaldevelopments,consultJovanKurbalija,AnintroductiontoInternetGovernance,6thed.Geneva,2014.

5 UnitedNations,GeneralAssembly,Developmentsinthefieldofinformationandtelecommunicationsinthecontextofinternationalsecurity:ReportoftheSecretary-GeneralA/70/172(22July2015).

6CouncilofEurope’s2011resolutionstressedvariousaspectsofstateresponsibilityindigitalspace,including«…theirsharedandmutualresponsibilitiestotakereasonablemeasurestoprotectandpromotetheuniversality,integrityandopennessoftheInternet…»CouncilofEuropeRecommendationCM/REC(2011)8,RecommendationoftheCommitteeofMinisterstomemberstatesontheprotectionoftheuniversality,integrity,andopennessoftheInternet(21September2011).

3 ThefirstsectiondiscussestheimpactoftheInternetoninternationallawandthemainconceptsandterminologyrelatedtostateresponsibilityinthedigitalfield.Thissectionalsoexamineshowthedigitalfieldcouldbenefitfromthedevelopmentoflawandpracticeofstateresponsibilityinenvironmentalandotherspecialisedfields. The second section examines the applicability of state responsibility rules to the Internet in animaginary cyberattack by country A (DigiLand) on the electric grid system of country B(CyberStan),whichcausedablackoutandmajordamageinCyberStan.I. Main concepts and terminology on state responsibility Beforeaddressing theapplicationof state responsibility to thedigital sphere, it is important tosituate thisanalysiswithin thebroaderdiscussiononbothstateresponsibilityandthe interplaybetweentheInternetandinternationallaw.A.Applicabilityofinternationallawtodigitalsphere

Thecoresocial functionsof the lawremainasrelevant inthe Interneteraas itwasathousandyearsago,whenourfarpredecessorsstartedusingrulesinordertoorganisehumansociety.Lawisaboutregulatingrightsandresponsibilitiesamongindividualsandtheentitiestheyform,beitcompanies,organisationsorstates.Throughoutthelongevolutionofhumansociety,technologyhasalsobeenevolving,yetthebasisofthelawremainsthesame.In the Internet era, the intense trans-border digital interaction poses the main challenge inapplying existing legal rules. There is a consensus that existing international law applies to theInternet.7Thisprincipleisstipulatedbythe2013ReportoftheUNGovernmentGroupofExperts(GGE)8andwasreiteratedsubsequentlyinotherpolicydecisions.Inthefieldofhumanrights,theresolutionsoftheUNGeneralAssemblyandUNHumanRightsCouncilhavefirmlyestablishedtheprinciplethatthesamehumanrightsthatpeopleenjoyofflinemustalsobeprotectedonline.9

7ThemostprominentviewofuniquenessoftheInternetisformulatedbyJohnPerryBarlow’sDeclarationoftheIndependenceofCyberspace(1996):«[theInternet]isinherentlyextra-national,inherentlyanti-sovereignandyour[states’]sovereigntycannotapplytous.We’vegottofigurethingsoutourselves».OneofthefirstarticlesthatquestionedthisapproachwaswrittenbyJudgeFrankEasterbook,whoarguedinthearticle«CyberspaceandtheLawoftheHorse»(1996)thatalthoughhorseswereveryimportant,therewasneveraLawoftheHorse.SeeJohnPerryBarlow,«ADeclarationoftheIndependenceofCyberspace»,ElectronicFrontierFoundation,8February1996,<https://www.eff.org/cyberspace-independence>;andFrankEasterbrook«CyberspaceandtheLawoftheHorse»,UniversityofChicagoLegalForum(1996),207–216.

8UnitedNations,GeneralAssembly,ReportoftheGroupofGovernmentalExpertsonDevelopmentsintheFieldofInformationandTelecommunicationsintheContextofInternationalSecurity,A/68/98(24June2013,reissuedfortechnicalreasonson30July2013).

9TheprinciplethatexistinglawappliestotheInternetissupportedby,amongothers,thefollowingpolicydocuments: • GeneralAssemblyresolution70/125,Outcomedocumentofthehigh-levelmeetingoftheGeneralAssembly

ontheoverallreviewoftheimplementationoftheoutcomesoftheWorldSummitontheInformationSociety,A/70/125(13December2015).

• GeneralAssemblyresolution69/166,Therighttoprivacyinthedigitalage,A/RES/69/166(18December

4 WhiletheanswertothequestionifinternationallawisapplicabletotheInternetispositive,themainremainingquestionishowtoimplementexistingrules.Forexample,animportantchallengeis to ensure legal redress in cases related to the Internet that contain international elements.Individualsandcompaniescanrelyoninternationalprivatelaw,whilenationalgovernmentscanuse international public law mechanisms. Both approaches have a long tradition, and wereoriginallydevelopedinaneraoflessintensiveexchangesacrossnationalborders.Theyneedtobeexaminedand,whenneeded,furtherdevelopedinordertoprovideaffordableaccesstojusticeinInternetmatterstoindividualsandinstitutionsworldwide.B.Legalsourcesofstateresponsibility

ThemainsourceonstateresponsibilityistheInternationalLawCommission’sDraftArticles,whichisconsideredtobethecodificationof internationalcustomary lawonstateresponsibility.10TheDraftArticleswereadopted in2011byUNGeneralAssemblyResolution56/8311,52yearsafterstateresponsibilitywasselectedbytheUNasoneofthefourteentopicsforcodificationin1949.12Thelongdraftingprocessconfirmsthatstateresponsibilityhasbeenoneofthe«mostambitiousandmostdifficulttopicsofthecodificationworkoftheInternationalLawCommission».13Oneofthereasons for thiscomplexityresultedfromstates’ reluctancetostrengthentherulesofstateresponsibility,astheycouldaffectstates’sovereignty.14Conceptually speaking, the Draft Articles create a two-level structure of state responsibility.Primary rules specify stateobligations (e.g.not tocauseharmtoother states).Secondary rulesidentify«whetherthatobligationhasbeenviolatedandwhatshouldbetheconsequencesoftheviolation.»15Thelawofstateresponsibilitydealswiththesecondaryrules.The 2015 UN GGE Report’s approach to state responsibility closely reflects theDraft Articles.Namely, paragraph 28 of the UN GGE Report requires a breach of law (an ‘internationallywrongfulact’)aspre-conditionforstateresponsibility.ThisparagraphstrengthenstherestrictiveuseofthelawofstateresponsibilityintheInternetfieldbystressingthat«theindicationthatanICTactivitywaslaunchedorotherwiseoriginatesfromtheterritoryortheICTinfrastructureofaStatemaybeinsufficientinitselftoattributetheactivitytothatState.»TheTallinnManualontheInternational Law Applicable to CyberWarfare (‘TallinnManual’), which deals with the law of

2014).

