The activities of cyber proxies engage various rules of international law, as well as being covered by some soft law and policy initiatives. While the threshold for attributing the behaviour of a proxy to a state is not easily met, some rules bind proxies directly as individuals.
This chapter considers the extent to which existing international and policy frameworks in relation to malicious cyber activity can help hold cyber proxies to account. While the chapter focuses on Russia’s use of proxies in its war on Ukraine, our analysis has broader relevance to any state that seeks to work (to whatever degree of proximity) with non-state actors – including ideologically aligned hacktivists or commercial entities – to carry out cyber operations in order to further state goals.
Multilateral diplomacy
UN discussions, particularly those within the Framework for Responsible State Behaviour in Cyberspace, have repeatedly affirmed that malicious cyber operations – including those conducted through proxies – undermine international peace and security. Such discussions also emphasize that states should not exploit non-state actors for malicious cyber operations. The application of aspects of the Framework for Responsible State Behaviour established in discussions in the UN’s First Committee over the past 20 years, particularly on norms and international law, is examined later in this chapter.
As Table 1 above illustrates, one form of cyber proxy activity in the Russia–Ukraine context is the practice of mercenary or contractor groups providing bespoke offensive capabilities for profit, in alignment with Russian strategic objectives. There is some international governance of private military and security companies (PMSCs). For example, the Montreux Document, a 2008 joint initiative by the Swiss government and the International Committee of the Red Cross (ICRC), affirms states’ obligations under international law, particularly IHL and international human rights law, in relation to PMSCs.
Regulation in this area needs updating to recognize the increasing role of PMSCs in cyber activity, both offensive and defensive. There are some efforts under way to do so. For example, a UN Working Group on the Use of Mercenaries, which operates under the auspices of the UN Human Rights Council, has been working on a draft convention on the regulation, monitoring and oversight of PMSCs’ activities. The definition of PMSCs in the latest draft includes contractors providing services ‘whether on land, in the air or at sea, or whether in cyberspace or outer space’. While the draft seeks to strengthen states’ governance of PMSCs, including by requiring the integration of standards on international human rights law, due diligence and training, the prospect of a binding instrument in this area is still some way off (and even if it were to materialize, it is questionable whether Russia would become party to it).
Voluntary industry initiatives seek to complement these multilateral efforts. For example, the Cybersecurity Tech Accord, signed by over 160 private companies operating in the cyber sector, aims to promote responsible behaviour in cyberspace, including curbing the proliferation of cyber mercenaries. This includes support for the Paris Call Blueprint on Taming the Cyber Mercenary Market, published in 2023, which contains proposals to address the escalating challenge of cyber mercenaries. The Pall Mall Process seeks to tackle the proliferation and irresponsible use of commercial cyber capabilities. While adoption and enforcement remain uneven, these frameworks provide reputational pressure and legal hooks where state action alone is insufficient.
International law
As part of the Framework for Responsible State Behaviour in Cyberspace mentioned above, states have agreed that international law applies in the cyber context. The areas of international law relevant to the activities of cyber proxies include the law of armed conflict; international criminal law; rules on attribution under the law on state responsibility; and the principle of due diligence.
As will be seen, there are important limitations to international law’s ability to constrain and punish cyber proxies. In practice, it is often difficult to attribute the activities of cyber proxies to a state due to the high thresholds of control set out in the rules on state responsibility. At the same time, few rules of international law are directed at non-state actors. And as well as being state-centric, international law provides only limited means of enforcement. For this reason, the activities of proxies have been described as falling within, if not a legal black hole, a ‘normative safe zone’. This is, of course, one of the attractions for Russia of using cyber proxies.
Understanding the law of armed conflict as it applies to proxies
Russia and Ukraine are in an international armed conflict, which is governed by international humanitarian law (IHL). States have agreed that the rules of IHL apply to cyberspace, although debates are ongoing as to how those rules apply. As discussed below, some IHL rules regulate how states should treat proxy actors, including requiring states to take responsibility for the actions of proxies in some circumstances. Some rules bind non-state actors as well as states. And cyber proxies participating in hostilities that disregard IHL risk being complicit in war crimes under international criminal law.
The growing involvement of non-state actors such as citizen hackers in warfare raises a number of legal questions that are beyond the scope of this paper.
