See David Robb, Sony Hack: A Timeline, Deadline (Dec. 22, 2014, 1:25 PM), http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north -korea‌-1201325501 [http://perma.cc/ZE2Q-MM5H].

See Catherine Shoard, Sony Hack: The Plot To Kill The Interview–a Timeline So Far, Guardian (Dec. 18, 2014, 6:35 PM), http://www.theguardian.com/film/2014/dec/18/sony-hack -the-interview-timeline [http://perma.cc/8T2Y-SDNT].

See Lianna Brinded, The Interview Tipped To Cost Sony Pictures $200m Following Hack and Cancellation, Int’l Bus. Times (Dec. 18, 2014, 4:40 PM), http://www.ibtimes.co.uk‌/inter‌view‌‌-tipped-cost-sony-pictures-200m-total-following-hack-cancellation-1480157 [http://‌‌perma.cc/EJ8U-XT9B]. While the total damage to Sony is difficult to calculate, Sony has indicated that the attacks cost the company at least $15 million. See Ryan Faughnder, Sony Says Studio Hack Cost It $15 Million in Fiscal Third Quarter, L.A. Times (Feb. 4, 2015, 11:07 AM), http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony‌-hack-cost-20‌15‌0204-story.html [http://perma.cc/Q8S6-66XS]; Andrea Peterson, Why It’s So Hard To Calculate the Cost of the Sony Pictures Hack, Wash. Post (Dec. 5, 2014), http://‌www‌.wash‌ingtonpost.com/news/the-switch/wp/2014/12/05/why-its-so-hard-to-calculate-the-cost-of‌-the-sony-pictures-hack [http://perma.cc/S7RT-ZLNC].

See Amanda Hess, Inside the Sony Hack, Slate (Nov. 22, 2015, 8:25 PM), http://‌www‌ .slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html [http://perma.cc/8VYZ-XCMA].

See Press Release, Fed. Bureau of Investigation, Update on Sony Investigation (Dec. 19, 2014), http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation [http://perma.cc/4ZV4-BNSD].

See Brinded, supra note 3.

See Lisa Richwine, Cyber Attack Could Cost Sony Studio as Much as $100 Million, Reuters (Dec. 9, 2014, 5:58 PM), http://www.reuters.com/article/us-sony-cybersecurity-costs -idUSKBN0JN2L020141209 [http://perma.cc/72GJ-C37Z].

See Ellen Nakashima, U.S. Attributes Cyberattack on Sony to North Korea, Wash. Post (Dec. 19, 2014), http://www.washingtonpost.com/world/national-security/us-attributes -sony-a‌‌‌‌ttack-to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html [http://perma.cc/742A-8GCY] (noting that this was “the first time that the United States has openly laid blame on a foreign government for a destructive cyber attack against an American corporation”).

See Press Release, Fed. Bureau of Investigation, supra note 5. For examples of techniques relied upon by the U.S. government when tracing attacks, see APT1: Exposing One of China’s Cyber Espionage Units, Mandiant (2013), http://nsarchive.gwu.edu‌/NSAEBB/NSAEBB424‌/docs/Cyber-083.pdf [http://perma.cc/V294-8BXB].

See Press Release, John Kerry, Sec’y of State, U.S. Dep’t of State, Condemning Cyber-Attacks by North Korea (Dec. 19, 2014), http://www.state.gov/secretary/remarks‌/2014/12‌/235444.htm [http://perma.cc/J9JK-5PRS].

See President Barack Obama, Remarks by the President in Year-End Press Conference, White House (Dec. 19, 2014), http://www.whitehouse.gov/the-press-office/2014/12/19/remarks -president-year‌-end-press-conference [http://perma.cc/Y8PF-PPQY].

See, e.g., Kim Zetter, Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy, Wired (Jan. 8, 2015, 4:53 PM), http://www.wired.com/2015/01/critics-say-new -north-korea-evidence-sony-still-flimsy [http://perma.cc/43RF-ECJ9].

See, e.g., Robert M. Lee, The Feds Got the Sony Hack Right, but the Way They’re Framing It Is Dangerous, Wired (Jan. 10, 2015, 6:30 AM), http://www.wired.com/2015/01/feds-got -sony-hack-right-way-theyre-framing-dangerous [http://perma.cc/D6D9-B8Y3].

For example, the U.S. government has recently accused Russia of interfering in the U.S. elections. See David E. Sanger & Charlie Savage, U.S. Says Russia Directed Hacks To Influence Elections, N.Y. Times (Oct. 7, 2016), http://www.nytimes.com/2016/10/08/us/politics/us -formally-accuses-russia-of-stealing-dnc-emails.html [http://perma.cc/PSP6-747U].

See, e.g., Herb Lin, Learning from the Attack Against Sony, Lawfare (Jan. 23, 2015, 10:38 AM), http://www.lawfareblog.com/learning-attack-against-sony [http://perma.cc/UTH9 -Z4MD]; Nakashima, supra note 8.

See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 Calif. L. Rev. 817, 820 (2012) (“Some have referred to these and similar attacks as ‘cyber-warfare,’ suggesting that the law of war might apply. Yet the attacks look little like the armed conflict that the law of war traditionally regulates.”); Michael Schmitt, Classification of Cyber Conflict, 17 J. Conflict & Security L. 245, 246 (2012) (“Cyber operations have the potential for producing vast societal and economic disruption without causing the physical damage typically associated with armed conflict . . . . Moreover, massive attacks can be launched by a single individual or by a group that is organized entirely on-line. This is in sharp contrast to traditional warfare . . . .”).

See Sean Watts, Low Intensity Cyber Operations and the Principle of Non-Intervention, in Cyberwar: Law and Ethics for Virtual Conflicts 249, 249-50 (Jens David Ohlin et al. eds., 2015).

Under the doctrine of state responsibility, states are responsible for “wrongful” acts that are (a) attributable to the state and (b) breaches of an international obligation. Int’l Law Comm’n, Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, art. 2, Rep. of the Int’l Law Comm’n on the Work of Its Fifty-Third Session, U.N. Doc. A/56/10, at 68 (2001) [hereinafter Draft Articles on State Responsibility].

Id. art. 2, at 68.

See, e.g., Walter Gary Sharp, Sr., CyberSpace and the Use of Force 129-33 (1999).

See, e.g., Rebecca Crootof, Cyberinterference (2016) (unpublished manuscript) (on file with author). For an analysis of why comprehensive treaty regimes are unlikely in cyberspace, see Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Hoover Inst. (Mar. 9, 2011), http://media.hoover.org‌/sites‌/default/files/documents/FutureChallenges‌_Gold‌smith‌.pdf [http://perma.cc/Y8QW-WRX7].

See infra Section II.A.

For example, liability for transboundary harm has been pursued in the context of damages caused by space objects and by misfired weapons and mines. The International Law Commission (ILC) contemplated applying liability for transboundary harm to a broader range of activities in its work in its work on “liability for injurious consequences arising out of acts not prohibited by international law.” See infra text accompanying notes 106-114.

Xue Hanqin, Transboundary Damage in International Law 8 (2003) (“To be legally relevant, damage should be at least ‘greater than the mere nuisance or insignificant harm which is not normally tolerated.’”) (quoting Int’l Law Comm’n, Sixth Report on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited By International Law, arts. 2(b), 2(e), U.N. Doc. A/CN.4/428 (Mar. 15, 1990)). While Xue notes that “international law only tackles those cases where transboundary damage has reached a certain degree of severity,” different thresholds of severity are required for transboundary liability “for different purposes and in different contexts.” Id. at 7-8.

See id. at 4, 7-8. “Transboundary” refers to damages caused directly between two or more states, as well as damages that have transcended boundaries. “Harmful effects” include physical damage to persons or property, as well as intangible damages caused by economic activities. “Severity” requires a factual inquiry particular to the circumstances of each incident, given that international law generally accepts liability only for damages “greater than the mere nuisance or insignificant harm which is normally tolerated” by the international community. Id. at 8. “Causation” requires a proximal, though not necessarily physical, link between an activity and the ill effects produced. Id.

Hathaway et al., supra note 16, at 826.

The National Research Council defines cyber attacks as actions intending to “alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks.” Nat’l Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 10-11 (William A. Owens et al. eds., 2009); see Christopher S. Yoo, Cyber Espionage or Cyberwar? International Law, Domestic Law, and Self-Protective Measures, in Cyberwar: Law and Ethics for Virtual Conflicts, supra note 17, at 175; Michael Schmitt, International Law and Cyber Attacks: Sony v. North Korea, Just Security (Dec. 17, 2014, 9:29 AM), http://www.justsecurity.org/18460/international-human‌itarian -law-cyber-attacks-sony-v-north-korea [http://perma.cc/R38E-G43Q].

Cost of Cyber Crime Study: Global, Ponemon Inst. (2015), http://www8.hp.com/us/en‌/software-solutions/ponemon-cyber-security-report/index.html [http://perma.cc/79WF -8G6B]. Others suggest an even larger average cost to U.S. firms. See James Griffiths, Cybercrime Costs the Average U.S. Firm $15 Million a Year, CNN (Oct. 8, 2015, 3:28 AM), http://‌money.cnn.com/2015/10/08/technology/cybercrime-cost-business [http://‌perma.cc/PR7W‌-HLP4].

Net Losses: Estimating the Global Cost of Cybercrime, Ctr. for Strategic & Int’l Stud. (June 2014), http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf [http://perma.cc/8GQM-W5P9]; Will Yakowicz, Companies Lose $400 Billion to Hackers Each Year, Inc. (Sept. 8, 2015), http://www.inc.com/will-yakowicz/cyberattacks-cost -companies-400-billion-each-year.html [http://perma.cc/8PN8-M2FK].

Steve Morgan, Cyber Crime Costs Projected To Reach $2 Trillion by 2019, Forbes (Jan. 17, 2016, 11:01 AM), http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs -projected-to-reach-2-trillion-by-2019 [http://perma.cc/4FGK-5FD4]. However, these figures remain rough estimates because the costs that result from privacy infringements and intellectual property losses remain difficult to calculate.

See Eric Cole, Advanced Persistent Threat: Understanding the Danger and How To Protect Your Organization 27 (2013).

See Steve Kroft, The Attack on Sony, CBS (Apr. 12, 2015), http://www.cbsnews.com‌/news‌/north-korean-cyberattack-on-sony-60-minutes [http://perma.cc/XXS2-ZGSB]. Another attack, which took place in 2012, was believed to have been carried out by Iran on Saudi Arabia’s national oil company, Aramco, destroyed thirty thousand computers. See id.

Paulo Passeri, 2015 Cyber Attacks Statistics, Hackmageddon (Jan. 11, 2016), http://‌http://www.hack‌mageddon‌.com/2016/01/11/2015-cyber-attacks-statistics [http://perma.cc‌/WB5W-8USZ].

Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law, 54 Va. J. Int’l L. 697, 698 (2014).

