Legal Framework Mapper

How international legal frameworks apply to cyber operations in the dataset. Select a framework and rule to examine its relevance, analytical controversy, and implicated cases.

Legal classifications on this page reflect analytical frameworks used in academic and policy literature. They do not constitute legal determinations.

Rule 4 — State Responsibility

Tallinn Manual 2.0

Description

A state bears international responsibility for a cyber operation attributable to it that constitutes a breach of an international obligation. Attribution requires that the operation was conducted by state organs or by persons acting under the direction or control of the state.

Analytical Controversy in Cyberspace

The threshold for 'direction or control' remains contested. States increasingly use proxy groups, contractors, and criminal organisations for cyber operations, making attribution under Rule 4 analytically complex. The 'effective control' vs. 'overall control' debate from ICJ and ICTY jurisprudence has no settled cyber-specific interpretation.

Implicated Cases (3)

Colonial Pipeline2021

Criminal group operating from Russian territory raises questions about state tolerance as a basis for responsibility

Costa Rica / Conti2022

Conti's Russian nexus tested the boundary between criminal autonomy and state acquiescence

WannaCry2017

State-linked group (Lazarus) using criminal ransomware tools blurs the state/non-state distinction