The following sections provide a summary of how IHL applies to cyber proxies:
Regulating how states treat proxies
IHL does not prohibit participation in an armed conflict, but it does set out consequences that result from participation. In some situations, individuals acting in support of a state can be targeted by the armed forces of the other side, whether by cyber or other means. Cyber proxies such as hacker groups cannot be a party to an international armed conflict themselves, as they are not a state. However, in two situations, a proxy actor could qualify as a combatant under IHL, and thus would become targetable by the adversary. As a combatant, the proxy would also enjoy certain protections.
The first situation in which a proxy actor could qualify as a combatant is if it is incorporated into a state’s armed forces or meets the required organizational criteria. Military cyber units such as US Cyber Command or China’s PLA Cyberspace Force would fall within their country’s armed forces, and certain Russian APT groups have been attributed to military units of Russia’s GRU intelligence agency.
Cyber proxies that are not formally incorporated into the armed forces of a state could still be combatants if they are part of an organized group or unit under a responsible command. To qualify as an organized group, a proxy would need to have an internal hierarchical structure that ensures discipline within the group and that effectively subordinates the group, and renders it responsible, to a state party to the conflict. This is a high threshold that would not be met by groups organizing independently of a state or only through online open communication. Of the categories of proxy actor outlined in Table 1 above, most would not qualify as organized armed groups.
The second situation is if the proxy actors are not part of a state’s armed forces or an organized group, so are considered civilians, but are ‘directly participating in hostilities’. Civilians enjoy protection against direct attack unless and for such time as they directly participate in hostilities. For a proxy to qualify as directly participating in hostilities, its operations would have to meet three cumulative criteria: a threshold of harm; direct causation; and a belligerent nexus.
In practice, these three criteria set a high threshold for a civilian to lose protection from attack – acts of cybercrime that directly cause harm (e.g. a ransomware operation) without a link to the conflict would not qualify. But where cyber proxies engage in offensive operations against enemy targets as an integral part of a cyber operation against military forces, they may be deemed to be directly participating in hostilities. This could be the case, for example, if a civilian hacker deployed malware to disable a power grid and generate a blackout for the purpose of facilitating an attack by a state’s armed forces, or used a smartphone app to provide tactical intelligence to attacking forces. In doing so, the hacker would lose protection as a civilian and become exposed to targeting for as long as they were providing assistance to the armed forces.
The legal framework that governs when civilians may lose their protected status and become legitimate military targets is complex; there is significant debate over what constitutes ‘directly participating in hostilities’ and for how long civilians who are doing so would be targetable. Many states and commentators endorse the ICRC’s ‘revolving door’ approach, under which civilians who engage in spontaneous, sporadic or unorganized direct participation in hostilities only lose their protection for the duration of the hostile act and regain their protected status once the act ends. But some, particularly the US, adopt a broader approach, under which protection is only regained when there is ‘affirmative disengagement’ by the civilian from the hostile activity. These issues are compounded in the cyber context, in which proxies can be constantly on and off their phones or computers, or cyber actors can deploy malware then walk away, with the malware continuing to operate without direct command – in both cases challenging traditional temporal frameworks for determining when participation begins and ends. Under IHL, in any circumstances where there is doubt about whether a person is a civilian or not, that person shall be considered a civilian. If civilian cyber proxies are captured by an adversary, they may face prosecution under the domestic law of the adversary state.
State responsibility for proxies under IHL
States that are parties to an armed conflict are responsible for the conduct of any group operating under their instructions, direction or control. There is debate about the meaning of ‘direction or control’; generally, ‘overall control’ is considered sufficient in the IHL context. Mere financing or equipping of hacker groups, or their activities, would not be sufficient. But a state would be responsible in situations in which it has a role in organizing the group’s cyber operations or gives specific instructions to a hacker group regarding the commission of a particular cyber operation in violation of IHL, as may be the case for the first category listed in Table 1, which involves Russian APT groups commissioning cyber activity. A case-by-case assessment will be required based on the facts.
States’ responsibilities to make IHL known to proxies
Even when the tests of instruction, direction or control are not met, such that the state concerned is not internationally responsible for a proxy’s conduct, all states have a due diligence obligation to ensure respect for IHL under Common Article 1 to the Geneva Conventions. This includes the obligation not to aid or assist in violations of IHL by others, nor to encourage private persons or groups to act in violation of IHL – for example, by inciting civilian hackers to direct cyber operations against civilian objects such as hospitals. States also have an obligation to ensure that civilian populations under their authority respect IHL. In the context of the conflict between Russia and Ukraine, both parties are under an obligation to make IHL rules known to civilian hackers and hacker groups, should demand that such actors respect IHL, and should take the measures necessary to suppress IHL violations. Both parties are also obliged to search for, prosecute or extradite alleged perpetrators of grave breaches of IHL and to enact any necessary legislation in this respect. They are further required to suppress all other breaches of the Geneva Conventions.
