States are not being held accountable for the vast majority of their harmful cyberoperations, largely because classifications created in physical space do not map well onto the cyber domain. Most injurious and invasive cyberoperations are not cybercrimes and do not constitute cyberwarfare, nor are states extending existing definitions of wrongful acts permitting countermeasures to cyberoperations (possibly to avoid creating precedent restricting their own activities). Absent an appropriate label, victim states have few effective and nonescalatory responsive options, and the harms associated with these incidents lie where they fall.
This Article draws on tort law and international law principles to construct a comprehensive system of state accountability in cyberspace, where states are liable for their harmful acts and responsible for their wrongful ones. It identifies international cybertorts—acts that employ, infect, or undermine the internet, a computer system, or a network and thereby cause significant transboundary harm—as distinct from cybercrime and cyberwarfare. Not only does this term distinguish a specific kind of harmful act, it highlights how the principle of state liability for transboundary harms (which holds states accountable for the harmful consequences of both their lawful and unlawful activities) could usefully complement the existing law of state responsibility (which applies only to unlawful state acts). Imposing state liability for international cybertorts minimizes the likelihood that victim states will resort to escalatory responses, increases the chance that those harmed will be compensated, and preserves a bounded grey zone for state experimentation in cyberspace.
Rebecca Crootof, International Cybertorts: Expanding State Accountability in Cyberspace, 103 Cornell L. Rev. 565 (2018).