See Oona A. Hathaway, The Drawbacks and Dangers of Active Defense, in 6th International Conference on Cyber Conflict: Proceedings 39, 43-44 (P. Brangetto et al. eds., 2014), http://ccdcoe.org/sites/default/files/multimedia/pdf/CyCon_2014.pdf [http://perma.cc‌/9LS8-3B6E].

For countermeasures (the appropriate term if the underlying attack is considered illegal, and if the response to it involves methods that too would be considered illegal if not in this context), see Draft Articles on State Responsibility, supra note 18, art. 49, at 328-33. For retorsions (the appropriate term if the response involves only unfriendly, but not illegal, actions), see Thomas Giegerich, Retorsion, in Max Planck Encyclopedia Pub. Int’l L. (Mar. 2011), http://‌opil.ouplaw.com/view/10.1093/law:epil‌/9780199231690/law-9780199231690 -e983 [http://‌perma.cc/JZT7-CV6P].

Martin Fackler, North Korea Accuses U.S. of Staging Internet Failure, N.Y. Times (Dec. 27, 2014), http://www.nytimes.com/2014/12/28/world/asia/north-korea-sony-hacking-the -interview‌.html [http://perma.cc/E6MK-DWRG].

See Angela McKay et al., International Cyber Security Norms: Reducing Conflict in an Internet-Dependent World, Microsoft 4 (2014), http://www.microsoft.com/en-us/download‌/details‌.aspx?id=45031 [http://perma.cc/5F7A-5HCM] (“Given the interconnected nature of cyberspace and the speed and nature of cyber attacks, the effects of offensive operations might be very difficult to predict and/or limit, and they could cascade to affect operations beyond the intended targets, including critical functions in the energy, communications, banking, chemical, or transportation sectors, among others. In other instances, an offensive cyber operation gone wrong could disrupt the global Internet or corrupt data at a scale that impedes key functions of the global economy. Unintended consequences of this scale could very easily escalate hostilities from the keyboard to kinetics, in the absence of normative limits on such behaviors.”).

See id. at 4; infra notes 253-254 (describing how an error in the Stuxnet code led to its unintentional, albeit benign, spread to computers around the world).

See McKay et al., supra note 38, at 4 (“[T]he increasing development of defensive and offensive cyberspace capabilities will, in itself, promote cyber insecurity between nation states, especially without a normative framework around those capabilities. If a state, for example, shifts cybersecurity investments from civilian defense and law enforcement to offensive military capabilities, other states will react. The actions of individual nation states could exacerbate cyber insecurity regionally or globally, driving broader tensions in the international system.”).

Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168, ¶ 148 (Dec. 19). This prohibition is also provided for in customary international law. See Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 43, ¶ 385 (Feb. 26).

U.N. Charter art. 2, ¶ 4.

See Christine Gray, International Law and the Use of Force 30 (3d ed. 2008).

U.N. Charter, pmbl. (“We the people of the United Nations determined . . . to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest . . . have resolved to combine our efforts to accomplish these aims.”).

U.N. Conference on Int’l Orgs., Summary Report of Eleventh Meeting of Committee I/1, in 6 Documents of the Conference on International Organization 331, 334 (1945). The travaux préparatoires (meaning “preparatory works”) are the official records of a negotiation.

Ian Brownlie, International Law and the Use of Force by States 362 (5th ed. 1998); 1 The Charter of the United Nations: A Commentary 208 (Bruno Simma et al. eds., 3d ed. 2012); Hathaway et al., supra note 16, at 842; see also Bert V. A. Röling, The Ban on the Use of Force and the U.N. Charter, in The Current Legal Regulation of the Use of Force 3 (A. Cassese ed., 1986) (finding it “obvious” that Article 2(4) refers to armed force); Katharina Ziolkowski, General Principles of International Law as Applicable in Cyberspace, in Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy 135, 172-74 (Katharina Ziolkowski ed., 2013) (summoning multiple lines of evidence for the proposition that Article 2(4) refers to armed force, and describing actions to which Article 2(4) might apply). must be confined to therealm,ile customary international legal practice of liability may lack of sponsibility. he by cyber attac

The travaux préparatoires suggest that participants of the San Francisco Conference in April 1945, which culminated in a draft of the UN Charter, specifically rejected an amendment that would have included economic coercion within the scope of Article 2(4). See U.N. Conference on Int’l Orgs., supra note 45, at 334; see Yoo, supra note 27, at 178-79. In addition to rejecting such a proposal by Brazil to include economic force, the Conference also declined to take up Iran’s suggestion to include political force in the prohibition. See Nico Schrijver, The Ban on the Use of Force in the UN Charter, in The Oxford Handbook of the Use of Force in International Law 470-71 (Marc Weller ed., 2015). In addition, the prevailing consensus that Article 2(4) only applies to “armed force” is supported by arguments that Article 2(4) was drafted with the goal to limit unilateral recourse to specifically “armed” conflict. See Hathaway, supra note 35, at 43-44; see also Michael N. Schmitt, The Use of Cyber Force and International Law, in The Oxford Handbook of the Use of Force in International Law, supra, at 1110-13 (discussing negotiations concerning the use of force definition).

Tallinn Manual on the International Law Applicable to Cyber Warfare 48-52 (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual]. Rule 11 of the Tallinn Manual specifically notes that “[a]‌ cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” Id. at 45. “ state’ states are permitted to make freely includeitiated by state actors, reinforces the view that this category of attacks

See, e.g., Office of Gen. Counsel, Dep’t of Def., An Assessment of International Legal Issues in Military Operations (2d ed., 1999), reprinted in Computer Network Attack and International Law 459, 483 (Michael N. Schmitt & Brian T. O’Donnell eds., 1999) (“[T]he consequences are likely to be more important than the means used.”); Schmitt, supra note 47, at 1113-16; Harold Hongju Koh, Legal Adviser, U.S. Dep’t of State, International Law in Cyberspace: Remarks at the USCYBERCOM Inter-Agency Legal Conference (Sept. 18, 2012), reprinted in 54 Harv. Int’l L.J. Online 1, 4 (2012). It should be noted, however, that direct use of weapons by a state is not required to violate the prohibition, as enabling other actors to use such weapons can constitute a violation as well. See Marco Roscini, Cyber Operations and the Use of Force in International Law 66-67 (2014) (“In the Nicaragua judgment, the I.C.J. also qualified the arming and training of armed groups—not directly destructive actions—as a use of force.”).

See Tallinn Manual, supra note 48, at 47.

See David E. Sanger & Michael S. Schmidt, More Sanctions on North Korea After Sony Case, N.Y. Times (Jan. 2, 2015), http://www.nytimes.com/2015/01/03/us/in-response-to-sony -attack-us-levies-sanctions-on-10-north-koreans.html [http://perma.cc/39NM-H58G].

See Koh, supra note 49, at 4 (“[I]f the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force.”); see also Erki Kodar, Computer Network Attacks in the Grey Areas of Jus ad Bellum and Jus in Bello, 9 Baltic Y.B. Int’l L. 133, 139-40 (2009); Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l L. 885, 914-15 (1999). To date, the Stuxnet attack, which destroyed nuclear centrifuges inside Iran’s Natanz uranium enrichment site, remains the only cyber attack widely accepted by scholars as a potential use of force. See, e.g., Russell Buchan, Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?, 17 J. Conflict & Security L. 212, 220-21 (2012). While debate nevertheless surrounds the lower threshold of Article 2(4), some examples of cyber attack consequences clearly constituting force have been suggested: a nuclear plant meltdown, the opening of a dam, or even the disabling of air traffic such that planes crash. See Koh, supra note 49, at 4. For discussion of the lower bounds of the use of force threshold, particularly in the context of blockades, see Penelope Neville, Military Sanctions Enforcement in the Absence of Express Authorization?, in The Oxford Handbook of the Use of Force in International Law, supra note 47, at 279-83.

See Crootof, supra note 21. The United Nations Group of Governmental Experts agreed that an armed attack in cyberspace need not require “armed” employment of weapons, as injuries to persons or damages to physical property may also meet the armed attack threshold. See Yoo, supra note 27, at 181.

Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 91, ¶ 191 (June 27).

See U.N. Charter art. 51. Though there has been no clear agreement yet on whether such an example has taken place, scholars nevertheless agree that it is possible for a cyber attack to meet the threshold of an “armed attack” if its effects approach those of kinetic armed attack. See Hathaway et al., supra note 16, at 836-37; Kodar, supra note 52, at 139-40; Schmitt, supra note 52, at 914-15; Matthew C. Waxman, Cyber Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 421, 427 (2011).

See Koh, supra note 49, at 7. But see Hathaway, supra note 35, at 49 (“[T]he UN Charter does not permit states to respond with force to every single illegal use of force—in particular, to those uses of force that do not arise to the “most grave” level sufficient to amount to an “armed attack” and trigger Article 51.”).

See Schmitt, supra note 27.

See Military and Paramilitary Activities in and Against Nicaragua, 1986 I.C.J. at 106, ¶ 202; G.A. Res. 2625 (XXV), at 5 (Oct. 24, 1970); G.A. Res. 2131 (XX), ¶ 2 (Dec. 21, 1965). Attacks which aim to change the outcome of an election may be more likely to constitute an intervention, as opposed to a mere low-intensity cyber attack.

Oppenheim’s International Law defines “intervention” as requiring interference that is “forcible or dictatorial, or otherwise coercive, in effect depriving the state intervened against of control over the matter in question. Interference pure and simple is not intervention.” 1 Oppenheim’s International Law 432 (Robert Jennings & Arthur Watts eds., 9th ed. 2008). Put another way, intervention “aims to impose a certain conduct of consequence on a sovereign state.” Philip Kunig, Prohibition of Intervention, in Max Planck Encyclopedia Pub. Int’l L. ¶ 1 (Apr. 2008), http://opil.ouplaw.com‌/view‌/10.1093/law:epil/9780199231690‌/law‌-9780199231690-e1434 [http://perma.cc/3DBK-WFTV].

Military and Paramilitary Activities in and Against Nicaragua, 1986 I.C.J. at 107-08, ¶ 205. Nicaragua also uses the language of “political integrity.” Id. at 106, ¶ 202; see Tallinn Manual, supra note 48, r. 10, cmt. 10, at 45.

See Schmitt, supra note 27; Katja S. Ziegler, Domaine Réservé, in Max Planck Encyclopedia Pub. Int’l L. ¶ 1 (Apr. 2013), http://‌opil‌.ouplaw.com/view/10.1093/law:epil‌/9780199‌231‌6‌90‌/law-9780199231690-e1398 [http://‌perma.cc/JR6J-NNSH]. Oppenheim’s International Law explains that in addition to being closely linked to the concept of domaine réservé, the principle of non-intervention is a “corollary of every state’s right to sovereignty, territorial integrity and political independence.” 1 Oppenheim’s International Law, supra note 59, at 428.