In practice, both Russia and Ukraine have encouraged civilians to participate in the hostilities using information and communication technologies (ICTs), for example as ‘patriotic hackers’. As Table 2 makes clear, hacker groups such as Killnet have targeted civilian objects such as banks, medical facilities and civilian airports. In doing so, the civilians participating in hostilities do not adhere to one of the fundamental tenets of IHL: protecting civilian objects from armed conflict.
Some commentators have endorsed the notion that civilians should support the war effort and be ‘responsibly irresponsible’. But IHL embodies a careful balance between military necessity and humanity. Civilian involvement in armed conflict risks generating confusion about who or what is a ‘civilian’, and increases the risk of erroneous or unlawful attacks.
Obligations on both states and proxies
To raise awareness of the rules of IHL among civilian hackers, in 2023 advisers at the ICRC produced ‘eight rules for civilian hackers during war and four obligations for states to restrain them’. The purpose was to highlight rules that anyone who conducts a cyber operation in the context of armed conflict – whether a state or a non-state actor such as a civilian hacker or company – must respect. The document’s provisions include a prohibition on the use of malware or other tools or techniques that spread automatically and damage military and civilian objects indiscriminately, and a rule not to conduct any cyber operation against medical and humanitarian facilities.
There are some signs that certain cyber proxies are paying attention to the ICRC’s rules in the Russia–Ukraine context. In 2023, Killnet told the BBC that it agreed to the ICRC’s rules, as did the IT Army of Ukraine, a hacktivist group acting in support of Ukraine. Killnet’s leader translated the principles into Russian and circulated them on Telegram. The conversation is certainly a step in the right direction, but other hacktivist groups have not agreed to follow the rules. Given the unprecedented and growing numbers of non-state actors involved in armed conflict, and the ease with which they can participate through digital means, there is a need for more outreach to – and education of – states, individuals, hacker groups and companies on the relevant risks and obligations.
International criminal law
Cyber proxy activity could amount not only to a violation of IHL but also to a war crime. In December 2025, the Office of the Prosecutor of the International Criminal Court (ICC) published a policy on ‘Cyber-Enabled Crimes under the Rome Statute’. The policy indicates the Prosecutor’s intention to treat international crimes perpetrated or facilitated by cyber means in the same way as more traditional crimes, where cyber activity forms part of the conduct or substantially contributes to the commission of the crime. Under the Rome Statute, international crimes include genocide, crimes against humanity, war crimes and the crime of aggression. Since international criminal law applies to individuals, not states, international criminal responsibility does not depend on attribution of a proxy’s activity to a state. Cases may be brought before the ICC through a referral by a state party, by the UN Security Council, or on the Prosecutor’s own initiative.
States can also bring domestic prosecutions under international criminal law. Indeed, in the first instance, it is for states to investigate and prosecute international crimes. But in order to do so, they need to have domestic law in place that criminalizes the conduct concerned and gives them jurisdiction over the crimes.
Responsibility under international criminal law can arise not just through perpetration of an international crime but also through other modes of liability, including assistance in the commission of a crime. Where the actions of a cyber proxy make a substantial contribution to the crime, and are conducted for the purpose of facilitating the commission of a crime (for example, if a non-state actor provided online surveillance for the purpose of guiding lethal strikes by Russia that intentionally targeted civilians in Ukraine), the individual may be responsible under international criminal law. Not only civilian hackers but also commercial actors, such as the CEOs of Russian hosting providers that offer essential infrastructure and services for the Russian military to carry out attacks on Ukraine, may incur responsibility under international criminal law if the elements of the crime are satisfied.
The Ukrainian State Security Service (SBU) has stated that it is gathering evidence of cyberattacks on Kyivstar, Ukraine’s biggest telecom operator; that it has attributed these attacks to Sandworm (a hacker group integrated with Russia’s GRU); and that it is submitting the evidence to the ICC for prosecution as war crimes. In June 2024, it was reported that the ICC’s investigation in Ukraine covers activity that includes cyberattacks on critical infrastructure. The ICC is also supporting the Joint Investigation Team, made up of six European countries and Ukraine, that is looking into alleged international crimes committed in Ukraine.