• UnitedNations,GeneralAssembly,Thepromotion,protectionandenjoymentofhumanrightsontheInternet,A/HRC/20/L.13.

10 GeneralAssemblyresolution56/83,ResponsibilityofStatesforInternationallyWrongfulActs,A/RES/56/83(28January2002).

11 GeneralAssemblyresolution56/83,ResponsibilityofStatesforInternationallyWrongfulActs,A/RES/56/83(28January2002).TheInternationalLawCommission(ILC)articlesareannexedtotheresolution.

12 Althoughlawofstateresponsibilitywaslistedin1948,aneffectiveworkonthecodificationstartedin1956.FormoreinformationabouttheevolutionofcodificationofstateresponsibilityseeJamesCrawford,TheInternationalLawCommission’sArticlesonStateResponsibility:Introduction,TextandCommentaries,Cambridge2002.

13 PeterMalanczuk,Akehurst’sModernIntroductiontoInternationalLaw,7threved.London1997,p.254.14 ThespecificityofthelawofstateresponsibilitywasalsoreflectedinthefactthattheILCdidnotuseitstypical

methodofproducingadraftconvention,aswasdoneinthecaseofthe1969ViennaConventiononTreatyLaw.Instead,theILCproducedDraftArticlesasalessbindingformofcodifyingnormsonstateresponsibility.

15 RobertoAgo,«SecondReportonStateResponsibility»,in:InternationalLawCommission(ed.),YearbookoftheInternationalLawCommission,NewYork1970,at306.

5 armed conflict in digital space,16also follows the restrictive approach on state responsibilityregulationtakenbytheDraftArticles.Inhisanalysisofstateresponsibilityonthe Internet,PeterMargulies iscriticaloftherestrictiveapproachtowardsstateresponsibilityadoptedbytheTallinManual,whichrequiresabreachoflaw and attribution to state organs. Such a high threshold could make state responsibilitycompletely unusable in digital space.17Furthermore, a restrictive approach to the law of stateresponsibilitybasedontheDraftArticlescouldcollidewiththe ‘noharm’principle,whichcouldmake states responsible to prevent theuseof their territories in anyway that could harm theinterestsofotherstates.ItistheapplicationofthetraditionalRomanlawmaxim:sicuteretuoutalienum laedas18(use your own property so as not to injure that of another) to internationallaw.19Thisdelicatebalancebetweenrestrictiverulesonstateresponsibilityandthe‘noharm’principleisaddressedinotherareasofinternationallawwithpronouncedtrans-borderaspects,includingtheenvironmentandouter space. Specialised fieldsof international law,whichareanalysed inthesubsequentpart,couldinspiresomesolutionsforstateresponsibilityinthedigitalfield.C. Innovative solutions from environmental law and other specialised fields of international law

The restrictive approach to state responsibility taken by the Draft Articles has shown limitedusabilityinfastemerginglegalfields,suchastheenvironment,outerspaceandotherissueswithprofound trans-border aspects. In these legal fields, new legal solutions and practices on stateresponsibility havebeendeveloped, in particular around the applicationof ‘noharm’principle.This section will focus on identifying similarities and differences between the digital field andotherspecialisedfieldsofinternationallaw.Thisanalysiswillformthebasisforidentifyingusefulpracticesandanalogoussolutionsonstateresponsibilityindigitalspace.1. Environment

Themost frequently used parallel in the discussion on the development of international legalsolutions for the Internet iswith theenvironmental field. Inparticular, parallels aremadewithclimatechangeandtransborderpollutions,anareathathasmuchincommonwiththeInternet’stransbordernature.However, there ismuchmoretothecomparisonbetweenthe Internetandenvironment/climatechangethantheirtransbordernaturealone.Whileboth theenvironmentandthe Internetarecharacterisedby transborderdynamics, therearesignificantdifferencesrelatedto thedegreeofcontrolover transbordereffects.Forclimatechange,itisalmostimpossibletomanagetheseeffects(forexample,thinkaboutglobalwarming), 16 SeeMichaelN.Schmitt(ed.),TallinnManualontheInternationalLawApplicabletoCyberWarfare,Cambridge

2013.17 PeterMargulies,«SovereigntyandCyberAttacks:Technology’sChallengetotheLawofStateResponsibility»,14

MelbourneJ.ofInt’lL.(2013),p.496.18 Theprinciplesicuteretuoutalienumlaedasisoneofthefundamentalprinciplesofinternationalenvironmental

law.Sicuteretuo…isthebasisofPrinciple21oftheStockholmDeclaration.ThesamelegalreasoningwasusedinCorfuChannelCaseoftheInternationalCourtofJustice.