While coercion remains key to most scholarly conceptions of intervention, Watts notes that “[s]tates have not achieved or expressed consensus on a notion of coercion sufficient to constitute intervention,” much less in the cyber context. Watts, supra note 17, at 270.

See, e.g., Schmitt, supra note 27.

See, e.g., Tallinn Manual, supra note 48, r. 10, cmt. 8, at 44-45; Schmitt, supra note 47, at 1113-17; Schmitt, supra note 27.

See Crootof, supra note 21; Benjamin Elgin & Michael Riley, Now at the Sands Casino: An Iranian Hacker in Every Server, Bloomberg (Dec. 12, 2014, 3:48 PM), http://‌www ‌.bloomberg‌.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-ca‌si‌n‌o-in-las-ve‌gas [http://perma.cc/UHD2-DLMZ]; cf. Max Kutner, Alleged Dam Hacking Raises Fears of Cyber Threats to Infrastructure, Newsweek (Mar. 30, 2016, 8:12 AM), http://‌www‌.newsweek.com/cyber-attack-rye-dam-iran-441940 [http://perma.cc/E46K-XPCS] (describing an incident in which a hacker affiliated with the Iranian government allegedly hacked a New York dam); Jordan Robertson & Michael Riley, American Airlines, Sabre Said To Be Hit in China-Tied Hacks, Bloomberg (Aug. 7, 2015, 5:00 AM), http://www‌.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks‌-backed-by-china [http://perma.cc/B2RM-Q8TD] (describing a series of attacks on corporations related to the U.S. travel industry that were allegedly attributable to hackers linked to China).

See Crootof, supra note 21, at 2 (“Assuming that they were state-sponsored, they weren’t cybercrime.”).

Id. at 4 (quoting Brian Barrett, Facebook Now Warns Users of State-Sponsored Attacks, Wired (Oct. 19, 2015, 11:28 AM), http://www.wired.com/2015/10/facebook-now-warns-users-of -state‌-sponsored-attacks [http://perma.cc/L5MQ-EKGR]).

Notifications for Targeted Attacks, Facebook (Oct. 16, 2015, 4:36 PM), http://‌www .facebook‌.com‌‌/notes/facebook-security/notifications-for-targeted-attacks/1015309‌29946‌157‌66 [http://‌‌perma.cc/5RZA-9K2U] (explaining Facebook’s policy of notifying users of attacks by persons “suspected of working on behalf of a nation-state”).

Draft Articles on State Responsibility, supra note 18, art. 2, at 68.

See id. arts. 30-31, 49.

See, e.g., Patrick W. Franzese, Sovereignty in Cyberspace: Can It Exist?, 64 A.F. L. Rev. 1, 31 (2009); Schmitt, supra note 27; see also U.N. Charter art. 2, ¶ 1 (recognizing the “principle of the sovereign equality of all its Members”).

See, e.g., Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace, 89 Int’l L. Stud. 123 (2013), http://stockton.usnwc.edu/cgi‌/viewcontent.cgi?article‌=1027‌&context=ils [http://perma.cc/2LVQ-9Y8M]; see also Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 35 (Apr. 9) (“Between independent States, respect for territorial sovereignty is an essential foundation of international relations.”).

See, e.g., U.S. Dep’t of Def., Strategy for Homeland Defense and Civil Support 12 (2005) (“The global commons consist of international waters and airspace, space, and cyberspace.”).

See James Crawford, Brownlie’s Principles of Public International Law 251-52 (8th ed. 2012).

Ian Brownlie explains that the “principal corollaries of the sovereignty and equality of states” include “(1) a jurisdiction, prima facie exclusive, over a territory and the permanent population living there; (2) a duty of non-intervention in the area of exclusive jurisdiction of other states.” Ian Brownlie, Principles of Public International Law 289 (5th ed. 1998) (emphasis added); see also Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 128, ¶ 251 (June 27) (“The effects of the principle of respect for territorial sovereignty inevitably overlap with those of the principles of the prohibition of the use of force and of non-intervention.”); 1 Oppenheim’s International Law, supra note 59, at 428 (noting that non-intervention “is a corollary of every state’s right to sovereignty, territorial integrity and political independence”); Kunig, supra note 59, ¶ 9 (“Without the prohibition of intervention, the principle of sovereignty could not be fully realized. Thereby, the raison d’être of the non-intervention rule is the protection of the sovereignty of the State.”).

For more on why sovereignty and non-intervention should not be seen as absolute prohibitions for all activity falling below the threshold of the use of force, see Ashley Deeks, An International Legal Framework for Surveillance, 55 Va. J. Int’l L. 291, 302 (2015) (“[I]deas such as non-intervention and sovereignty developed against a background understanding that states do and will spy on each other, thus establishing a carve-out for espionage within those very concepts.”).

See Simon Chesterman, The Spy Who Came in from the Cold War: Intelligence and International Law, 27 Mich. J. Int’l L. 1071, 1074-75 (2006) (“There is little prospect . . . of concluding a convention defining the legal boundaries of intelligence gathering, if only because most states would be unwilling to commit themselves to any standards they might wish to impose on others.”). See generally W. Michael Reisman & James E. Baker, Regulating Covert Action: Practices, Contexts, and Policies of Covert Coercion Abroad in International and American Law (1992) (reviewing contemporary covert actions and intelligence policies).

See Phillip Knightley, The Second Oldest Profession: Spies and Spying in the Twentieth Century (1986); Yoo, supra note 27, at 190-91 (noting that espionage dates to ancient Greece, Rome, China, and Egypt). The prevalence of espionage—and more recently, cyber espionage—may remain a prime example of the Lotus principle at work: in the absence of international law to the contrary, states simply have the right to act freely. Armin von Bogdandy & Markus Rau, The Lotus, in Max Planck Encyclopedia Pub. Int’l L. (June 2006), http://opil.ouplaw.com/view/10.1093/law:epil‌/9780199231690/law-9780199231690‌-e‌1‌62 [http://perma.cc/F2SY-DPEL].

The U.S. government defines cyber espionage as “[o]perations and related programs or activities conducted . . . in or through cyberspace, for the primary purpose of collecting intelligence . . . from computers, information or communication systems, or networks with the intent to remain undetected.” Presidential Policy Directive—U.S. Cyber Operations Policy (PPD-20) 2 (Oct. 2013), http://www.fas.org/irp/offdocs/ppd/ppd-20.pdf [http://perma.cc‌/X6TL-FSM3]. For the purposes of this Note, acts of cyber espionage are taken to be outside of the category of low-intensity cyber attacks to which liability applies, as they typically lack destruction or corruption of computer or internet systems and equipment. However, if an act of cyber espionage unintentionally or intentionally results in sufficient damage or coercion, it could then constitute a low-intensity cyber attack, or a traditional non-intervention, use of force, or armed attack under international law. See Yoo, supra note 27, at 183-84. The fact that the precise boundaries of the category of cyber espionage remain unsettled no doubt creates difficulties for defining the precise contours of any category of cyber attack. In addition, some cyber attacks may exhibit characteristics of both cyber espionage and a low-intensity attack. However, for purposes of categorizing an attack (or part of an attack) as a low-intensity cyber attack, the attack must result directly in damage, as opposed to mere intrusion or extraction of information. In this context, it may be useful to note that many recent attacks on government entities, such as the Office of Personal Management, would not be categorized as low-intensity attacks as they have resulted mainly in information extraction.

See Chesterman, supra note 77, at 1075; Hathaway, supra note 35, at 49.

Press Release, John Kerry, supra note 10.

Eric Bradner, Obama: North Korea’s Hack Not War, But ‘Cybervandalism,’ CNN (Dec. 24, 2014, 9:20 AM), http://www.cnn.com/2014/12/21/politics/obama-north-koreas-hack-not -war-but-cyber-vandalism [http://perma.cc/TMZ6-W9WP].

See Koh, supra note 49, at 4.

Elmer E. Smead, Sic Utere Tuo Ut Alienum Non Laedas: A Basis of the State Police Power, 21 Cornell L.Q. 276, 276-77 (1936). Some scholars also point to the notion of bon voisinage, or “good neighborliness,” as reflecting certain limitations (though not necessarily absolute) on states not to abuse the rights of other states. See, e.g., Günther Handl, Transboundary Impacts, in Oxford Handbook of International Environmental Law 533 (Daniel Bodansky et al. eds., 2008).

See Int’l Law Comm’n, Survey of Liability Regimes Relevant to the Topic of International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, U.N. Doc. A/CN.4/543, reprinted in [2004] 2 Y.B. Int’l Law Comm’n pt. 1, at 85 [hereinafter ILC Survey].

See id. ¶ 56. Common law defines nuisance in tort as “an act or omission which is an interference with, disturbance of or annoyance to a person in the exercise or enjoyment of (a) a right belonging to him as a member of the public (public nuisance), or (b) his ownership or occupation of land or of some easement, profit or other right used or enjoyed in connection with land (private nuisance).” Id. ¶ 53 (quoting R.A. Buckley, Nuisance, in Clark & Lindsell on Torts 973 (18th ed. 2003)).

Id. ¶ 52 (translating the French, “nul ne doit causer à autrui un trouble anormal du voisinage”).

Id. ¶ 53.

Id.

Id.

Id. ¶ 52 (in French, “un trouble anormal”). The 1868 English case Rylands v. Fletcher noted that all significant harms, no matter “however innocently” inflicted, can give rise to liability in private nuisance. Rylands v. Fletcher [1868] 3 LRE & I. App. 330, 341 (HL) (Cranworth, J., concurring).

Trail Smelter Arbitration (U.S. v. Can.), 3 R.I.A.A. 1965 (Trail Smelter Arb. Trib. 1941).

Legality of Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, 241-42 (July 8).

Gabčíkovo-Nagymaros Project (Hung. v. Slovk.), Judgment, 1997 I.C.J. 3, ¶ 53 (Sept. 25).

Pulp Mills on River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 18, ¶¶ 101, 193 (Apr. 20).

Certain Activities Carried Out by Nicaragua in Border Area (Costa Rica v. Nicar.), Judgment, 2015 I.C.J. 1, ¶¶ 177-217 (Dec. 16).

Lac Lanoux Arbitration (Fr. v. Spain), 12 R.I.A.A. 281 (1957).

Canada-United States Settlement of Gut Dam Claims, 8 I.L.M. 118, 133-42 (Lake Ontario Claims Trib. 1969).

See ILC Survey, supra note 84.

See World Summit on Sustainable Development, Johannesburg Declaration on Sustainable Development, U.N. Doc. A/CONF.199/20 (Sept. 4, 2002); U.N. Conference on Environment and Development, Rio Declaration on Environment and Development, U.N. Doc. A/CONF.151/26/Rev.1 (Vol. 1) (June 14, 1992) (“States have . . . the responsibility to ensure that activities within their jurisdiction or control do not cause damage to the environment of other States or of areas beyond the limits of national jurisdiction.”); U.N. Conference on the Human Environment, Declaration, U.N. Doc. A/CONF.48/14/Rev.1 (June 16, 1972) (“States have . . . the responsibility to ensure that activities within their jurisdiction or control do not cause damage to the environment of other States or of areas beyond the limits of national jurisdiction.”). The U.S. has recognized the principle of transboundary harm in the environmental context. See Restatement (Third) of the Foreign Relations Law of the United States § 601 (Am. Law Inst. 1987).