Rules on state responsibility
Secondary rules of state responsibility set out the circumstances in which states are liable for cyber activity attributable to them that violates international obligations. These rules also inform the options that victim states can take in response. As noted in Chapter 2, victims of harmful cyber activities by Russia’s proxies include not only Ukraine but also Ukraine’s allies in the West.
Attribution of a malicious cyber operation involves different elements: technical, political and legal. Attribution is a crucial first step that informs many of the response options for states, in relation to proxies, that will be discussed later in this paper. These options include diplomatic measures, sanctions, countermeasures and prosecutions.
Technical attribution
Technical attribution identifies the source of cyber activity through forensic analysis of malware, network infrastructure and operational patterns. This work is conducted by a range of entities, including government agencies, private cybersecurity firms with specialized capabilities, and sometimes civil society organizations such as Bellingcat or the CyberPeace Institute. Attribution of cyber operations to specific actors is challenging due to the cross-border nature of such operations and the deliberate and sophisticated use of obfuscation, intermediaries and false flags. Technical evidence sufficient for operational disruption often cannot be disclosed publicly without compromising intelligence sources. Nevertheless, public–private partnerships and shared threat intelligence have significantly enhanced attribution capabilities, enabling more frequent political attributions (see below).
Political attribution
Political attribution involves a state publicly ‘naming and shaming’ another state or state-sponsored entity for carrying out malicious cyber activity, based on technical findings and intelligence assessments. This typically occurs through a public statement or press release. For example, in 2024 Germany’s foreign ministry publicly linked Russia-connected threat actors to multiple incidents, including an APT28 campaign against German air traffic control and a Storm-1516 information operation targeting electoral integrity. In 2025, several European governments issued statements accusing Russia of cyber interference in critical infrastructure and democratic processes.
The calling out of the state and individuals concerned in such instances has the value of revealing that the state making the attribution has evidence of the activity and identity of the perpetrators. Such statements also create diplomatic pressure on the accused state, and reinforce the normative force of the Framework for Responsible State Behaviour in Cyberspace. As discussed further in Chapter 4, public political attributions can be most effective when accompanied by other measures that impose costs on the accused state. These can include lawful but unfriendly measures (known as ‘retorsion’) such as diplomatic protests and the expulsion of diplomatic personnel, or the imposition of sanctions such as asset freezes on the individuals concerned.
Legal attribution
For a state to be held responsible under international law, the act concerned must both be attributable to a state under the rules on state responsibility and constitute a violation of international law. In 2018, the then UK attorney general, Jeremy Wright, made the following statement in a speech about the application of international law to cyberspace:
However, in practice it is difficult for a state to be held legally responsible for an activity of a proxy – both due to the high thresholds of attribution in international law and states’ reluctance to invoke international law in relation to cyber activity. The following section analyses the rules on attribution and illustrates why in practice the behaviour of proxy actors will often not be able to satisfy these rules.
Thresholds of attribution under the law on state responsibility
The main bases for legal attribution in international law are Articles 4, 5, 8 and 11 of the Articles on State Responsibility. The applicability of each of these articles to cyber proxies is considered below:
State organs
Under Article 4 of the Articles on State Responsibility, the conduct of a state organ is attributable to a state. The test to determine attribution is whether the entity concerned is incorporated into the state’s apparatus as a matter of law. Article 4 would cover cyber defence groups such as the Estonian Defence League’s Cyber Unit; hacker groups incorporated into a state’s apparatus, such as Unit 61398 of the Third Department of the Chinese People’s Liberation Army; Israel’s Unit 8200; or Bureau 121, a hacking unit with the North Korean Reconnaissance General Bureau. The unit must be completely dependent on the state and have no real autonomy in decision-making. Cyber groups or companies that are contracted by the state to carry out cyber operations may be included, but this depends on the terms of contract and may be hard to prove.
