Challenges in proving state-sponsored cyber attacks

29 March 2017

Nation state involvement in cyber attacks complicates an already challenging threat.

Cyber warfare has become a hot topic in recent months, with allegations of Russian interference in the US election and leaks revealing the actions of the US intelligence community.

In March, Wikileaks posted thousands of classified documents exposing the scale of the American spy agency’s extensive cyber warfare and surveillance programme. This followed a number of allegations that nation states – including Russia and Korea – may be behind cyber attacks against companies.

Most recently, North Korea was linked to cyber attacks against Asian banks, including last year’s USD 101 million theft from the Bank of Bangladesh. The code used in the attack against the bank was apparently linked to the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013.

Cold war

Russia, in particular, is thought to have increased its cyber intelligence and warfare capabilities. Hackers with links to the Russian government are thought to be behind a number of cyber attacks, including an alleged hacking of US Democratic party emails and a separate incident involving TV5Monde.

The French TV station was taken off air in April 2015 by a cyber attack, initially claimed by a group calling itself the Cyber Caliphate. But subsequent investigations have attributed the attacks to Russian hackers.

Russia was already accused of involvement in cyber attacks against Ukraine, which is fighting a war against pro-Russian separatists in the east of the country. Last year Ukraine was hit by thousands of cyber attacks while in 2015 a cyber attack against a Ukrainian power company took out part of the power grid.


State-sponsored cyber attacks are not new. The US and Israel are widely believed to be behind the Stuxnet virus, which in 2010 caused significant damage to Iran’s nuclear programme.

But nation state involvement in cyber attacks is particularly problematic. It is difficult to attribute responsibility for cyber attacks while there is no single set definition of “cyber warfare”, although there are some particularly complex and ambiguous guidelines.

For example, the Tallinn Manual was drawn up in 2013 by the Cyber Defence Centre of Excellence (NCCDCE), which was established following the widespread cyber attack against banks and media in Estonia by a Russian hacker.

This detailed document defines “cyber warfare” as any act that might qualify as a “Use of Force” or “Armed Attack” as defined under Rules 10 to 13 of Article 2(4) of the United Nations Charter.

The manual sets out that a cyber operation can be considered an “armed attack” under international law, despite its inherent lack of use of traditional weapons. Any “use of force that injures or kills persons or damages or destroys property” would satisfy the definition of an armed attack.

However, acts of cyber intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services” would not satisfy the definition of an armed attack. It is very important to conduct a thorough gap analysis between terrorism and cyber programs, but also demand clarity from cyber insurers’ regulatory war and terrorism cover.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on



Find out more

Read our Cyber Risks & Insurance Insights

Read more

Receive our monthly cyber risk newsletter