See Göran Lysén, State Responsibility and International Liability of States for Lawful Acts: A Discussion of Principles 145-48 (1997) (describing debate on whether customary international law provides for liability outside of treaties and suggesting that it might). But see Allain Pellet, The Definition of Responsibility in International Law, in The Law of International Responsibility 3, 10 (James Crawford et al. eds., 2010) (concluding that customary international law does not support a concept of liability outside of the environmental context).

Hugo Grotius, 2 The Rights of War and Peace 884, ¶ 1 (Richard Tuck ed., Jean Barbeyrac trans., 2005) (1625); see also Pellet, supra note 100, at 5 (quoting Grotius and stating that his “formulation formed the very basis of international responsibility until very recently” and that it remains the foundation of the “classic theory” and “traditional definition”).

See Oona Hathaway & Scott Shapiro, The Internationalists: How a Radical Plan To Outlaw War Remade the World 20-22 (forthcoming 2017) (unpublished manuscript) (on file with author).

See ILC Survey, supra note 84, ¶¶ 426-427.

See id.

See Michel Montjoie, The Concept of Liability in the Absence of an Internationally Wrongful Act, in The Law of International Responsibility, supra note 100, at 503-04.

See James R. Crawford, State Responsibility, in Max Planck Encyclopedia Pub. Int’l L. ¶ 6 (Sept. 2006), http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1093http://opil.ouplaw.com‌/view‌/10.1093/law:epil/9780199231690/law-9780‌19‌9‌2‌31‌690-e1093 [http://perma.cc/4TYZ-BTE3]; Robert Q. Quentin-Baxter (Special Rapporteur), Fourth Rep. on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, ¶ 8, U.N. Doc. A/CN.4/373 (June 27, 1983) [hereinafter Liability for Injurious Consequences].

Alan E. Boyle, State Responsibility and International Liability for Injurious Consequences of Acts Not Prohibited by International Law: A Necessary Distinction?, 39 Int’l & Comp. L.Q. 1, 12 (1990).

Rep. of the Int’l Law Comm’n on the Work of Its Thirtieth Session, U.N. Doc. A/33/10, at 75 (1978) (emphasis added); see also ILC Survey, supra note 84, ¶¶ 1-4 (discussing the purpose of the survey as reviewing liability conventions for actions not prohibited by international law); Boyle, supra note 107, at 2-3 (noting that the ILC topic on “International Liability for the Injurious Consequences of Acts Not Prohibited by International Law” was an offshoot of the group charged with distilling the doctrine of state responsibility into the Draft Articles on State Responsibility).

Draft Articles on the Prevention of Transboundary Harm from Hazardous Activities, with Commentaries, arts. 3, 7, 8, Rep. of the Int’l Law Comm’n on the Work of its Fifty-Third Session, U.N. Doc. A/56/10, at 370-77 (2001) [hereinafter Draft Articles on Transboundary Harm]; see, e.g., G.A. Res. 65/28 (Dec. 6, 2010); G.A. Res. 62/68 (Dec. 6, 2007).

As James Crawford has recalled, “Despite the uncertainty surrounding their future status, the Draft Articles [on Transboundary Harm] provide an authoritative statement of the scope of a state’s international legal obligation to prevent a risk of transboundary harm.” Crawford, supra note 74, at 357.

Liability for Injurious Consequences, supra note 106, annex § 4. Perhaps the most enduring aspect of the ILC’s work is its affirmation of the underlying purpose of liability. In the words of the ILC Rapporteur, Quentin-Baxter, “[I]f all transboundary harm were wrongful, there would be no need for this topic. Every activity that caused or threatened such harm would be prohibited, except with the consent of the States whose interest was affected.” Robert Q. Quentin-Baxter (Special Rapporteur), Second Rep. on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, ¶ 85, U.N. Doc. A/CN.4/346 (July 1, 1981).

See Liability for Injurious Consequences, supra note 106, ¶ 60 (noting that as “international life grows more complex and is more elaborately organized,” liability, as opposed to wrongfulness, will be a more appropriate form of accountability); see also 4 Max Planck Encyclopedia of Public International Law 214 (Rudolf Bernhardt ed., 2000) (“[S]cientific and technological advances . . . have obliged international law to adapt itself to new circumstances . . . . The problem posed by these new activities does not derive from the question whether they are legitimate or wrongful, but from the fact that, even if they are essential or beneficial, they embody an inherent risk of transboundary harm.”).

See ILC Survey, supra note 84. See generally Analytical Guide to the Work of the International Law Commission, Int’l L. Commission, http://legal.un.org/ilc/guide/gfra.shtml [http://‌perma.cc‌/SB6V-6GSK] (organizing the work of the ILC by topics and helpfully tracking the development of each topic).

Liability for Injurious Consequences, supra note 106, ¶ 17 (“[T]here is a rather general expectation that the field of application will include all physical uses of territory giving rise to adverse physical transboundary effects.”). Initially, the ILC project of codifying liability was conceptualized in rather broad terms. See Boyle, supra note 107, at 96. For example, a 1995 ILC survey suggested that liability might extend to airspace, nuclear or industrial activities, conservation and utilization of critical resources, and even communication and broadcasting. See Liability Regimes Relevant to the Topic “International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law”: Survey Prepared by the Secretariat, [1995] 2 Y.B. Int’l Law Comm’n pt. 1, at 61, U.N. Doc. A/CN.4/471. Documents suggest that a debate existed between those who rejected the idea of focusing on the environment and those who believed that liability should also cover transboundary harm from activities as disparate as antitrust laws, monetary policies, newspapers, and even medical and biological research. See Daniel Barstow Magraw, Transboundary Harm: The International Law Commission’s Study of “International Liability”, 80 Am. J. Int’l L. 305, 323-24 (1986) (“Some members argued—without providing any substantial justification—for the inclusion of ‘restrictive economic policies,’ ‘monetary activities’ and ‘transboundary economic problems’ (possibly involving such subjects as antitrust policies, restrictive tariffs and import quotas, inflationary and deflationary monetary policies, international lending policies, and tax laws affecting transfer pricing or transnational capital flows). Others asserted that medical and biological research and, more generally, ‘economic, industrial and other activities’ should be included. Those and other claims prompted counter-arguments against coverage of transboundary harm caused by newspaper articles, monetary devaluation and legitimate industrial or agricultural competition.”).

In the end, the ILC working group compromised: the decision was made that the “rules to be drawn up should be of a general nature,” even though many would relate to the environment. See M.B. Akehurst, International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, 16 Neth. Y.B. Int’l L. 3, 4 (1985) (noting that while Quentin-Baxter himself preferred to limit the topic to the “field of the environment,” the ILC as a whole explicitly rejected this approach).

This ILC project has been subject to sharp criticism. Brownlie calls the Commission “fundamentally misconceived.” Ian Brownlie, System of the Law of Nations: State Responsibility Part I 50 (1983); see also Julio Barboza, The Environment, Risk and Liability in International Law 125 (2011) (explaining a serious attack made on the ILC’s work in 1997 resulting from confusion that Barboza believes could have been, and in part was, ultimately overcome). Most take a more moderate approach, recognizing that despite the problems encountered by the ILC in its efforts to develop a general regime of liability, the utility and purpose of such a system is nontrivial. See, e.g., Mahnoush H. Arsanjani & W. Michael Reisman, The Quest for an International Liability Regime for the Protection of the Global Commons, in International Law: Theory and Practice 469, 488 (Karl Wellens ed., 1998) (“Our review of the successive efforts to deal with harm to the global commons thus indicates a quest for an effective legal regime that has, as yet, had very limited success. . . . The problems in constructing a viable regime for the protection of the global commons that incorporates a liability component are . . . formidable. But the consequences of not fashioning such a regime—and doing it soon—may well constitute the most profound common threat to humanity in the twenty-first century.”); Montjoie, supra note 105, at 504.

Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 22 (Apr. 9).

Id. (emphasis added).

Malcolm N. Shaw, International Law 851 (6th ed. 2008). Shaw notes that the U.S. Attorney General expressed support for this doctrine in 1895. Id. at 851 n.28.

For example, in 1955, the United States agreed to pay Japan for damages caused to individuals, fish populations, and the Japanese fish market due to nuclear tests carried out by the United States on Enewetak Atoll. In 1964, the United States authorized $950,000 to be paid in compensation to the inhabitants of Rongelap Atoll for similar damages, while in later decades it prepared to settle Marshall Islands claims totaling over $100 million. Elsewhere, Canada reserved its right to compensation in the event of damage to the Pacific resulting from nuclear tests on Amchitka Island in 1960, while Japan and New Zealand made a variety of tort demands with respect to French nuclear testing throughout the decades. Similarly, several European states reserved the right to bring claims against the Soviet Union for damages caused by Chernobyl. See ILC Survey, supra note 84, ¶¶ 404-412.

Two other examples illustrate the duty to prevent and redress transboundary harm outside of the environmental context. In 1949, Austria made a formal protest to the Hungarian Government not to install land mines near the Austrian border. When mines detonated in Austria nearly two decades later, the Austrian government condemned Hungary’s actions, relying explicitly on the principle of “good-neighbourliness.” Id. ¶ 419. Similarly, in 1968, the Swiss government recognized liability to compensate Liechtenstein for damages suffered when a Swiss artillery unit erroneously fired shells across the border. See id. ¶ 420.

See Eric David, Primary and Secondary Rules, in The Law of International Responsibility, supra note 100, at 27.

See Draft Articles on State Responsibility, supra note 18, arts. 20-27, at 173-211. For further discussion on primary and secondary duties, see Boyle, supra note 107, at 10-11. The Commentary to the Draft Articles on State Responsibility suggests that secondary duties concern the following issues:

(a) The role of international law as distinct from the internal law of the State concerned in characterizing conduct as unlawful; (b) Determining in what circumstances conduct is to be attributed to the State as a subject of international law; (c) Specifying when and for what period of time there is or has been a breach of an international obligation by a State; (d) Determining in what circumstances a State may be responsible for the conduct of another State . . . ; (e) Defining the circumstances in which the wrongfulness of conduct under international law may be precluded; (f) Specifying the content of State responsibility, i.e. the new legal relations that arise from the commission by a State of an internationally wrongful act, in terms of cessation of the wrongful act, and reparation for any injury done; (g) Determining any procedural or substantive preconditions for one State to invoke the responsibility of another State, and the circumstances in which the right to invoke responsibility may be lost; (h) Laying down the conditions under which a State may be entitled to respond to a breach of an international obligation by taking countermeasures designed to ensure the fulfilment of the obligations of the responsible State under these articles.