The activities of the GRU are attributable to Russia because, as a military intelligence agency of the General Staff of the Russian Armed Forces, the GRU is an organ of the state. APT units within the GRU are also likely to be considered as state organs under Article 4. The US indictment of Andrienko and Others (2020), in which six GRU operatives were accused of deploying destructive malware worldwide (including in the NotPetya operation), states that ‘Sandworm’ is part of the GRU and therefore the Russian state:
Persons or entities ‘empowered to exercise governmental authority’
Under Article 5 of the Articles on State Responsibility, conduct can be attributed to a state where the person or entity is not an organ of the state but has been empowered by national law to exercise elements of governmental authority. This might cover, for example, private companies performing public functions such as providing security. The conduct of cyber proxies contributing to Russia’s war effort against Ukraine could only satisfy this test if the proxy were empowered, under Russian domestic law, to provide assistance to Russia; this is a high bar and is likely to be difficult to prove. In particular, there are challenges in distinguishing private from official conduct, although this may be easier to prove where the conduct in question is systematic and recurrent, such that the state ought to have known about it. For example, it has been argued that the systematic and widespread activities of Russian agencies that sought to influence the 2016 US presidential election may be attributed to Russia under Article 5, even if some of the conduct was private in nature.
Acting under the direction, control or instructions of a state
Under Article 8 of the Articles on State Responsibility, the conduct of a person or group of persons acting on the instructions of, or under the direction and control of, a state is attributable to that state. Effectively, this is the state using a proxy as its auxiliary to carry out a task – for example, contracting a cybersecurity company to install malware on a computer. In Table 1, above, on the classification of cyber proxies, entities in the category listed as ‘APT-commissioned proxies’ may in some cases meet the test in Article 8, depending on the level of control exerted over them by the relevant APT.
From international case law, two tests have emerged for determining the degree of control that must be exercised by a state in order for the conduct of a non-state actor to be attributable to that state. The International Court of Justice (ICJ) has held that the test amounts to ‘effective control’ rather than a general situation of dependence and support. Merely suggesting operational targets, or providing financial support, will not in itself be enough to meet the threshold in Article 8. Similarly, a state simply tolerating the activity of a proxy, turning a blind eye to such activity, or gently encouraging the activity from a distance will not be responsible for the activity in question. However, as noted earlier, the International Criminal Tribunal for the former Yugoslavia (ICTY) found a test of ‘overall control’ when discussing state control over organized state groups in the context of an armed conflict.
Major Russia-based cybercrime groups that operate ‘ransomware as a service’ – such as LockBit (featured in the second row of Table 1 above) – would be unlikely to meet the high thresholds of Article 8, but attribution will depend on the facts in each case. In any event, attribution assessments need to be kept under constant review because, as noted earlier, relations between proxies and the state are dynamic. For example, while the Wagner Group is a private military company conducting operations (including information operations) with Russian state backing, it was not formally part of the Russian military. However, since the death of the company’s leader, Yevgeny Prigozhin, in 2023, the Russian Ministry of Defence now directly oversees many of the African operations previously run by Wagner, thus bringing them under greater state control.
Acknowledgment and adoption
Finally, Article 11 of the Articles on State Responsibility covers conduct that is not attributable to a state under other articles, but which can nevertheless be considered an act of a state if that state acknowledges and adopts the conduct as its own. Acknowledgment and adoption should be distinguished from mere support or endorsement. Sometimes a state acknowledges after the event that non-state actors have played a patriotic role in supporting the state. Under this article, if the state in question is effectively adopting the conduct as its own or fostering its continuance, this could make the state responsible for that conduct.
In the cyber context, Russia’s president, Vladimir Putin, acknowledged the role of patriotic hackers in 2017 when discussing the ‘theoretical possibility’ that they may have been involved in interference with US elections. Such comments would be unlikely to meet the conditions in Article 11 on their own, but if Putin had gone further and unequivocally endorsed the acts of the hackers as part of a Russian state effort, then this might have done so.
It has been argued that the high attribution thresholds in the Articles on State Responsibility are ill suited to the realities of modern cyber operations. Some voices have called for different attribution determinants, involving a lower threshold of overall control or ‘soft control’. The current attribution criteria were developed in a period in which states used proxies to fight in wars with conventional weapons, such as guns and tanks; these were weapons that in the main only states could provide to proxies. But non-state actors can easily acquire cyber capabilities off the shelf, cheaply and without any dependence on a state – this applies, for example, to ransomware-as-a-service tools. However, changes to the present rules would likely take years to agree, even assuming there was the political will to do so – which would not be the case for those states that seek to benefit from the challenges of attribution. A more fruitful approach may be to focus on holding states responsible for harbouring and inciting malicious cyber actors on their territory, as discussed later in this chapter.