19 Formoreinformationonthe«noharm»principlepleaseconsultsectionII.B.1.

6 whereas it is much easier to control the Internet’s transborder dynamics. Geo-location toolsanchor the Internet strongly into geography. For example, technology enables the blocking orfilteringofInternettraffictoandfromparticularterritories.The immediacyof the impactof transborderdynamicsalsodiffersbetweenclimatechangeandInternet cases. Climate change has long-term consequences, whereas most of the Internetimpactsarealmostinstant.ApossibletemporalanalogybetweenclimatechangeandtheInternetwouldbeinpreservingInternetknowledgeanddataasglobalpublicgoodsforfuturegenerations.Thetwofieldsfurtherdifferintheavailabilityofaninternationallegalframework.Climatechangeis regulated by the UN Framework Convention on Climate Change (1992). As for the Internet,thereisnoconventionortreatythatregulatesthedigitalfieldinacomprehensiveway.Theonlyinternational legal instrument is the Council of Europe’s Convention on Cybercrime, whichregulatesaspecificarea(cybercrime)attheregionallevel,withglobaladherence.The involvement of non-state stakeholders is another point of slight divergence. Governmentsnegotiated at the COP in Paris; civil society, academia and business were part of lobbyingactivities, similar to many other global policy processes (migration, trade, food, human rights,etc.).Theonlydifferenceisthatnon-stateactorswereabit‘noisier’inclimatechangepolicythaninotherpolicyprocesses.Similarly,non-stateactorshavehadanactiveroleintheWorldSummitontheInformationSociety(WSIS),theInternationalTelecommunicationsUnion(ITU),andmanyother relateddigitalprocesses.Anovelelement indigitalpolicy is theparticipationofallmajorstakeholders on an ‘equal footing’ in the activities of the Internet Governance Forum and TheInternetCorporationforAssignedNamesandNumbers(ICANN).Finally, there is a difference related to the evidence that is used for decision-making. Climatechange policy making is based on scientific evidence provided by the International Panel onClimate Change (IPCC). Scientists indicated the likelihood of climate change, and created aframeworkfordiplomaticnegotiations.EvidenceisnotusedaswidelyasonewouldexpectinanengineeringfieldastheInternet.Forexample,weknowverylittleabouttheimpactofcybercrime(estimatesofglobalimpactrangefromUS$300billionto3trillion).Thiscreatesamajorevidencegapinglobaldigitalpolicymaking.These similarities and differences are important to consider, in order to understand theapplicabilityofenvironmentalandclimatestateresponsibilitysolutionstotheInternet.Themostadvanceduseofenvironment-relatedstateresponsibility is inthefieldoftransborderpollution.The first major case was the Trace Smelter case of 1941, which was based on the ‘no harm’principle,lateronusedinmanydeclarationsandconventionsintheenvironmentalfield.ThecasewillbeexplainedinfurtherdetailinsectionII.B.1ofthispaper.2. Watercourses

Bothwatercoursesand the Internet share resourcesacrossnationalborders.Theequitableandreasonable utilisation of common resources is the key concept in international watercourselegislation,asitwasspecifiedinArticle5oftheUNWatercoursesConvention:

«WatercourseStatesshall intheirrespectiveterritoriesutilizean internationalwatercourse inanequitableandreasonablemanner.Inparticular,aninternationalwatercourseshallbeusedand developed by watercourse States with a view to attaining optimal and sustainable

7 utilization thereof and benefits therefrom, taking into account the interests of thewatercourseStatesconcerned,consistentwithadequateprotectionofthewatercourse.»20

Inaddition,Article7oftheUNWatercourseconventionintroducedtheprincipleof‘noharm’tootherstates.WhenrelatedtothedebateonInternet’slegalmatters,thedebatearoundabsolutevs. limited territorial sovereignty over waterflows is particularly relevant. Absolute sovereigntywasadopted in the so-called ‘HarmonDoctrine’, namedafter anAmericanAttorney-General in1895, during a dispute between the U.S. andMexico over the use of the Rio Grande waters.Accordingtothe‘HarmonDoctrine’,statesarefreetodecideontheuseofriversflowingthroughtheir territory. The Harmon Doctrine has not gained following. Instead, the practice ofinternational watermanagement has continued to follow the approach of limited sovereignty,which implies taking the interests of other states into consideration. The Internet is likely torequire the same approach, given the high degree of interdependence among societies indevelopingandusingtheInternet.3. Nuclear activities StateresponsibilityinthenuclearfieldisstricterthanthegeneralinternationallawcodifiedintheDraftArticles.A setof international instrumentsdealingwith state responsibility in the fieldofnuclearenergyincludethe1960ConventiononThirdPartyLiabilityintheFieldofNuclearEnergy,1963 Vienna Convention on Civil Liability for Nuclear Damage, 1986 Convention on EarlyNotificationofNuclearAccidents,1986ConventiononAssistanceinCaseofNuclearAccidents.State responsibility in the nuclear field could be triggered by failure of states to exercise duediligenceoveractivitiesofnuclear facilities. Inaddition«statesare responsible for transfrontierharmatleastwhenitresultsfromnegligenceorintentionalpollutionandpossiblyevenforharmresultingfromaccidents».214. Law of the sea The1982UNConventionontheLawoftheSea(UNCLOS)introducesstateresponsibilityinarticle194(paragraph2)

«…2. States shall take all measures necessary to ensure that activities under theirjurisdictionorcontrolaresoconductedasnottocausedamagebypollutiontootherStatesand their environment, and that pollution arising from incidents or activities under theirjurisdiction or control does not spread beyond the areas where they exercise sovereignrightsinaccordancewiththisConvention.»22

UNCLOScoversbothstateresponsibilitytowardsotherstatesandfordamagesofareasbeyondthelimitsofnationaljurisdictionsuchastheopensea.ItalsotriggeredananalogybetweentheopenseaandtheInternet,andintroducedtheapplicationoftheconceptof‘commonheritageof

20 ConventionontheLawoftheNon-navigationalUsesofInternationalWatercourses,NewYork21May1997,U.N.

Doc.A/51/867.21 AlexandreKiss,«StateResponsibilityandLiabilityforNuclearDamage»,35DenverJ.ofInt’lL.&Policy(2006),p.

133.22 UnitedNationsConventionontheLawoftheSea(UNCLOS),MontegoBay,10December1982,1833U.N.T.S.3.

8 mankind’ to the Internet. 23 This would mean that the Internet’s infrastructure is beyondindividualstates’jurisdictionandsubjecttotheprotectionofallstates.ClassifyingtheInternetas‘common heritage of mankind’ would have a significant impact on state responsibility on theInternet.5. Outer space ThelegalregimerelatedtoouterspaceinvolvesahighlevelofstateresponsibilityasspecifiedinOuterspace:1972ConventiononInternationalLiabilityforDamagesCausedbySpaceObjects.24Article6ofthe1967OuterSpaceTreaty25extendsstateresponsibilitytonon-governmentactorsbyspecifyingthat:

«Each StateParty to the Treaty that launchesor procures the launchingof anobject intoouterspace,includingthemoonandothercelestialbodies,andeachStatePartyfromwhoseterritoryorfacilityanobjectislaunched,isinternationallyliablefordamagetoanotherStatePartytotheTreatyortoitsnaturalorjuridicalpersonsbysuchobjectoritscomponentpartsontheEarth,inairorinouterspace,includingthemoonandothercelestialbodies.»