Draft Articles on State Responsibility, supra note 18, at 60.

See Boyle, supra note 107, at 10; Draft Articles on State Responsibility, supra note 18, at 123; James Crawford (Special Rapporteur), Third Rep. on State Responsibility, ¶ 325, U.N. Doc. A/CN.4/507/Add.3 (Aug. 4, 2000) (“The law of treaties is concerned essentially with the content of primary rules and with the validity of attempts to alter them; the law of responsibility takes as given the existence of the primary rules . . . and is concerned with the question whether conduct inconsistent with those rules can be excused and, if not, what the consequences of such conduct are.”).

Shaw, supra note 117, at 782.

An American member present at the ILC’s 25th Session is said to have initially made the distinction between the terms “liability” and “responsibility.” The record reflects that he advocated: “[T]he term ‘responsibility’ should be used only in connexion [sic] with internationally wrongful acts and that, with reference to the possible injurious consequences arising out of the performance of certain lawful activities, the . . . term ‘liability’ should be used.” Draft Rep. of the Commission on the Work of Its Twenty-Fifth Session, [1973] 1 Y.B. Int’l Law Comm’n 210, 211, U.N. Doc. A/CN.4/SER.A/1973.

The ILC has stressed the importance of harm to liability, as opposed to responsibility. See State Responsibility, [1974] 1 Y.B. Int’l Law Comm’n 5, 7, U.N. Doc. A/CN.4/SER.A/1974 (“In the case of wrongful activities, damage was often an important element, but it was not absolutely necessary as a basis for international responsibility. On the other hand, damage was an indispensable element for establishing liability for lawful, but injurious activities.”). A number of commentators, including the ILC, refer to liability for transboundary harm as thus liability sine delicto, that is, liability “which does not have its origin in an internationally wrongful act.” See René Lefeber, Transboundary Environmental Interference and the Origin of State Liability 15, 198-202 (1996).

Several of the handful who have examined the topic of liability in international law begin by noting how much “confusion” there is about the subject. See, e.g., Alan Boyle, Liability for Injurious Consequences of Acts Not Prohibited by International Law, in The Law of International Responsibility, supra note 100, 95, 95-104 (noting the confusion surrounding how the ILC working group on injurious consequences would develop the topic and the variety of intellectual difficulties that the ILC faced); N.L.J.T. Horbach, The Confusion About State Responsibility and International Liability, 4 Leiden J. Int’l L. 47 (1991) (recognizing the confusion between state responsibility and international liability); Sompong Sucharitkul, State Responsibility and International Liability Under International Law, 18 Loy. L.A. Int’l & Comp. L.J. 821 (1996) (same); see also Rep. of the International Law Commission on the Work of Its Thirty-Seventh Session, U.N. Doc. A/40/10, reprinted in [1985] 2 Y.B. Int’l Law Comm’n pt. 2, at 19-27 (discussing the various intellectual challenges and disagreements encountered by the ILC in its work on liability). There is still confusion left about the state of liability in international law.

The ILC conceives of prevention as: (1) performing proper risk assessments, (2) preventing harm or minimizing the risk thereof, and (3) giving notice and technical information concerning risk to the country affected. See Draft Articles on Transboundary Harm, supra note 109, at 390, 402, 406.

See Boyle, supra note 107, at 10, 17. Boyle notes that within the international liability regime, the ILC has recognized that an “injured State can order the other to: (1) discontinue the act; (2) apply national legal remedies; (3) re-establish the situation existing before the act or, to the extent that this is impossible, pay corresponding compensation; (4) provide guarantees against repetition.” Id. at 17. However, some have disagreed, suggesting that only compensation can be requested. See id. at 17-18; see also Responsibilities and Obligations of States Sponsoring Persons and Entities with Respect to Activities in the Area, Advisory Opinion, Case No. 17, Order of Feb. 1, 2011, ITLOS Rep. 10, 49 (advising, with regard to international seabed activity, that sponsoring States are required to “establish procedures, and, if necessary, substantive rules governing claims for damages before its domestic courts”).

Outside of customary international law and general principles of international law, several treaties have created forms of liability in international law. See infra text accompanying note 143.

Liability for Injurious Consequences, supra note 106, ¶ 40. Others have called this same underlying duty a “compound primary obligation.” Magraw, supra note 114, at 311.

See, e.g., Rosalyn Higgins, Problems and Process: International Law and How We Use It 164 (1995).

Id. at 165.

Id.

Id.

Id. at 163-64. As Oona Hathaway and Scott Shapiro explain, in the pre-contemporary order, this practice played out clearly not via the Draft Articles on State Responsibility, which prohibit a recourse to force as a means of secondary enforcement in the contemporary era, but indeed via the secondary enforcement tool of war: “[States] had to make a claim regarding a wrong, offer an opportunity for peaceful redress, explain to the world why the wrong had not [been] addressed, and then go to war.” See Hathaway & Shapiro, supra note 102, at 9.

James Crawford, The International Law Commission’s Articles on State Responsibility: Introduction, Text and Commentaries 13-14 (2002) (“[T]he essential point is surely this, that different primary rules of international law impose different standards ranging from “due diligence” to strict liability . . . . By referring these issues to the interpretation and application of the primary rule, the Draft Articles took an essentially neutral position, neither requiring nor excluding these elements in any given case. This was a more subtle approach, more appropriate to a general set of articles dealing with all international obligations . . . .”).

Id. at 82. Some argue that in the case of Bosnia & Herzegovina v. Serbia & Montenegro, the ICJ settled the question of what the proper standard of liability was when it stated the following: “A State does not incur responsibility simply because the desired result is not achieved; responsibility is however incurred if the State manifestly failed to take all measures to prevent genocide which were within its power, and which might have contributed to preventing the genocide.” Application of Convention on Prevention and Punishment of Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 43, ¶ 430 (Feb. 26). However, in that case, it is clear that the ICJ did not set out a universal standard of due diligence, but instead looked to “the obligation in question” (the relevant primary duty, which was a duty to prevent genocide). In doing so, the ICJ determined that the duty to prevent genocide was “one of conduct and not one of result,” and thus that a standard of due diligence was applicable. Id.

Higgins, supra note 130, at 157; see also Draft Articles on State Responsibility, supra note 18, at 31 (“The emphasis is on the secondary rules of State responsibility; that is to say, the general conditions under international law for the State to be considered responsible for wrongful actions or omissions, and the legal consequences which flow therefrom. The articles do not attempt to define the content of the international obligations, the breach of which gives rise to responsibility. This is the function of the primary rules, whose codification would involve restating most of substantive customary and conventional international law.”); R. Doak Bishop, James E. Crawford & W. Michael Reisman, Foreign Investment Disputes: Cases, Materials, and Commentary 576 (2d ed. 2014) (“Although international responsibility is sometimes said to be based on the principle of ‘objective responsibility,’ there is no general rule in the matter: some obligations are obligations of due diligence, others may entail a stricter standard.”).

See Sucharitkul, supra note 125, at 835-39. Nevertheless, Malcolm Shaw has contended that the majority of academic opinions tend toward an understanding of strict liability and the objective theory for state responsibility. See Malcolm Shaw, International Law 698 (5th ed. 2003).

See, e.g., Convention on the International Liability for Damage Caused by Space Objects, Mar. 29, 1972, 24 U.S.T. 2398, 961 U.N.T.S 187; Vienna Convention on Civil Liability for Nuclear Damage, May 21, 1963, 1063 U.N.T.S. 265; Convention on Third Party Liability in the Field of Nuclear Energy, July 29, 1960, 956 U.N.T.S. 263.

See James A. Henderson, Jr. et al., The Torts Process 451 (8th ed. 2012).

See id. Absolute liability is taken to mean full liability, or in the words of Judge Higgins, liability “by reference to events, with culpa as much an irrelevance as the due-diligence test.” Higgins, supra note 130, at 161. Absolute liability is used over the term “strict liability” to avoid confusion from the fact that the strict liability is typically only referenced in the context of negligence torts.

Rylands v. Fletcher [1868] LRE & I. App. 330, 339-40 (HL).

ILC Survey, supra note 84, ¶ 21; see, e.g., United Nations Convention on the Law of the Non-Navigational Uses of International Watercourses, May 21, 1997, 36 I.L.M. 700; United Nations Convention on Civil Liability for Damage Caused During Carriage of Dangerous Goods by Road, Rail and Inland Navigation Vessels, Oct. 10, 1989, U.N. Doc. ECE/TRANS/79; see also supra note 139 (listing additional treaties).

ILC Survey, supra note 84, ¶ 401.

The ILC has at points noted that even if the acting state observes its duties to take preventive measures, it should nonetheless be held answerable for damage, given that the duty not to cause damage is un-conditional. See Xue, supra note 24, at 14.

Shaw, supra note 117, at 888.

See ILC Survey, supra note 84, ¶¶ 65-79.

See Henderson et al., supra note 140, at 159.

Shaw, supra note 117, at 861. See generally ILA Study Grp. on Due Diligence in Int’l Law, First Report, Int’l L. Ass’n (Mar. 7, 2014), http://www.ila-hq.org/download.cfm‌/docid‌/8AC4DFA1-4AB6-4687-A265FF9C0137A699 [http://perma.cc/786K-TDCU] (considering whether there is agreement between the distinctive areas of international law in which the concept of due diligence is applied). Due diligence was first recognized in the Alabama arbitration of 1872 between the United States and the United Kingdom over obligations under the law of neutrality. See Ala. Claims Arbitration, (U.S. v. Gr. Brit.), 29 R.I.A.A. 125, 129 (1872). Due diligence also evolved out of the customary international duty on states to protect aliens. See ILA Study Grp. on Due Diligence in Int’l Law, supra, at 2.

Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 24 (Apr. 9).

Pulp Mills on River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 18, ¶ 197 (Apr. 20).

Id. For instance, in the environmental context, due diligence has since become firmly established as a requirement on states to undertake environmental impact assessments prior to activities likely to give rise to significant harm, as well to notify and consult parties likely to be affected by that harm and offer technical assistance in the case that harm does occur. See, e.g., Draft Articles on Transboundary Harm, supra note 109, art. 8, at 406-09 (specifying that states should notify and consult other states if there is a risk that one of their activities may cause harm and also obliging states to provide reparation, consequential on the causation of harm itself); Boyle, supra note 107, at 22.

The ILC has noted as much in its survey of state practice on liability. See ILC Survey, supra note 84, ¶ 55.

Id. ¶ 229.

See id. ¶¶ 415-16.

See id. ¶¶ 228-29.

Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 51 (Apr. 9) (Winiarski, J., dissenting); id. at 66-67 (Badawi Pasha, J., dissenting); ILC Survey, supra note 84, ¶ 229.