Even if proxy activity can be attributed to a state under the Articles on State Responsibility, it will also be necessary to establish that a violation of international law has occurred in order for that state to be legally responsible. In principle, the activities of a cyber proxy that are attributable to states – whether the proxy actor is conducting cyber operations against the critical infrastructure of a state or information operations in that state – may engage a number of rules of international law, including sovereignty, the prohibition on intervention in another state’s internal or external affairs, or international human rights law. For example, in their national positions on the application of international law in the cyber context, several states argue that a cyber operation against a state’s critical infrastructure, such as to interfere in a state’s electoral infrastructure to manipulate the vote, could violate the prohibition on intervention. A large-scale cyber campaign of disinformation, intended to sow distrust or sway public opinion (for example, encouraging citizens not to take a vaccine during a pandemic), could also violate the prohibition on intervention in certain circumstances as well as engaging obligations under international human rights law. The assessment of legality has to be conducted on a case-by-case basis with reference to the facts.
However, while there have been many public political attributions to date, no state has explicitly connected these to a violation of international law. Indeed, states rarely refer to international law at all when making political attributions, although sometimes they refer to international norms and rules in general terms. There are several reasons for this. First, there is the unsettled state of the law in this area: states continue to discuss how international law applies in cyberspace and have differing views on the application of some rules, such as on sovereignty. Second, states may not wish to invoke a violation of international law for political reasons (e.g. for fear of retribution by the accused state). Some states prefer ambiguity around the rules, to give them flexibility to engage in cyber operations of their own. Even if states do wish to invoke international law (an option likely to be more attractive to less powerful states), they may lack evidence to back up the claim with sufficient confidence.
Response options where legal attribution is established
While states rarely refer to international law in public when making political attribution, they do carry out legal assessments internally. If it can be established that another state is responsible for proxy cyber activity that violates international law, several options are available to the state that is the victim of the malicious cyber activity. These include the rights to take countermeasures, refer the matter to the UN Security Council or bring an inter-state claim before an international court. Each is considered below.
Countermeasures
Countermeasures can be understood as a unilateral response, by the victim state against the wrongdoing state, that would normally be considered a violation of international law but for the fact that the measures are taken in response to a prior violation of international law by the wrongdoing state. In taking the countermeasure, the victim state seeks to compel the wrongdoing state to (1) stop its unlawful behaviour (if the behaviour is continuing), (2) restore the status quo and (3) provide reparation to the victim state. Due to the risk of abuse, the use of countermeasures is governed by strict conditions, set out in the Articles on State Responsibility.
The countermeasure taken by the injured state must be proportionate to the injury suffered, but need not take the same form as the original violation. For example, a response could consist of the victim state freezing the assets of the wrongdoing state. But sometimes responding in kind may be most effective – examples might include deploying a targeted ‘hackback’ that disables servers or disrupts cyber infrastructure in the wrongdoing state in order to terminate the wrongful cyber conduct. In practice, it can be hard to know how far states are responding to Russian proxies with countermeasures. Typically states do not frame their responses explicitly as countermeasures, and the measures in question, if cyber-related, are often taken covertly.
Several states have confirmed the applicability of the law of countermeasures to cyber operations, including the US, the UK, Australia, Canada, New Zealand, Japan, Singapore and several European states. Other states, including Brazil, China and Cuba, view countermeasures with more caution.
It should be noted that countermeasures are peacetime measures. In the context of the current Russia–Ukraine war, they are therefore relevant as a potential response by Ukraine’s allies rather than as an option for Ukraine. Countermeasures cannot involve the use of force. The only situation in which force could be used in response to proxy activity would be if a proxy’s cyber activity reached the level of an ‘armed attack’. In this situation, some argue that the right of self-defence under the UN Charter would permit the use of force that is both necessary and proportionate against a proxy when the state in which that proxy is located is unable or unwilling to take action to stop the proxy’s activities. Other commentators maintain that the use of force would only be permissible if the proxy’s activity is attributable to a state.
In exceptional situations, where there is a grave and imminent peril to an essential interest of the state, and the action is the sole means of safeguarding that interest, a state may be able to act to safeguard its interest, including against non-state actors, and justify its action under the plea of necessity. Unlike with countermeasures, there would be no need to attribute the malicious cyber conduct to a state, which in the proxy context would be beneficial to the victim state. Several European states, the EU and Japan have endorsed application of the plea of necessity in the cyber context. However, the plea of necessity is governed by stringent conditions, including that the response must not seriously impair the essential interests of any other state, and must be direct, proportionate and necessary.
