Research On The Imputed State Responsibility Of Cyber Attacks

With the increasing dependence of modern countries on the Internet,the frequency,intensity,and potential risks of cyber attacks have skyrocketed.In order to prevent cyber attacks from causing significant damage to national security and even constituting the “Pearl Harbor Incident” on the cyber,it is crucial to build a defense system against cyber attacks.The “active defense” means of making a cyber counterattack against an attack source is a decisive part of the cyber defense system.However,subject to Article 2,paragraph 4,of the Charter of the United Nations and the principle of prohibiting the use of force in customary international law,active defense can only be exercised in the form of the right to self-defence.According to the “Draft articles on the responsibility of States for internationally wrongful acts”and existing theories of State responsibility,the injured State can exercise its right to self-defence only when it confirms the identity of the attacker and establishes a direct control link between the host State and the initiator,in other words,achieving precise State attribution.However,compared to kinetic attacks,cyber attacks have better concealment,lower launch thresholds,and more difficult to trace and identify the source and identity of attackers,making it extremely difficult for the victim countries of cyber attacks to achieve accurate national attribution of cyber attacks.Therefore,the existing theory of State responsibility and the reality of the characteristics of cyber attacks do not adapt to each other,erasing the path for victim countries to respond promptly to the source system of cyber attacks to reduce or avoid their own damage,and limiting the level of national defense against cyber attacks.In response to this,some scholars have proposed the imputed state responsibility of cyber attacks,which aims to bypass State attribution and exercise active defense against territorial States or non State actors.However,as an evolving theory,there are many problems with the imputed state responsibility,including unclear constitutive requirements,methods of assuming responsibility,and procedural rules for the use of force,which may lead to the risk of abuse of force.In order to avoid the imputed state responsibility causing more serious problems than the problems it aims to solve,which are abused by some countries,and to enable China to have more discourse power in the field of cyberspace rule-making,it is imperative to actively promote the standardization and concretization of this theory.First of all,the constitutive requirements and the way of assuming responsibility for the imputed state responsibility should be clearly defined and included in its concept.The constitutive requirements for imputed state responsibility should be clearly defined as follow:Firstly a State is able to take the necessary measures to prevent a military attack launched from within the territory;secondly,that State is unwilling to take the necessary measures to prevent a military attack launched from within the territory and lastly it is unwilling to cooperate with the victim country after the attack occurs.The way to assume the imputed state responsibility must be clear in three aspects: First,the exercise of the right of self-defence based on shifting responsibility should be limited to the systems that launch cyber attacks;Secondly,the exercise of the right of self-defence based on shifting responsibility should be limited to cyber counterattacks;Thirdly,the time window for the exercise of the right of self-defence with regard to shifting responsibility should begin after the start of the cyber attack and end before the end of the cyber attack.At the same time,the transfer of responsibility should be limited by the following procedural rules.First,the injured State should exhaust all possible means of cooperation or consent.Even if the territorial State does not agree or refuses to cooperate,the injured State should also give the territorial State a certain amount of time to address and resolve the threat.At the same time,the injured State has the obligation to share with the territorial State all information about non State actors,including evidence of the intensity and origin of cyber-force attacks.