Nuclear Tests (Austl. v. Fr.), Order, 1973 I.C.J. 99 (June 22). The ICJ did not rule on the merits of this case.

Article 10 of the ILC’s Draft Articles on Transboundary Harm similarly supports an “equitable balance of interests” based in part upon “importance of the activity, taking into account its overall advantages of a social, economic and technical character . . . in relation to the potential harm” when consulting potentially harmed states about preventative measures. Draft Articles on Transboundary Harm, supra note 109, art. 10, at 412. Boyle notes that one of the three main points driving the work of the ILC on liability was thus the idea that “every State must have the maximum freedom of action within its territory compatible with respect for the sovereign equality of other States.” Boyle, supra note 107, at 6.

ILC Survey, supra note 84, ¶ 234; see also Nuclear Tests, 1973 I.C.J. at 104.

ILC Survey, supra note 84, ¶ 234; see also Shaw, supra note 117, at 861 (noting that the ILC Draft Articles on Transboundary Harm specify in Article 10 that the Articles strive for an “equitable balance of interests” and that in applying liability, the Draft Articles on Transboundary Harm seek to account for the “the importance of the activity [causing harm]” for the state where the activity is taking place in relation to the states that are likely to be affected, as well as the “means of preventing or minimising such risk”).

ILC Survey, supra note 84, ¶¶ 235-37. The ILC has made similar references to the fact that some activities giving rise to transboundary harm are “not always possible to prohibit or avoid” because they are “beneficial to society in general.” Pemmaraju Sreenivasa Rao (Special Rapporteur), Third Rep. on the Legal Regime for the Allocation of Loss in Case of Transboundary Harm Arising Out of Hazardous Activities, ¶ 36(3), U.N. Doc. A/CN.4/540 (May 15, 2004). Because of this, the ILC has noted that in many jurisdictions,

Strict liability . . . [for] inherently dangerous or hazardous activities . . . is arguably a general principle of international law, or in any case could be considered as a measure of progressive development of international law. In the case of activities which are not dangerous but still carry the risk of causing significant harm, there is perhaps a better case for liability to be linked to fault or negligence.

Id. ¶ 38.

Julie Makinen, North Korea Decries U.S. Allegations on Sony Hack; U.S. Turns to China, L.A. Times (Dec. 20, 2014), http://www.latimes.com/world/asia/la-fg-north-korea-proposes -joint-investigation-into-sony-hack-20141220-story.html [http://perma.cc/8VPD-J5CT].

This is a term adopted from treaty interpretation. See Vienna Convention on the Law of Treaties art. 32, May 23, 1969, 1155 U.N.T.S. 331 (“Recourse may be had to supplementary means of interpretation . . . when the interpretation according to article 31 . . . [l]eads to a result which is manifestly absurd or unreasonable.”).

See Oren Gross, Cyber Responsibility To Protect: Legal Obligations of States Directly Affected by Cyber-Incidents, 48 Cornell Int’l L.J. 481 (2015); Jason Healey & Hannah Pitts, Applying International Environmental Legal Norms to Cyber Statecraft, 8 I/S 356 (2012); Eric Talbot Jensen, Cyber Sovereignty: The Way Ahead, 50 Tex. Int’l L.J. 275 (2015); Thilo Marauhn, Customary Rules of International Environmental Law—Can They Provide Guidance for Developing a Peacetime Regime for Cyberspace?, in Peacetime Regime for State Activities in Cyberspace, supra note 46; Daniel Ortner, Cybercrime and Punishment: The Russian Mafia and Russian Responsibility To Exercise Due Diligence To Prevent Trans-boundary Cybercrime, 2015 BYU L. Rev. 177; Michael N. Schmitt, In Defense of Due Diligence in Cyberspace, 125 Yale L.J. F. 68 (2015); Ziolkowski, supra note 46; Jan E. Messerschmidt, Note, Hackback: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm, 52 Colum. J. Transnat’l L. 275 (2013).

See Tallinn Manual, supra note 48, r. 5, at 26 (“A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other states.”); see also U.N. Secretary-General, Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/172 (July 22, 2015) (transmitting member states’ views of international security in the cyber context); Group of Governmental Experts in the Field of Information and Telecommunications in the Context of Information Security, ¶ 23, U.N. Doc. A/68/98 (June 24, 2013) (“States should seek to ensure that their territories are not used by non-State actors for unlawful use of [information and computer technologies].”).

Schmitt, supra note 165, at 70.

See id. at 70; Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty To Prevent, 201 Mil. L. Rev. 1, 14 (2009).

See Tallinn Manual, supra note 48, r. 5, at 26-29.

See Schmitt, supra note 165, at 71.

For instance, in the Alabama arbitration, the foundational case affirming the concept of due diligence in international law, the Law of Neutrality provided the source of the due diligence standard breached by the United Kingdom in permitting ships to be built for the war effort on its territory. However, due diligence did not exist as a discrete requirement on states and indeed was simply a required standard of care when abiding by the Law of Neutrality. See Ala. Claims Arbitration (U.S. v. Gr. Brit.), 29 R.I.A.A. 125, 129 (1872). In addition, the applicability of the Alabama arbitration to any general obligation of due diligence is limited given that the Alabama arbitration was carried out pursuant to the Treaty of Washington of 1871, which itself provided for three “rules,” two of which called for “due diligence” as the standard for assessing each state’s conduct. See generally Treaty of Washington, Gr. Brit.-U.S., May 8, 1871, 17 Stat. 863.

See supra Section I.B.

See Sucharitkul, supra note 125, at 838. Still, uncertainty about this question persists.

It is unclear the extent to which the Tallinn Manual and Schmitt imply that due diligence applies in the low-intensity cyber context; however, several others offered such an argument. See, e.g., Karine Bannelier-Christakis, Cyber Diligence: A Low-Intensity Due Diligence Principle for Low-Intensity Cyberspace?, 14 Baltic Y.B. Int’l L. 23 (2014); Scott J. Shackelford et al., Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chi. J. Int’l L. 1 (2016). In fact, one could argue that Schmitt and the Tallinn Manual may have even implicitly invoked the concept of transboundary harm, perhaps out of concern that invoking sovereignty in too strict a sense might be problematic. After all, they seem to see due diligence as applying not to all intrusions into a state’s sovereign territory, but instead to intrusions “inflict[ing] serious damage” or causing “adverse effects.” Tallinn Manual, supra note 48, r. 5, cmt. 3, at 26; Schmitt, supra note 165, at 75. This suggests that most of the substance in the approach taken by Schmitt and the Tallinn Manual to due diligence may actually come through the words “damage,” “effect,” or “injury”—words that resonate strongly with the concepts explored by the ILC in its work on transboundary liability, and not necessarily with the concept of “sovereignty.” That is, an invocation of the right to sovereignty alone, as compared to an invocation of transboundary harm, would struggle to draw a line between any intrusion and intrusions causing “serious damage.”

See Tallinn Manual, supra note 48, r. 5, cmt. 3, at 26 (discussing Corfu Channel); Schmitt, supra note 165, at 72 (discussing Trail Smelter and Corfu Channel).

Tallinn Manual, supra note 48, r. 5, cmt. 3, at 26 (quoting Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 22 (Apr. 9)).

Id.

Id. cmt. 8, at 27-28.

For example, in human rights law, “first generation” human rights obligations are understood as obligations on states to refrain from certain behaviors. “Second generation” obligations include economic and social rights, which are often provided by the state. See Christian Tomuschat, Human Rights: Between Idealism and Realism 137-39 (3d ed. 2014).

Invoking liability for transboundary harm also helps resolve confusions that arise in the 2015 report of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Despite commenting at length on the importance of the principle of sovereignty in cyberspace, this report does not provide a clear rule against states launching cyber attacks, though it recommends that “[s]tates should not knowingly allow their territory to be used for internationally wrongful acts.” Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (2015) (emphasis added). This formulation, like the due diligence formulations above, leaves unclear not only what such “internationally wrongful acts” might be, but also what duties states owe with respect to low-intensity cyber attacks in the first place.

“Within a state’s boundaries” is taken broadly to apply to all non-state activities giving rise to cross-border harm, regardless of whether actors causing harm were physically present or acted via infrastructure located in a given state.

See McKay et al., supra note 38. See generally David Raymond et al., A Control Measure Framework To Limit Collateral Damage and Propagation of Cyber Weapons, NATO Cooperative Cyber Def. Ctr. Excellence (2013), http://ccdcoe.org‌/cycon/2013/proceedings‌/d1r2s6‌_raymond.pdf [http://perma.cc/V8EE-4GRJ] (suggesting measures needed to prevent cyber weapons from causing indiscriminate harm). State-sponsored attacks may be more sophisticated than average non-state hacks, making them prone to significant destructionSee, e.g., Kim Zetter, Suite of Sophisticated Nation-State Attack Tools Found with Connection to Stuxnet, Wired (Feb. 16, 2015, 2:00 PM), http://‌http://www.wired.com/2015/02/kapersky -discovers-equation-group [http://perma.cc/CM86-PHHW].

Lea Brilmayer explains, “Under international law, as in domestic law, foreseeability and proximate cause have been closely linked for both conceptual and practical reasons. Foreseeability is important as a convenient shorthand for the natural or probable consequences of any act.” Lea Brilmayer, Ownership or Use? Civilian Property Interests in International Humanitarian Law, 49 Harv. Int’l L.J. 413, 442 (2008) Therefore, “[w]here harm is intentional, it is necessarily reasonably foreseeable, and foreseeability is generally sufficient to satisfy the requirement of proximate cause.” Id. (emphasis added). The UN Compensation Commission has utilized this approach of substituting foreseeability for proximate cause. See Arthur W. Rovine & Grant Hanessian, Toward a Foreseeability Approach to Causation Questions at the United Nations Compensation Commission, in The United Nations Compensation Commission 235 (Richard B. Lillich ed., 1995).

This idea of absolute liability for intentional torts in international law finds support in the practice of the UN Compensation Commission. Though the Commission was only entitled under UN Security Council Resolution 687 to hold Iraq liable for “direct loss, damage . . . or injury,” a Commission panel concluded that harms resulting from environmental pollution related to the burning of Kuwaiti oil wells were compensable. The panel found these harms sufficiently foreseeable and therefore proximate to merit compensation, in part because the burning of these fields was intentional. See Brilmayer, supra note 182, at 442. In addition, the Draft Articles on State Responsibility suggest that the intentional or deliberate nature of wrongful state actions can overcome the requirements of proximate cause when calculating reparations. See Draft Articles on State Responsibility, supra note 18, art. 31, cmt. 10, at 227-28 (emphasis added) (“[C]ausality in fact is a necessary but not a sufficient condition for reparation. There is a further element, associated with the exclusion of injury that is too ‘remote’ or ‘consequential’ to be the subject of reparation. In some cases, the criterion of ‘directness’ may be used, in others ‘foreseeability’ or ‘proximity.’ But other factors may also be relevant: for example, whether State organs deliberately caused the harm in question, or whether the harm caused was within the ambit of the rule which was breached, having regard to the purpose of that rule. In other words, the requirement of a causal link is not necessarily the same in relation to every breach of an international obligation.”). In domestic law, the Third Restatement of Torts also provides for a broader scope of liability, through more expansive “proximate cause” limits, when an actor commits an intentional tort. Restatement (Third) of Torts: Intentional Torts to Persons § 110, cmt. a (Am. Law Inst., Tentative Draft No. 1, 2015).