Referral to the UN Security Council
Cyber proxy activity that amounts to a threat to the peace, a breach of the peace or an act of aggression could trigger the UN Security Council’s enforcement powers under Chapter VII of the UN Charter. This could include the council adopting a resolution that condemns states for threatening peace and security through malicious cyber operations. The council can also condemn states for allowing non-state actors to operate from their territory, if there is strong evidence of such activity, and can condemn the non-state actors involved as well.
The UN Security Council has not yet adopted a resolution specifically in relation to malicious cyber operations, although these have been mentioned in the council’s debates. For example, Estonia raised Russian attacks against Georgia in the UN Security Council in March 2020. Estonian Foreign Minister Urmas Reinsalu stated: ‘The intention of the cyber operation organized by the Russian Military Intelligence Service, the GRU, was to discredit Georgia and create confusion. This is yet another example of irresponsible behaviour and violation of stability in cyberspace by Russia.’ He added, ‘Raising this issue today at the UN Security Council table is historic, and demonstrates that behaviour undermining the cyberspace stability is not being ignored.’ A draft resolution proposed by the US in 2022 for strengthening sanctions against North Korea provided a detailed description of malicious cyber activities by the Lazarus Group, a North Korean state-sponsored hacker group, with attribution made by a UN Panel of Experts based on information submitted by member states and through its own research. The draft resolution attracted strong support but was vetoed by China and Russia. As this example reflects, use of the veto power significantly limits this route to accountability in practice.
An inter-state claim
A state that is the victim of a malicious cyber operation carried out by a proxy actor could have recourse to dispute settlement mechanisms, for example by bringing an inter-state case before an international court such as the ICJ. The ICJ currently has an unprecedented 24 contentious cases on its docket, and an increasing number of states are intervening in cases. Ukraine has brought several inter-state claims before international tribunals in relation to Russia’s aggression against it, including some claims that have involved the attribution of proxies’ conduct to Russia. For example, in Ukraine and The Netherlands v. Russia, the European Court of Human Rights held that armed separatists in eastern Ukraine were under Russia’s control (‘once the armed separatists were formerly integrated into the military hierarchy of the Russian armed forces, they had the legal status of State organs, and were, accordingly, from that date de jure organs of the respondent State within the meaning of Article 4 ARSIWA’).
However, there are several challenges to inter-state litigation, particularly in the cyber context. First, it will be necessary to establish the existence of a dispute between two states. As noted above, to date states have refrained from characterizing cyber activity as a violation of international law or from framing the issue as a ‘cyber dispute’. States accused of malicious cyber activity are also unlikely to consent to an international court’s jurisdiction over the case. Even if they do so, evidence is likely to be difficult to obtain, as proxies employ tactics to hide their identity and location. States may also not wish to disclose evidence in court if this evidence has been obtained through intelligence or by searching other states’ computer networks without consent. There have been no international cyber disputes to date, but it is likely that states will seek to test this route in the future. We can also expect to see cases in which a cyber element features as part of a wider claim.
Response options where legal attribution cannot be established
Where the conduct of a proxy cannot be attributed to a state, but the proxy can be identified through technical attribution, there are other measures that can be invoked in response to the harmful behaviour. Political and diplomatic responses, including acts of retorsion, have already been discussed above. The principle of due diligence is also important in this context.
Due diligence
In 2015, the UN Group of Governmental Experts (GGE) agreed 11 norms of responsible behaviour in cyberspace (‘the UN cyber norms’), one of which was that ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’. The 2015 GGE report applied this norm specifically to proxies, affirming that ‘States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts’. The principle of due diligence is reflected in various sources of international law, including the case law of the ICJ, certain rules of IHL (as noted above), obligations under international human rights law, and the no-harm principle in environmental law.
The exact measures to be taken by the state on whose territory malicious cyber actors are operating will depend on the state’s capacity and the facts in each case, since due diligence is an obligation of conduct rather than result. Domestic measures might include taking steps to monitor cyber activity in the territory in question; ensuring the ability to communicate swiftly with international partners to provide notification of the malicious cyber activity by establishing robust computer emergency response teams (CERTs); and criminalizing harmful cyber activity.