Comparedtoallothermentionedfields,theOuterSpaceTreatyprovidesthebroadestcoverageofstateresponsibility.Apossibleexplanation for thisstipulation is thatback in1967,whentheConvention was drafted, only states had sufficient financial and technical means to launchsatellites. In themeantime,moreandmoreprivateentitieshavegained the capacity to launchsatellites. Still, the requirements for launching satellites remain higher than for, for example,conducting cyber attacks. The low threshold for cyber activities (they are just ‘a click away’),means that it is not very realistic for states to assume responsibility for cyber activities of anyactorundertheir territorialorpersonal jurisdictionasStatescandofor limitednumberofnon-stateactorsinvolvedinouterspaceactivities.II.ApplicationofstateresponsibilitytotheInternetAfterexaminingthelawofstateresponsibilityintheprevioussection,thissectionwillapplystateresponsibilitytoahypotheticalcaseinwhichCountryA(CyberStan)sufferedmajordamageatitselectronicgridsystemcausedbyacyberattack.TheonlycertainfactisthattheattackcomesfromacomputerbasedincountryB(DigiLand).CyberStan’sdiplomaticlegalteamneedstoexploreallpossibilitiesforlegalactionagainstDigiLand.Theanalysisoftheirlegaloptionswillbesupportedbythemainacademicandpolicyapproachestostateresponsibility.

23 See«StatementbyDr.AlexSceberrasTrigona,SpecialEnvoyofthePrimeMinisteroftheRepublicofMalta»,

WorldSummitontheInformationSocietyReviewProcess,15December2015,<https://www.gov.mt/en/Government/Press%20Releases/Documents/pr152897a.pdf>.

24ConventiononInternationalLiabilityforDamageCausedbySpaceObjects,29March1972,961U.N.T.S.187.

25TreatyonPrinciplesGoverningtheActivitiesofStatesintheExplorationandUseofOuterSpace,includingtheMoonandOtherCelestialBodies,Washington,D.C.,27January1967,610U.N.T.S.205.

9 A.TypesofstateresponsibilityForCyberStan,thelegaloptionstoclaimresponsibilityofDigiLandforthisattackaresummarisedintheenclosedtable,whichpresentsthemaintypesofresponsibility/liability(row)andelementsofresponsibility(column).TypesofresponsibilityElementsofresponsibility

“FAULT”SUBJECTIVERESPONSIBILITY

“RISK”OBJECTIVERESPONSIBILITY

STRICTRESPONSIBILITY

Breach of rules of internationallaw

Required Required NOTRequired

Intention to breach the rule(fault/culpa)

Required NOTRequired

NOTRequired

Territorial link (action originatingcomputer or network under statejuridiction)

Required Required Required

Attribution to state (including itsorgans)

Required Required NOTRequired

Damageandloss Required Required Required1.‘Fault’ResponsibilityFirstly,CyberStancouldtrytobasethecaseagainstDigiLandonfaultresponsibility,anapproachthatwasusedbytraditionalinternationallaw.Thisconceptwasparticularlydominantduringtheinterwarperiod (1918-1941).However, ithas started losing relevance in the secondhalfof the20thcentury.Theincompatibilitybetweenmodernstatesand‘fault’responsibilitywashighlightedby I. Brownlie: «In the conditions of international life, which involve relations between highlycomplex communities, acting through a variety of institutions and agencies, the public lawanalogy of the ultra vires acts is more realistic than a seeking for subjective culpa in specificnatural persons who may, or may not, “represent” the legal person (the state) in terms ofwrongdoing.»26Brownlie’sconcerncanbeextendedtoourcase.ItisnotlikelythatCyberStanwillhaveenoughevidencetofirstidentifyandsubsequentlyprovefaultofDigiLand’sofficials.27Asaresult,CyberStanislikelytolookforthenextoptiononthestateresponsibility‘menu’…2.‘Risk’Responsibility‘Risk’or‘objective’responsibilitylowersthethresholdforresponsibility.Itdoesnotrequirefault,butitrequirestheattributionoftheactiontootherstatesandtheirofficials.‘Risk’responsibilityis

26 IanBrownlie,SystemoftheLawofNations,StateResponsibility,PartI,Oxford1983,p.38.27AttributionincybercasesisdiscussedunderII.B.2

10 basedonabreachofrules(exdelicto).Inourcase,CyberStanwouldneedtofindtheprimaryruleof international law that was breached. For example, this could be a breach of the ‘no harm’principle,whichrequiresastate«touseorpermittheuseofitsterritoryinsuchamannerastocauseinjurybyfumesinortotheterritoryofanotherorthepropertiesorpersonstherein...»asitwas specified inTrail SmelterCase (1941).28Theapplicationof the ‘noharm’principlecouldbelinkedtoanexaminationonwhetherastatehastakenthenecessary‘duediligence’measuresinordertoavoidanynegativeeffectsontheterritoryofotherstates(formoreonthis,seesectionII.B.2.a.2).3.StrictresponsibilityIfCyberStancannotproveabreachofprimarylaw,thelastpossibilitywouldbetoresortto‘strictresponsibility’, which requires proving that the cyberattack originated from the territory ofanotherstate;inthiscase,fromDigiLand.Strictresponsibilityinitspurestformisrarelyapplied.Namely,itisnotpossibleforstatestomonitorallactivitiesontheirterritorythatmaycauseharmto other states. In the digital field, it is particularly difficult to control all digital activitiesconducted by non-state actors. In addition, in many cases, it is not even desirable to requeststates to monitor all digital activities. It may increase surveillance and endanger the delicatebalance that societies worldwide need to strike between the protection of human rights andsafeguardingpublicinterests.Whileitisimportanttoestablishaterritoriallinkofthecyberactiontotheterritoryoftheotherstate,thisisnotsufficienttoestablishstateresponsibility.Asitwillbediscussedfurtherdown–insectionII.B.2.b–the‘territorial link’shouldbesupplementedbytheduediligencerequirement,whichmakes a state responsible fornot taking all adequate steps toprotectother states fromharm.4.DirectandindirectresponsibilityAnother classification, introduced by Oppenheim 29 , divides state responsibility into twocategories. Direct responsibility is based on actions of states and their organs. Both ‘fault’ and‘risk’responsibilitiesaredirectresponsibilities.Indirectorvicariousresponsibilityisresponsibilityof damage caused by other entities under the state’s jurisdiction, including individuals andcompanies.Strictresponsibilityisanexampleofindirectresponsibility.B.ElementsofstateresponsibilityStateresponsibilitytoInternetcaseswillbeanalysedonthreemainelements:1)breachofruleofinternational law,2)attributionand3)existenceofdamageor loss.Theother twoelementsofstateresponsibilitythatwerementionedinthetable–fault/culpaandtheterritoriallink-arenotfurtheranalysedinthissection.Fault/culpaisnotincludedsinceitisusedfor‘faultresponsibility’,which is no longer applied in international practice. The ‘territorial link’ is assumed to existwheneverstateresponsibilityisdiscussed,asitisintheCyberStancase.Namely,thebasisforany