One of the three driving points of the ILC’s work on liability was the understanding that “an innocent victim should not be left to bear his loss or injury.” Robert Q. Quentin-Baxter (Special Rapporteur), Third Rep. on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, ¶ 53, U.N. Doc. A/CN.4/360 (June 23, 1982).

Schmitt, supra note 165, at 80. Rule 5 of the Tallinn Manual says that a state should not knowingly allow its infrastructure to be used to harm other states; the commentary to Rule 5 indicates that a state can violate Rule 5 absent a full finding of attribution. See Tallinn Manual, supra note 48, r. 5, cmt. 3, at 26.

See ILC Survey, supra note 84, ¶ 23 (noting the difficulty of assessing state conduct as “negligent”).

In fact, the Draft Articles on State Responsibility explain that neither fault nor intention is necessary to find state responsibility. See Draft Articles on State Responsibility, supra note 18, art. 2, cmt. 10, at 73 (“[One] . . . question is whether fault constitutes a necessary element of the internationally wrongful act of a State. This is certainly not the case if by ‘fault’ one understands the existence, for example, of an intention to harm. In the absence of any specific requirement of a mental element in terms of the primary obligation, it is only the act of a State that matters, independently of any intention.”). As it seems that the Draft Articles on State Responsibility do not require intent to find that state responsibility inheres, it is hard to explain (even at a theoretical level) why a finding of intent to harm would preclude application of international liability.

For example, in both the Nicaragua and Armed Activities on the Territory of the Congo cases, the “motive of the supporting State” in providing support to third parties was found to be “of little consequence,” to a determination that the state had engaged in unlawful action. Watts, supra note 17, at 268-69; see also Gray, supra note 43, at 79; Higgins, supra note 130, at 146-68.

Yoo, supra note 27, at 179-80. By contrast, according to Yoo, only a minority of the UN International Group of Governmental Experts refused to characterize instances like cyber espionage giving rise to unexpected and unintentional damages as an armed attack, even if damage otherwise amounted to the level of a traditional armed attack. See id. However, it should be noted that the Tallinn Manual suggests that the International Group of Governmental Experts could not come to clear agreement on whether a state could be held in breach of its due diligence obligations if it simply “should have known” about an impending attack. See Tallinn Manual, supra note 48, r. 5, cmt. 11, at 28.

See supra Section II.B.

See discussion infra Section IV.A.2.

See Draft Articles on Transboundary Harm, supra note 109, arts. 7-9, at 402-12.

See Xue, supra note 24, at 113-82.

See id. at 4, 7-8 (noting that transboundary liability requires a factual inquiry particular to the circumstances of each incident of whether the damages incurred were “greater than the mere nuisance or insignificant harm which is normally tolerated” by the international community (quoting Julio Barboza (Special Rapporteur), Sixth Rep. on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, U.N. Doc. A/CN.4/428, annex (Mar. 15, 1990))). In addition, in the Iran-U.S. Claims Tribunal, compensation was provided even for lost profits and other “intangible” injuries to property owners. See Int’l Fin. Corp. v. Iran, 15 Iran-U.S. Cl. Trib. Rep. 189, ¶ 238 (1987); Sergey Ripinsky, Damnum Emergens and Lucrum Cessans in Investment Arbitration: Entering Through the Back Door, in Investment Treaty Law 54 (Andrea K. Bjorklund et al. eds., 2009).

For example, noises, smells, and other intangible effects can constitute nuisances, given that one definition of nuisance is “interference” with another’s enjoyment of his or her land. See ILC Survey, supra note 84, at 23.

See ILC Survey, supra note 84, at 79; see also Nuclear Tests (Austl. v. Fr.), Order, 1973 I.C.J. 99 (June 22).

León Castellanos-Jankiewicz, Causation and International State Responsibility 19 (Amsterdam Ctr. of Int’l Law Research Paper No. 2012-07), http://www.sharesproject.nl/wp -content‌/uploads‌/2012/01/Castellanos-Causation-and-International-State-Responsibility‌1‌.pdf [http://‌perma.cc‌/VEE4-MRJ8]; see also Higgins, supra note 130, at 163 (noting that responsible states may owe reparation for a breach of international law, even if no damage has resulted). The Janes claim provides some interesting insights into how liability should be conceived of at the damages stage. The Tribunal noted that damages should be calculated based on the harms suffered by the individuals involved in the dispute, not based on the amount of damage Mexico had theoretically caused to the United States through its violation of international law. This may provide a more concrete way to calculate damages than would be obvious under state responsibility, which would consider more theoretical costs, for example the cost of intrusion on a state’s sovereignty. See Laura M.B. Janes (U.S. v. Mex.), 4 R.I.A.A. 82 (Gen. Claims Comm. 1925).a nh theoretical effects on the insights into how liability should be conceived of at the damage stage. In that case, the tribuni

Shaw, supra note 117, at 861.

Id.

It should also be noted that in considering absolute liability specifically, the ILC did consider suggestions that damages for liability be limited. See ILC Survey, supra note 84, ¶ 223.

Shaw, supra note 117, at 862.

See Gross, supra note 165, at 498; David Fidler, Cyber Norm Development and the Protection of Critical Infrastructure, Council on Foreign Rel. (Jul. 23, 2015), http://‌blogs.cfr.org‌/cyber‌/2015‌/07/23/cyber-norm-development-and-the-protection-of-critical-infrastructure [http://‌perma.cc/7ZQG-7P7E].

International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, White House (May 2011), http://www.whitehouse.gov/sites/default/files/rss_viewer‌/international_strategy_for_cyberspace.pdf [http://perma.cc/R52L-Z556].

Sanger & Schmidt, supra note 51.

For example, China condemned the Sony attack, even though it disagreed that the attack could be definitively attributed to North Korea. See Megha Rajagopalan & Steve Holland, China Condemns Cyberattacks, But Says No Proof North Korea Hacked Sony, Reuters (Dec. 22, 2014, 8:22 AM), http://www.reuters.com/article/us-sony-cybersecurity-idUSKBN0K‌006‌U20141222 [http://perma.cc/8GQ9-UQCR].

Draft Articles on Diplomatic Protection with Commentaries, art. 1 cmt. 3, Rep. of the Int’l Law Comm’n on the Work of its Fifty-Eighth Session, U.N. Doc. A/61/10, at 27 (2006) (quoting 3 Emmerich de Vattel, The Law of Nations or the Principles of Natural Law Applied to the Conduct and to the Affairs of Nations and Sovereigns 136 (C.G. Fenwick trans., Carnegie Inst. 1916) (1758))).

Mavrommatis Palestine Concession (Greece v. U.K.), Decision on Jurisdiction, 1924 P.C.I.J. (ser. A) No. 2, at 5, 12 (Aug. 30); see also Ahmadou Sadio Diallo (Guinea v. Dem. Rep. Congo), Preliminary Objections, Judgment, 2007 I.C.J. 582 (May 24); Paneveezys-Saldutiskis Railway (Est. v. Lith.), Judgment, 1939 P.C.I.J. (ser. A) No. 76, at 5, 6, 16 (Feb. 28) (“In the opinion of Court, the rule of international law . . . [at issue] is that in taking up the case of one of its nationals, by resorting to diplomatic action or international judicial proceedings on his behalf, a State is in reality asserting its own right, the right to ensure in the person of its nationals respect for the rules of international law.”).

In these cases, states’ claims have typically taken the form of an exchange of diplomatic notes. See Bishop et al., supra note 137, at 2.

See id.

In the United States, the State Department has long been in the business of representing “citizen-to-state claims,” that is “claims by U.S. citizens against foreign states and vice versa.” Harold Hongju Koh, The State Department Legal Adviser’s Office: Eight Decades in Peace and War, 100 Geo. L.J. 1747, 1750 (2012). While in the early days, secretaries of state were known to use their diplomatic clout to espouse such claims before foreign governments, by the middle of the nineteenth century the practice had indeed become so common that it overwhelmed existing resources and prompted the creation of a new role of Claims Clerk. See Richard B. Bilder, The Office of the Legal Adviser: The State Department Lawyer and Foreign Affairs, 56 Am. J. Int’l L. 633, 634 (1962). The Office of the Legal Adviser of the State Department ultimately incorporated this role and to this day retains responsibility for managing various foreign claims. See id. at 634-38. In a related context, the Department of Justice adjudicates claims of U.S. nationals against foreign governments under specific jurisdiction conferred by Congress. Funds for the payment of awards are derived from congressional appropriations, international claims settlements, or the liquidation of foreign assets in the United States by the Department of the Treasury. See About the Commission, U.S. Dep’t Just., http://www.justice.gov/fcsc/about-commission [http://perma.cc/5VYX-389W].

See Montjoie, supra note 105, at 512; see also ILC Survey, supra note 84, ¶¶ 405-411, 523; Jean-Marc Sorel, The Concept of “Soft Responsibility?,” in The Law of International Responsibility, supra note 100, at 165 (discussing the relationship between liability and responsibility in the context of international law).

See, e.g., Michael Waibel, The Diplomatic Channel, in The Law of International Responsibility, supra note 100, at 1089-90.

See id. at 1091-92.

See ILC Survey, supra note 84.

Certain Activities Carried Out by Nicaragua in Border Area (Costa Rica v. Nicar.), Judgment, 2015 I.C.J. 1, ¶¶ 177-217 (Dec. 16); Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 18, ¶ 101 (Apr. 20).

See Ahmadou Sadio Diallo (Guinea v. Dem. Rep. Congo), Judgment, 2012 I.C.J. 324 (June 19); see also Barcelona Traction, Light & Power Co., Ltd. (Belg. v. Spain), Judgment, 1970 I.C.J. 3 (Feb. 5).

See Rainbow Warrior Affair (N.Z. v. Fr.), 11 R.I.A.A. 217 (1990); Geoffrey Palmer, Deputy Prime Minister of N.Z., Settlement of International Disputes: The “Rainbow Warrior” Affair, Address to the University of Virginia School of Law (Nov. 3, 1988), in 15 Commonwealth L. Bull. 585 (1989).

See Hazel Fox, G.C. & Philippa Webb, The Law of State Immunity 475-83 (3d ed. 2015). But see Jurisdictional Immunities of the State (Ger. v. It.), Judgment, 2012 I.C.J. 99 (Feb. 3).