At the international level, states have strengthened cooperation and notification systems (including through the UN’s Point of Contact Directory), for example by enhancing CERT-to-CERT cooperation. Under the Framework for Responsible State Behaviour in Cyberspace, this is a practical example of a confidence-building measure that can strengthen trust between states in tackling malicious cyber activity and reduce the risk of escalation. But capacity-building is also important, since the investigation and prosecution of cyber operations is costly and resource-intensive.
Capacity-building will be a priority for a new body, the UN Global Mechanism, which started work in March 2026 as a permanent forum for ongoing discussion of information security issues. However, the same challenges that hindered consensus in the Open-ended Working Group (OEWG) on Security of and in the Use of Information and Communications Technologies (ICTs) remain; indeed, the challenges are arguably heightened by today’s tense geopolitical climate and the relative absence of a US leadership role comparable to Russia’s influence at these meetings. Consequently, expectations for progress on accountability for proxy activities and for states to fully abide by the norms are limited.
Legal status
While the UN cyber norms are not legally binding on states, some states and scholars argue that norm (c), which derives from the ICJ’s Corfu Channel case, reflects a binding obligation. Indeed, the majority of states that have published national positions on the application of international law to cyberspace so far assert that due diligence is a binding obligation that applies in the cyber context; the same is true of the EU and African Union in their common positions.
As noted above, a violation of international law gives the injured state the right to take countermeasures under certain circumstances, and some states, such as France and Switzerland, have explicitly mentioned the right to take countermeasures where the due diligence obligation is violated. This is pertinent in the Russia–Ukraine context since the Russian government has not shown any sign of investigating the significant amount of cybercrime originating in Russia, some of which is reported to be part of Russia’s hybrid warfare operations. Indeed, Russia turns a blind eye to the activities of the perpetrators and denies that it is responsible for such incidents.
If a countermeasure were permitted in this context, the question would arise as to its permissible scope: whether it must be taken against the host state, or whether it could be taken directly against the proxy actor to supplement the failing state’s law enforcement obligation. Some scholars argue that while countermeasures are designed to target the legal interests of the wrongdoing state, there is no requirement that they be directed against the state itself, and that therefore it is possible to target non-state actors.
However, several states – including the US, the UK, Canada, Israel and New Zealand – consider that the principle of due diligence does not have the status of customary international law. The legal status of the norm is thus unsettled; indeed, the status of due diligence in international law generally remains a question of debate.
Other issues that remain unsettled are the standard of knowledge required to trigger due diligence obligations on the part of a host state (for example, whether it should be actual or constructive knowledge of the harmful cyber activity taking place on the state’s territory), and whether due diligence requires preventative measures or simply reasonable measures within that state’s capacity to bring the harmful activity to an end. Therefore, while many states agree that due diligence is important, at the very least as an expectation of responsible behaviour in the cyber context, Russia’s long-standing failure to abide by the due diligence principle means that due diligence is likely to be of limited practical effect in constraining Russia’s use of cyber proxies. However, norm (c) and the due diligence principle are useful in encouraging other states to build up their capacity to cooperate on the investigation and prosecution of malicious cyber activity emanating from Russia, as discussed further in Chapter 4 below.
In addition, there would be value in ensuring that the accountability of states for harbouring and inciting malicious cyber activity on their territory is factored into frameworks being developed in other contexts – for example the work of the UN Working Group on the Use of Mercenaries mentioned above, the work of the International Law Commission on due diligence, and discussions about due diligence in the context of the UN Convention against Cybercrime (which focuses primarily on state obligations to prosecute individuals but would benefit from more explicit attention to state responsibility for harbouring or enabling malicious cyber activity).
Lessons should be drawn from accountability models developed in other domains. In particular, the evaluative and listing mechanisms of the Financial Action Task Force (FATF) (which identifies and publicly designates jurisdictions with strategic deficiencies in countering financial crime) and the preventative obligations contained in the United Nations Convention against Transnational Organized Crime (UNTOC) (under which states must actively suppress transnational organized crime rather than merely tolerate its presence) demonstrate that the international system already recognizes expectations of due diligence in tackling serious transnational crime. While the cyber context presents particular challenges – notably with respect to establishing attribution – these frameworks provide useful reference points for approaches to accountability for malicious cyber activity, including the value of an approach based on tackling whole ecosystems rather than particular actors.