28TrailSmelterCase(UnitedStatesvCanada).ArbitralTrib.,3UNRep.Int’lArb.Awards1905(1941).29RobertJennings&ArthurWatts,Oppenheim’sInternationalLaw,9thed.,Oxford2008.

11 discussiononDigiLand’sresponsibility is thatthecyber incident inCyberStanwas initiatedfromthecomputerslocatedintheterritoryofDigiLand.1.Breachofrulesofinternationallaw

State responsibility is initiated by a breach of rules, which could be done by both acts andomissions to act. The International Court of Justice confirmed omission as the basis for stateresponsibilityinseveralcases,includingCorfuChannel(UKv.Albania)30,UnitedStatesDiplomaticandConsularStaffinTeheran(USv.Iran)31,andApplicationoftheConventiononthePreventionandPunishmentoftheCrimeofGenocide(BosniaandHerzegovinav.SerbiaandMontenegro)32.Primary rules dealing specifically with the Internet are limited. If CyberStan and DigiLand arepartiestothe2001BudapestConventiononCybercrime,theyaresupposedtofollowtheprimaryrulespreventingcybercrimeactivitiesasstipulatedbythisConvention. IftheyarenotpartiestotheBudapestConvention,theywillhavetorelyongeneralinternationallawand,inparticular,theUNCharter.CyberStancouldbasethiscaseonthe‘noharm’principle,whichisconsideredtobepartofinternationalpubliclaw.The‘noharm’rulespecifiesthatastateshouldnotallowtheuseofitsterritoryforactivitiesthatcould harm other states. This rule dates back to the Roman law and maxim sic utero tuo, utalineumnon laedas (literally, use our own so as not to injure another). The legality of the ‘noharm’ruleissupportedbyawiderangeofconventions,courtcasesandpolicydocuments.Anintensivediscussionontheuseofthe‘noharm’principlestartedwiththeTrailSmeltercaseontransboundarypollution,whichtookplacein1941andstipulatedthat«nostatehastherighttouse or permit the use of territory in such a manner as to cause injury by fumes in or to theterritoryofanotherofthepropertiesorpersonstherein».33AfewdecadesaftertheTrailSmeltercase,the‘noharm’rulebecameoneofthecoreprinciplesofglobalenvironmentalpolicy.In1972,theStockholmDeclarationstipulatedinPrinciple21thatstates have a responsibility «to ensure that activitieswithin their jurisdictionor control donotcause damage to the environment of other States or of areas beyond the limits of nationaljurisdiction».34TheRioDeclarationinPrinciple2reiteratesthe‘noharm’principle.35The‘noharm’principleisalsousedinmanyinternationalconventions:the1982UNConventionoftheLawoftheSea(Article194-2)36, theConventiononBiologicalDiversity(Article3),371985 30CorfuChannel(UKv.Albania),ICJReports1949,p.4,(Merits).31UnitedStatesDiplomaticandConsularStaffinTeheran(USv.Iran),1980ICJReportsp.63,124(Judgment),atp.3.32 CaseConcerningApplicationoftheConventiononthePreventionandPunishementoftheCrimeofGenocide

(BosniaandHerzegovinav.SerbiaandMontenegro),2007ICJReports43(Judgment)atp.428–450.33TrailSmelterCase(UnitedStatesv.Canada).ArbitralTrib.,3UNRep.Int’lArb.Awards1905(1941).34 SeeUnitedNationsConferenceontheHumanEnvironment,ReportoftheUnitedNationsConferenceonthe

HumanEnvironment,A/CONF48/14/Rev1(15–16June1972).35 ReportoftheUnitedNationsConferenceonEnvironmentandDevelopment,RiodeJaneiro,3–14June1992,

A/CONF.151/26/Rev.1(Vol.I),at3.36 «Statesshalltakeallmeasuresnecessarytoensurethatactivitiesundertheirjurisdictionorcontrolareso

conductedasnottocausedamagebypollutiontootherStatesandtheirenvironment,andthatpollutionarisingfromincidentsoractivitiesundertheirjurisdictionorcontroldoesnotspreadbeyondtheareaswheretheyexercisesovereignrightsinaccordancewiththisConvention»(UnitedNationsConventionontheLawoftheSea,supran.21).

12 Convention for the Protection of the Ozone Layer (Article 1), 1967 Outer Space Treaty, 1973Marine Pollution Convention, 1972 London Duping Convention, and the UN WatercourseConvention (Article7).38 Furthermore, the ‘noharm’ rulewas reiterated ina few judgmentsoftheInternationalCourtofJustice:theLegalityoftheThreatorUseofNuclearWeapons39andtheCase concerning the Gabčíkovo-Nagymaros Project.40The Budapest Convention on Cybercrimespecifies that states have the responsibility to prevent the use of their territories by non-stateactorstoconductcyber-attacksagainstotherstates.

