Mistake of Fact in Putative Self-Defence Against Cyber Attacks

I am glad that Marko has taken on the task of tackling the issue of mistakes of fact in international law, as I completely agree that it is a very important yet so far largely overlooked aspect, surprisingly so. While I’d mostly approve of Marko’s deliberations and conclusions, I wanted to add a brief point that I came across while doing research for my soon-to-be-published book on remedies in cyberspace that might be suitable to further inform this important debate. Given the technical features of cyber infrastructures, the issue of mistakes of fact in relation to measures taken in self-defence is even more critical in this context.

This is because a state might of course not only factually err in regard to the existence of an armed attack pursuant to Article 51 UN Charter, but just as well in relation to its author. This issue has come up more recently in connection with armed attacks in or through cyberspace and the widely discussed attribution problem. An imminent crisis caused by a cybersecurity incident as the result of a malicious cyber operation that indeed leaves “no choice of means, and no moment of deliberation” is easily imaginable. At the same time, given the persistent difficulty to identify an operation’s source and agent with reasonable certainty reasonably fast, it is equally easily imaginable that mistakes will happen – leading to a forceful response in putative self-defence against the wrong target (for instance a critical server in an uninvolved third country that had been employed in order to carry out the malicious operation). What should be the legal consequences of such a mistake of fact?

In this regard, some states seem to be moving towards a position that in such a situation, the defending state should bear no responsibility as long as it had made a “reasonable” attempt to identify the source and attribute the cyber operation that amounted to an armed attack, even if ex post evidence reveals a mistake of fact. In its (classified) Presidential Policy Directive/PPD-20 from October 2012, the US Government put forward that an attacked state must

make all reasonable efforts, under circumstances prevailing at the time, to identify the adversary and the ownership and geographic location of the targets and related infrastructure where [cyber operations] will be conducted or cyber effects are expected to occur. (emphasis added)

In her keynote speech at the opening of CyCon 2019, the President of Estonia seemed to concur, arguing in relation to attribution in cyberspace that “what is required from the attributing state, is not absolute certainty but what is reasonable”. While it is not entirely clear whether she was taking the question of lawful self-defence into account in this passage, she did address “the inherent right of self-defence” against malicious cyber operations a little later. However, the conclusion seems inescapable: If a state is under no legal obligation to be “certain” regarding the facts of an attack, then it must follow that it is not responsible for a violation of Article 2(4) UN Charter even if subsequent evidence reveals a mistake of fact.

Interestingly, the Tallinn Manual 2.0 explicitly and unambiguously endorses this position:

(T)he exercise of self-defence is (…) subject to the existence of a reasonable determination that an armed attack is about to occur or has occurred, as well as to the identity of the attacker. This determination is made ex ante, not ex post facto. Their reasonableness will be assessed based upon the information available at the time they were made, not in light of information that subsequently becomes available. (Rule 71 para. 23; emphasis added)

This position is even more remarkable given that when it comes to the justification of countermeasures, the majority of the Tallinn experts agreed with the ILC in that “States taking countermeasures do so at their own risk, that is, the wrongfulness of their actions will not be precluded if they mistakenly attribute the cyber activities to a State that is not responsible” (Rule 20, para. 16). This is explained by highlighting “the desirability of preventing a proliferation of countermeasures” as they “present a risk of escalation” (id.). In view of this very reasonable consideration, it seems rather strange that the experts apparently did not feel the same discomfort concerning self-defence.

The legal opinion of other states that have made official statements as regards the application of international law to cyberspace is less clear on this. In his 2018 speech on the topic, the UK’s Attorney General Jeremy Wright did point out that “the victim state must be confident in its attribution (…) to a hostile state before it takes action in response”, but explicitly only in connection with countermeasures. It is also unclear how “confident” would translate to an ex post facto assessment of a mistake of fact. The French statement from last year is limited to the clarification that it does not accept an obligation to publicly disclose the evidence used for attributing a malicious cyber operation prior to reacting. This position, now common among states, of course further muddles the issue further if this effectively implies that mistakes of fact might not even come to light.

Only the Dutch position is a bit more clear and straightforward in this regard: In its “Letter to the parliament” from July 2019, the Minister of Foreign Affairs endorsed the argument that “[n]o form of self-defence whatever may be exercised without adequate proof of the origin or source of the attack and without convincing proof that a particular state (…) is responsible for conducting or controlling the attack” (Appendix, p. 9). Furthermore, while the Netherlands also emphasises that a state in principle does not have to disclose the evidence that led to attribution, it concedes that “[a] state that takes countermeasures or relies on its inherent right of self-defence (…) in response to a cyber operation may eventually have to render account for its actions, for example if the matter is brought before the International Court of Justice. In such a situation, it must be possible to provide evidence justifying the countermeasure or the exercise of the right of self-defence” (Appendix, p. 6; emphasis added). Taken together, these two statements seem to suggest that a mistake of fact concerning attribution would not exonerate the state: if it cannot provide sufficient evidence, it will be held responsible for its reaction.

As far as I can see, there is no persuasive legal reason to employ different standards regarding mistakes of fact in relation to the existence of an armed attack on the one hand and the identity of the perpetrator of an armed attack on the other. Neither should it make a difference whether we assess an armed attack “in or through cyberspace” or anywhere else. Thus, we may follow that at least some states, in line with the Tallinn Manual, would not accept responsibility after a mistaken act of self-defence.

In my opinion, this development is a cause for concern, which is why I find the Dutch position all the more important. To end with a teleological argument: the whole point of the jus contra bellum regime set up by the UN Charter, its raison d’être, is that it should be hard to justify a unilateral resort to force. Allowing states to claim an exonerating mistake ex post facto, be it honest and/or reasonable or not, would undermine that very rationale, especially in view of new technological developments. As Marko rightly emphasised, “states today (…) are hardly too hesitant in relying on self-defence”. It is one thing to excuse an individual who made an honest mistake in a stressful and putatively threatening situation. This should however not extend to the question of a state’s responsibility for that same conduct. In the words of de Vattel in his classic Le Droit des Gens, a state should never “act upon vague and doubtful suspicions lest is should run the risk of becoming itself the aggressor”.