See Convention on Jurisdictional Immunities of States and Their Property, art. 12, U.N. Doc. A/59/38 (Dec. 2, 2004) (not yet in force) (“[A] State cannot invoke immunity from jurisdiction before a court of another State which is otherwise competent in a proceeding which relates to pecuniary compensation for death or injury to the person, or damage to or loss of tangible property, caused by an act or omission which is alleged to be attributable to the State, if the act or omission occurred in whole or in part in the territory of that other State and if the author of the act or omission was present in that territory at the time of the act or omission.”).

See Corte Cost., 22 ottobre 2014, n. 238, Foro it. 2015, I, 1152 (It.); Voitia v. Federal Republic of Germany [A.P.] [Supreme Court] 11/2000, p. 514 (Greece).

28 U.S.C. § 1605(a)(5) (2012). The Canadian Constitutional Court has recognized a similar exception to sovereign immunity for territorial torts. Schreiber v. Canada (Attorney General), 2002 SCC 62 §§ 30-37. The European Convention on State Immunity has as well. European Convention on State Immunity art. 11, May 16, 1972, 74 E.T.S.

See De Letelier v. Republic of Chile, 748 F.2d 790, 792 (2d Cir. 1984); see Scott A. Gilmore, Suing the Surveillance States: The (Cyber) Tort Exception to the Foreign Sovereign Immunities Act, 46 Colum. Hum. Rts. L. Rev. 227 (2015).

See Justice Against Sponsors of Terrorism Act, Pub. L. No. 114-222, 130 Stat. 852 (2015). (“A foreign state shall not be immune from the jurisdiction of the courts of the United States in any case in which money damages are sought against a foreign state for physical injury to person or property or death occurring in the United States and caused by . . . (1) an act of international terrorism in the United States; and (2) a tortious act or acts of the foreign state . . . regardless where the tortious act or acts of the foreign state occurred.”); see also In re Terrorist Attacks on September 11, 2001, 538 F.3d 71 (2d Cir. 2008) (explaining the “entire tort” requirement).

See Liability for Injurious Consequences, supra note 106, ¶ 41.

See, e.g., The Department of Defense Cyber Strategy, U.S. Dep’t Def. 14 (Apr. 2015), http://‌www‌.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD‌_CYBER‌_STRAT‌EGY_for_web.pdf [http://perma.cc/U7GG-VHLF].

See ILC Survey, supra note 84, ch. 1. For a discussion of the need for international law to recognize civil liability for torts otherwise governed by international criminal law, see Rebecca Crootof, War Torts: Accountability for Autonomous Weapons, 164 U. Pa. L. Rev. 1347 (2016).

Akehurst, supra note 114, at 15 (quoting Robert Q. Quentin-Baxter (Special Rapporteur), Preliminary Rep. on International Liability for Injurious Consequences Arising Out of Acts Not Prohibited by International Law, ¶ 56, U.N. Doc. A/CN.4/334 (July 4, 1980)). It should be noted that the United States permits foreigners to bring tort suits against it under select statutes. See, e.g., 10 U.S.C. § 2734(a) (2012); 28 U.S.C. § 1350 (2012). For example, by 2006, the United States had paid more than $26 million in compensation for tortious acts committed by U.S. soldiers in Iraq and Afghanistan under the U.S. Foreign Claims Act. See Jordan Walerstein, Coping with Combat Claims: An Analysis of the Foreign Claim’s Combat Exclusion, 11 Cardozo J. Conflict Resol. 319, 339-40 (2009).

See Liability for Injurious Consequences, supra note 106, ¶ 42.

The United States has long maintained that a violation of Article 2(4) triggers Article 51. See Koh, supra note 49, at 3-4.

See Hathaway, supra note 35, at 49 (noting that the gap between Article 2(4) and Article 51 “prevents an endless process of retaliations for small offenses”).

See Michael N. Schmitt & M. Christopher Pitts, Cyber Countermeasures and Effects on Third Parties: The International Legal Regime, 14 Baltic Y.B. Int’l L. 1, 2 (2015).

See, e.g., Kenneth Geers, The Challenge of Cyber Attack Deterrence, 26 Computer L. & Security Rev. 298, 301-02 (2010).

Another problem with state responsibility, unlike liability, is that (at least in theory and according to the ILC) it is supposed to be concerned with all subjective violations of international law, even those that do not involve material damage. See Draft Articles on State Responsibility, supra note 18, art. 31, cmt. 7, at 92.

See, e.g., Foster v. Preston Mill Co., 268 P.2d 645, 647-48 (Wash. 1954) (noting that tort law often limits the “defendant’s duty to insure safety . . . to certain consequences” and compares damages with those experienced by neighbors (citations omitted)).

See ILC Survey, supra note 84, ¶ 27; see also Foster, 268 P.2d at 647 (describing the extent of liability incurred through ultrahazardous activities); Draft Articles on State Responsibility, supra note 18, arts. 30-31, at 216-31 (outlining the obligations of States responsible for “internationally wrongful act[s]”). In addition, and in some aspects paradoxically, traditional responsibility may actually require more substantial compensation than even “strict liability” does, since once responsibility is found, total reparation is required and is not likely to make any balancing approach. See Barboza, supra note 114, at 92.

Some experts have recently proposed a “cyber insurance” program, a cousin to the idea of state liability for cyber attacks. See Nathan Bruschi, Maybe Wall Street Has the Solution to Stopping Cyber Attacks, Wired (June 2, 2016, 4:02 PM), http://www.wired.com‌/2016‌/06‌/cyber-bonds [http://perma.cc/3G3B-TY8G].

See Press Release, U.S. Attorney’s Office for the S. Dist. of N.Y., Manhattan U.S. Attorney Announces Charges Against Seven Iranians for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector on Behalf of Islamic Revolutionary Guard Corps-Sponsored Entities (Mar. 24, 2016), http://www.justice.gov/usao-sdny‌/pr‌/man‌hatt‌an‌-us-attorney-announces-charges-against-seven-iranians-conducting-coordinated [http://‌‌perma.cc/HD82-4V4V].

See, e.g., Robert M. Lee, Feds Set a Risky Precedent by Indicting 7 Iranian Hackers, Wired (Mar. 26, 2016, 7:00 AM), http://www.wired.com/2016/03/feds-set-risky-precedent-indicting-7 -iranian-hackers [http://perma.cc/8A4N-5DER].

See, e.g., Schmitt, supra note 34, at 703; Schmitt & Pitts, supra note 231.

Tallinn Manual, supra note 48, r. 9, at 56.

See Gabčíkovo-Nagymaros Project (Hung. v. Slovk.), Judgment, 1997 I.C.J. 3, ¶¶ 83-84 (Sept. 25).

See Draft Articles on State Responsibility, supra note 18, art. 49, at 328.

Id.

See id. art. 51, at 341; Air Servs. Agreement (Fr. v. U.S.), 18 R.I.A.A. 417, ¶ 83 (Dec. 9, 1978).

See id. art. 52, at 345; Gabčíkovo-Nagymaros, Judgment, 1997 I.C.J. ¶ 84. The law of countermeasures is reflected in customary international law. See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, 127, ¶ 248 (June 27); United States Diplomatic and Consular Staff in Tehran, Judgment, 1980 I.C.J. 3, ¶ 53 (May 24); Archer Daniels Midland Co. v. United Mexican States, ICSID Case No. ARB(AF)/04/5, Award, ¶ 124-25 (Nov. 21, 2007).

See Hathaway, supra note 35, at 40-41, 46-47, 49. (“It is important that lawyers and policymakers be careful not to create bigger problems in other areas of international law when trying to solve the threshold problem in cyber by engaging in over-interpretation of broadly applicable legal principles.”). It should also be noted that if the threshold for use of force is lowered to cover low-intensity cyber attacks, this effectively means that a state cannot respond in kind to such an attack through a countermeasure.

See Draft Articles on State Responsibility, supra note 18, art. 52, cmt. 1, at 345.

Analogous concerns in domestic law, particularly the need to maintain public order and prevent retaliatory self-help, drove the development of tort law and liability for breaches of particular duties. See ILC Survey, supra note 84, ¶ 18.

Shaw, supra note 117, at 861.

U.N. Charter art. 33; see also U.N. Charter art. 2(3) (“All Members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered.”).

See e.g., Gross, supra note 165, at 501 n.123; Jay P. Kesan & Ruperto Majuca, Optimal Hackback, 84 Chi.-Kent L. Rev. 831, 837 (2009); Schmitt & Pitts, supra note 231 at 6-8.

See, e.g., Schmitt & Pitts, supra note 231, at 6-8 (distinguishing countermeasures that affect third party interests from those that affect third party rights, such as treaty rights).

See Raymond et al., supra note 181, at 8 (pointing out that Stuxnet was likely designed to target Iranian centrifuges at the Natanz uranium enrichment plant, but eventually infected systems in several countries); Michael Joseph Gross, A Declaration of Cyber-War, Vanity Fair (Mar. 2011), http://www.vanityfair.com/news/2011/03/stuxnet-201104 [http:// perma.cc/6TLG-X79Y] (describing the spread of Stuxnet, a self-replicating computer virus, through thousands of computers around the world).

See Stuxnet: Computer Worm Opens New Era of Warfare, CBS News (Jun. 4, 2012), http://www.cbsnews.com/news/stuxnet-computer-worm-opens-new-era-of-warfare‌-04‌-06-2012 [http://perma.cc/Z2KA-BDME]. For example, in the weeks following the alleged U.S. and Israeli Stuxnet attack on Iranian nuclear facilities, researchers identified the Stuxnet worm on hundreds of thousands of computers outside of Iran, in countries as disperse as Azerbaijan, the United Kingdom, India, Indonesia, Pakistan, and the United States. Jarrad Shearer, W32.Stuxnet, Symantec (July 13, 2010), http://www.symantec.com‌/security‌_response/writeup.jsp?docid=2010-071400-3123-99 [http://perma.cc/9L35-ARNG]. This resulted in fear that the malware would “bring industrial society to a halt,” given that the worm targeted programmable-logic controllers common to many industries (e.g., oil extraction, dams, energy production, water distribution, and aviation). Gross, supra note 253.

See Castellanos-Jankiewicz, supra note 197, at 52 (noting that responsibility tends to adhere to proximate causation over direct causation); ILC Survey, supra note 84, ¶ 25.

See Brilmayer, supra note 182, at 442. Taken from another perspective, recognizing the duty to prevent transboundary harm to third parties simply applies notions of precaution owed under other bodies of law, such as the Laws of Armed Conflict (e.g., the principles of distinction and proportionality), to the low-intensity cyber realm. State practice also seems to support recognition of liability to third states, given that many state cyber weapons are carefully designed to attack precisely one target and to avoid replication outside of target environments.

See John G. Sprankling, The Global Right to Property, 52 Colum. J. Transnat’l L. 464, 491-97 (2014); Peter Tzeng, Comment, The State’s Right to Property Under International Law, 125 Yale L.J. 1805 (2016).