2.AttributionStateresponsibilitycannotbeestablishedwithoutattributionoftheactthatwouldtriggerstateresponsibility.TheDraftArticlesspecifythatattributionmustbeestablishedtothestateanditsorgans.Attribution in Internet cases has technical and legal aspects. On the technical level, it is verydifficulttoattributeInternetacts,duetothetechnicalarchitectureoftheInternetandtheuseofvarious techniques thatensureanonymity, including theuseof ToR software,multiple Internetroutes, encryption, etc. In addition to technical evidence, there is a need to ensure legalattribution in order to initiate cases based on state responsibility. Typically, legal evidencerequiresahigherlevelofcertaintythantechnicalevidence.Itishighlydemandingtogathersufficientprooftoensureattributionofactstostateorgans.MostInternet-relatedcasesremainonthelevelof ‘alleged’attribution.Thiswasthecaseinthe2007DenialofServiceattackonEstonia’sdigitalinfrastructure41andthe2014StuxnetattackonIraniannuclearenrichmentfacilities.42Traditionalstateresponsibility,whichrequiresattributionofactstostateorgans,isofverylimiteduse in thedigital field,wheremost activities are conductedbynon-state actors.Most InternetinfrastructurefacilitiesareownedbyprivatecompaniesandtheInterneteconomyisdrivenbytheprivatesector.Typically, theneed for legal redress in thedigital sphere is linked toactivitiesofnon-stateactors,beingindividualsorcompanies.Thisopensthequestionofwhetherastatecan

37«Stateshave,inaccordancewiththeCharteroftheUnitedNationsandtheprinciplesofinternationallaw,the

sovereignrighttoexploittheirownresourcespursuanttotheirownenvironmentalpolicies,andtheresponsibilitytoensurethatactivitieswithintheirjurisdictionorcontroldonotcausedamagetotheenvironmentofotherStatesorofareasbeyondthelimitsofnationaljurisdiction»(ConventiononBiologicalDiversity,RiodeJaneiro,5June1992,1760U.N.T.S.79).

38 Article7ofthe1997UNWatercoursesConvention.The«noharmprinciple»isalsousedinotherwatercoursesconventions,seetheUnitedNationsEconomicCommissionforEurope’sWaterConvention(Article2.1);the1994DanubeRiverProtectionConvention(Article2);andthe1995MekongConvention(Article4).

39LegalityoftheThreatorUseofNuclearWeapons,1996ICJReports226(AdvisoryOpinion)at241etseq.(para.29).

40 CaseconcerningtheGabčíkovo-NagymarosProject(Hungaryv.Slovakia),1997ICJReports,p.7(Judgment),at41(para.53).

41 Formoreinformation,see:SteveMansfield-Devine,«Estonia:WhatDoesn’tKillYouMakesYouStronger»,7NetworkSecurity(2012),12-20;andR.Ottis,«Analysisofthe2007CyberAttacksAgainstEstoniafromtheInformationWarfarePerspective»,Proceedingsofthe7thEuropeanConferenceonInformationWarfareandSecurity.Reading:AcademicPublishingLimited,2008,163–168.

42 Formoreinformation,see:DanielTerdiman,«StuxnetdeliveredtoIraniannuclearplantonthumbdrive»,CNET,12April2012,<http://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-planton-thumb-drive/>.

13 beheldresponsibleforactsofindividualandnon-stateentitiesunderitsjurisdictionaccordingtostrictorvicariousresponsibility.ThetraditionalviewonattributionforstateresponsibilityistakenbyDraftArticle11:«ConductofpersonsoragroupofpersonsnotactingonbehalfoftheStateshallnotbeconsideredasanactoftheStateunderinternationallaw».43However,theUNLawoftheSeaConventionbroadensstateresponsibility to natural and juridical persons under its jurisdiction. Article 139, paragraph 1,specifies that: «States Parties shall have the responsibility to ensure that activities in theArea,whethercarriedoutbyStatesParties,orStateenterprises,ornaturalor juridicalpersonswhichpossessthenationalityofStatesPartiesorareeffectivelycontrolledbythemortheirnationals,shallbecarriedoutinconformitywiththisPart...»44;State responsibility is further reinforced inArticle 235, paragraph245: «States shall ensure thatrecourse is available in accordance with their legal systems for prompt and adequatecompensationorotherreliefinrespectofdamagecausedbypollutionofthemarineenvironmentbynatural or juridical personsunder their jurisdiction.» Similar approach to state responsibilityareusedintheTreatyonPrinciplesGoverningtheActivitiesintheExplorationandUseofOuterSpace of 1967 (article 6)46: «States Parties to the Treaty shall bear responsibility for nationalactivities inouterspace…whethersuchactivitiesarecarriedoutbygovernmentagenciesorbynon-governmental entities». Finally, in international jurisprudence, the ICJ ruled in theNamibiacase:«Physicalcontrolofaterritoryandnotsovereigntyorlegitimacyoftitle,isthebasisofstateliabilityforactsaffectingotherstates.»47Legalwritershaveintensivelydebatedthetopicofstateresponsibilityfornon-stateactorsunderastate’sjurisdiction.Forexample,IanBrownliearguedthat«TheStateisunderadutytocontroltheactivitiesofprivatepersonswithin itsstate territory»48andOppenheimargues forvicariousresponsibility for unauthorised acts of the agent of the state and the other legal entities(individuals,companies,etc.).49Alexander Kiss stressed that apart from the ILC Draft Articles, which do not hold a Stateresponsible,«thisviewdoesnotappear tobeaccepted forenvironmentalmatters.Thegeneralrule seems rather to be that the Statewhose territory serves to support the activities causingenvironmentaldamageelsewhereorunderwhosecontrolitoccursisresponsiblefortheresultingharm».50KarlZemanekintroducedaneconomicargumenttothediscussiononstateresponsibilityfor acts by private persons on their territory, by stressing that “themost convincing answer isprovidedbythefactthatthenationaleconomyoftheStateonwhoseterritorytheactivitytakesplacebenefitsfromthatactivitygenerally,andthegovernmentthroughrevenuesinparticular.»51

43 InternationalLawCommission,YearbookoftheInternationalLawCommission1975,VolumeII,NewYork:United

Nations,1976,at51–61.44Art.139(1)UNCLOS.45Art.235(2)UNCLOS.46Art.24(6)OuterSpaceTreaty.47 LegalConsequencesforStatesoftheContinuedPresenceofSouthAfricainNamibia(SouthWestAfrica)

notwithstandingSecurityCouncilResolution276(advisoryopinion),1971ICJReports,p.16,at54,para.118.48Brownlie,supprano.25,at163.49RobertJennings&ArthurWatts(eds.),supran.28.50AlexandreCharlesKiss&DinahShelton,InternationalEnvironmentalLaw,Leiden1991,at353–354.51 KarlZemanek,«StateResponsibilityandLiability»,in:W.Lang,H.Neuhold,&K.Zemanek(eds.),Environmental

protectionandinternationalLaw,London1991,at195.

14 This survey of legal cases and academic arguments shows that there are serious attempts injurisprudenceanddoctrine toovercome the rather rigid criterion for state responsibilityof theDraftArticles,and tobroadenthecoverageof state responsibility toprivateentitiesandactorsunderastate’s jurisdiction.52Thereare twomajordirections inwhichCyberStanwouldneedtosearch for state responsibility of DigiLand for acts of non-state actors. Firstly, CyberStan couldprove a certain level of control of DigiLand’s state organs over the activities of the non-stateactorswho arebehind the cyber attack. Secondly, it can argue for the lack of duediligenceofDigiLandinensuringthatitsterritoryisnotusedagainstotherstates.i.Controlovernon-stateactorsbystateorgans.Jurisprudenceandlegaldoctrinehavedevelopedthreemaincriteriaforidentifyingstates’controlovernon-stateentities:effectivecontrol,overallcontrolandindirectcontrol.Firstly,the‘effectivecontrol’criterionwasintroducedbytheInternationalCourtofJustice(ICJ)intheNicaraguavs.theUnitedStatesCase.AlthoughtheUnitedStatessupportedandtrainedrebelfighters against the Nicaraguan government, the ICJ ruled that the United States were notresponsibleforrebelfighters’actions,sincetheUSdidnothave«effectivecontrolofthemilitaryorparamilitaryoperationsinthecourseofwhichtheallegedviolationswerecommitted».53.TheTallinnManualalsofollowstheprincipleof‘effectivecontrol’,asitstressesthat«merefinancingand equipping» is not sufficient for qualifying state support to private actors as ‘effectivecontrol’.54Accordingtothisapproach,itwouldnotbesufficientforCyberStantoprovethat–forexample –DigiLand’s official networkswereused for the attack. In order to requestDigiLand’sstate responsibility, it would need to prove that DigiLand’s officials were involved in theoperationalisationofthecyberincident.Secondly,the‘overallcontrol’criterionwasintroducedbytheInternationalCriminalTribunalforthe former Yugoslavia in the case of Prosecutor v Tadic (Appeals Chamber Judgement).55Itlowered the threshold for state responsibility by specifying that a state is responsible if it hasoverallcontrol,ratherthaneffectivecontrol,overactivitiesofnon-stateactors.Thus,thesupportfor military groups and other non-state actors would be sufficient for establishing stateresponsibility.IfCyberStancanprovethattheorganisationfromwhichnetworktheattackcamehadreceivedgrantsfromthegovernmentofDigiLand, itcouldusethisevidenceasthebasistodevelop an argument for state responsibility via the ‘overall control’ criterion. The main legalbattlewouldbeconductedonthequestionifDigiLandexercised‘duediligence’onmattersthatcouldhaveaffectedthisattack.Thirdly,accordingtoGraham,the‘indirectresponsibility’criterionwasusedafterthe9/11attacksasthepolicybasisforattackingtheTalibangovernmentofAfghanistan.56AlthoughtheTalibandidnot have effective nor overall control over the al Qaeda terrorist group, they were heldresponsibleforprovidingasanctuaryforalQaeda.Itisstillambiguouswhethertheprincipleof‘indirectresponsibility’constitutesanewpracticeonstateresponsibilityorifitisconfinedonlyto

52Theterm«individual»isusedfornaturalactorsand«entities»forlegalactors.53 MilitaryandParamilitaryActivitiesinandagainstNicaragua(Nicaraguav.UnitedStatesofAmerica),Judgment,

1986ICJReportsp.14,181.54MichaelN.Schmitt(ed.),supran.15,at32–3.55Prosecutorv.Tadić,1999ICTY,IT-94-1-A,I.C.T.Y.AppealsChamber(15July)(Judgment)at49.56DavidE.Graham,«CyberThreatsandtheLawofWar»,87J.ofNationalSecurity:Law&Policy(2010),at93–4.

15 the use in specific circumstances, such as in response to the 9/11 terrorist attacks. If it hasbecomeanewlegalprinciple,itwouldintroducetheprinciplesofstrictresponsibilityofastateforanyactcommittedbyindividualsandotherentitiesinitsterritory.Usingthiscriterionwouldleadtowardspurestrictresponsibility,whichconsidersonlythefactthatanattackoriginatedfromtheotherterritory.Thus,themostrealisticlegalgroundforthecasecouldbefoundinthe‘overallcontrol’criterion.IfCyberStan’s lawyers cannot prove DigiLand’s overall control over its non-state actors whocommittedthecyberattack,theycanbuildthecasearoundprovingthatDigiLanddidnotuse‘duediligence’inpreventingtheattack.ii.Duediligence57Whilestatescannotbeheldresponsibleforeveryactofindividualsandnon-stateentitiesintheirterritory,theycanmakeduediligencestepsinordertopreventtheuseoftheirterritoryagainstindividualsandentitiesinotherstates(basedonthe‘noharmprinciple’).In field of human rights, due diligence tests have been used to evaluate whether states areresponsible forbreachesofhumanrightsregulationsbyprivateentitiesundertheir jurisdiction.Forexample, inthecaseVelásquezRodríguezvHonduras58, theInter-AmericanCourtofHumanRightsruledthatastatecanbeheldresponsibleforviolationsbyprivateactorsifthestatefailedtoexercise‘duediligence’topreventandrespondtotheviolations.TheCourtindicatesthatthestatemust

take reasonable steps to prevent human rights violations and to use the means at itsdisposaltocarryoutaseriousinvestigationofviolationscommittedwithinitsjurisdiction,to identify those responsible, to impose the appropriate punishment and to ensure thevictimadequatecompensation.59

TheduediligenceprinciplewasalsousedinTheAsianAgriculturalProductsLtd(AAPL)vSriLanka.The judgementruledthatSriLankacouldnotbeheldresponsibleforthedestructioncausedbytheTamilTigers,butitcouldbeheldresponsiblefornottakingduediligencetoprotectdestroyedinstallations.60The application of the concept of ‘due diligence’ to cyber matters could also be inspired bysolutionsininternationaldiplomaticlaw,whereastateisobligedtotake‘allappropriate’stepsinordertoprotecttheembassiesofforeigncountries.TheomissiontotakethesestepswasoneofthelegalbasesoftheICJjudgmentinthecaseofUnitedStatesDiplomaticandConsularStaff inTeheran(1980).61

57 Foradiscussionon«duediligence»incyberspace,consultKatharinaZiolkowski,«RightsandObligationsofStates

inCyberspace»,in:KatharinaZiolkowski(ed.),PeacetimeRegimeforStateActivitiesinCyberspace,InternationalLaw,InternationalRelationsandDiplomacy,Talinn2013,pp.165–170.

58VelasquezRodriguezCase,JudgmentofJuly29,1988,Inter-Am.Ct.H.R.(Ser.C)No.4(1988).59Ibid,at93.60AsianAgriculturalProductsLtd.v.RepublicofSriLanka,1990ICSIDCaseNo.ARB/87/3(27June).61UnitedStatesDiplomaticandConsularStaffinTeheran(USv.Iran),supran.30.

16 Due diligence steps could include measures such as the adoption of strategy and legislationagainst cybercrime. Thus, while CyberStan cannot request DigiLand’s responsibility for theconcreteattack,itcanbaseitsclaimonDigiLand’sresponsibilitytotakeallnecessarymeasurestopreventsuchanattack.Grahamindicatesthefollowingstepstodetermineduediligence:

- To enact stringent criminal laws against the commission of international cyber attacksfromwithinnationalboundaries.

- Toconductmeaningful,detailedinvestigationsintocyberattacks.- Toprosecutethosewhohaveengagedintheseattacks.- To cooperate with the victim states’ own investigations and prosecutions of those

responsiblefortheattacks.62‘Due diligence’ is flexible enough to adjust to new technological developments and theway inwhich the Internet is (mis)used. Due diligence criteria and mechanisms are likely to developthroughstatepracticeindealingwithcyberincidents,whichcouldbethebasisfornormcreationthroughinstantcustomarylaw.C.DamageandreparationInrequestingstateresponsibility,CyberStanwillhavetoprovedamageandloss,whichwillalsoformthebasisforreparation.Giventheambitiousroleofcyberinmodernlife,damageandlossbycyberactivitiescouldbeverydiverse,rangingfromdirecteffectsontheattackedobject(e.g.damage to the power grid) to damages affecting the health and well-being of the broaderpopulation.ThestartingpointfordealingwithquestionsofdamageandreparationshouldbetheDraftArticles,whichidentifiesthreetypesofreparations.Firstly, Article 35 indicates restitution as a way «….to re-establish the situation which existedbefore the wrongful act was committed… ». Restitution could be used if it is possible andproportional. In digital cases, restitution could be used only if the cyberattack has triggeredphysicaldamage,whichisnotfrequentinthedigitalfield.Secondly, if restitution cannot be used, the Article 36 specifies compensation as ‘…financiallyassessabledamageincludinglossofprofits…’.Inourcase,itismostlikelythatCyberStanwillseekcompensation for damage triggered by the cyber-attack. The exact level of requestedcompensation would depend on establishing a causal link between the cyberattack and theresultingdamage.The third possibility is satisfaction, which, according to Article 37, ‘… may consist in anacknowledgementofthebreach,anexpressionofregret,aformalapologyoranotherappropriatemodality.’Satisfactionasreparationapproachcouldbeusedinstateresponsibilityindigitalcases.In sum, possibilities for reparation in digital caseswill dependon the typeof damage that hasresulted from the cyberattacks. Typically, restitutionwill rarely be used, leaving the other twomechanismsofcompensationorsatisfaction.

62Graham,supran.55,at93–94.

17 III.ConclusionAsour analysis shows,CyberStan is unlikely to find a legal basis to request state responsibilityofDigiLand for thecyberattack.Namely,theobjectiveresponsibility,asisoutlinedinthe2001DraftArticlesonStateResponsibilityandsupportedbythe2015UNGGEReport,istoorestrictivetobeappliedtocybercases.Outoftwocoreelementsforobjective state responsibility–breachof rulesandattributionofaction to stateorgans –CyberStanmayhaveaneasiercaseofprovingabreachof the ‘noharm’rule,whichrequiresastatenot toallowtheuseof its territory inways thatareharmful toother states.However, theattributionof thecyberattack to the stateorgansofDigiLandposeshighburdentoprove.The limited usability of objective responsibility in digital issues is likely to trigger alternative solutions for stateresponsibility,similartoenvironmentallawandotherspecialisedfieldsthathavefacedsimilarlimitations.Oneofthemainchallengeswillbetodealwiththeresponsibilityofnon-stateactors,whicharethemainplayers inthecyber-field.Thischallengecouldbeaddressedbyfurtherdevelopingthe‘noharm’principle,whichshouldpreventanyuseofastate’sterritory,includingbynon-stateactors,forcyber-attacksagainstotherstates.However, the complexity of cyber activitieswillmake it difficult for states to guarantee the applicationof the ‘noharm’ principle by ensuring that no cyber activity under their jurisdictionwill harm entities beyond their nationalborders.Apotentialsolutioncouldbeidentifiedin‘duediligence’requirements,whichwouldrequirestatestotakeall reasonablemeasures to prevent cyberattacks against other states by, among othermeasures, introducing lawagainst cyber-crime activities, participating in international cooperation, prosecuting perpetrators of cyberattacks,etc.Theconceptofstateresponsibilityinthedigitalfield,whichisstillinanearlystage,islikelytoemergethroughstatepractice,decisionsofinternationalcourtsandpolicyprocessessuchasUNGGE.Stateresponsibilityisoneofthewaysforlegalredressindigitalcasesbeyondnationalborders.Togetherwithothermechanisms from international private law for dealing with contract and torts, international criminal law foraddressing cybercrime and alternative dispute resolutions, state responsibility should contribute towards ensuringlegalstabilityandtheruleoflawinthemoderndigitally-drivensociety.