Authored By: Arshika Sharma
LNCT University Bhopal
This article evaluates the efficacy of the classical framework of State responsibility— codified in the ILC’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA, 2001)—in regulating three seminal challenges of modern statecraft: artificial intelligence (AI), interstate cyber-attacks, and pervasive digital surveillance. It contends that foundational attribution thresholds, forged in the era of kinetic paramilitary conflict, are incompatible with algorithmic conduct characterized by technical complexity, operational deniability, and legal opacity. After identifying the systemic “fracture lines” within these domains, the article proposes a tripartite reform strategy: establishing a robust due diligence standard for AI and cyber operations, developing doctrine to address the cumulative impact of sub-threshold operations, and formulating a treaty-based framework to address the human rights implications of global surveillance.
The Classical Framework and Its Fracture Lines
The doctrine of State responsibility hinges on two cardinal inquiries: the attributability of the conduct to a State and the existence of a breach of an international obligation. ARSIWA Article 2 is laconic on this point, requiring only attribution and breach to trigger responsibility. However, the application of these rules is far from seamless.
The attribution criteria (Articles 4–11) are grounded in the ICJ’s jurisprudence in Nicaragua and Bosnia v. Serbia, which centered on paramilitary forces. These thresholds are inherently ill-equipped for the operational realities of cyber warfare and AI deployment. This gap is not merely cosmetic; it is structural. Furthermore, the “primary secondary rule” distinction falters here; ARSIWA provides the consequences of a breach (secondary rules) but assumes the existence of clear primary obligations. In the digital frontier, these primary rules remain contested or nascent, leaving the framework unable to anchor responsibility effectively.
Artificial Intelligence: Attribution Without a Human Hand
The integration of autonomous systems introduces a profound accountability lacuna: the divergence between machine-learning outputs and the human chain of command. When an AI-driven tool operates without discrete human intervention at every juncture, decisions emerge from opaque datasets and reward functions rather than identifiable sovereign orders.
While conduct by State organs is attributable under Article 4, greater complexity arises when States utilize commercial AI or third-party infrastructure. The “effective control” test is notoriously stringent; a State merely financing or enabling an AI system may evade responsibility despite foreseeable and substantial harm. Furthermore, the ontological opacity of neural networks—where decision pathways are often indecipherable even to their creators—undermines the “knowingly” requirement of due diligence. This strategic modularity in AI supply chains allows States to leverage technical ambiguity to remain largely unaccountable.
III. Cyber-attacks: Use of Force and the Identification Problem
The legal oversight of cyber operations is predicated upon the prohibition of the use of force (Article 2(4) of the UN Charter), the principle of non-intervention, and the law of countermeasures. Per the Tallinn Manual 2.0, a cyber operation constitutes a “use of force” when its scale and effects mirror conventional kinetic warfare.
However, attribution in cyberspace remains categorically distinct from conventional conflict. The use of proxy infrastructure and “false-flag” malware renders public legal attribution geopolitically sensitive and evidentiary-heavy. This creates an environment where the victim State bears the risk of “false positive” attribution, while the aggressor externalizes the costs of its conduct through successful deniability. Consequently, States often bypass formal countermeasures in favor of diplomatic protests or extra-legal intelligence operations.
Digital Surveillance: Sovereignty and Human Rights
Mass digital surveillance presents a unique nexus of legal dilemmas. While interstate espionage is not expressly proscribed under general international law, the surveillance of private individuals increasingly engages international human rights law. UN resolutions affirm that the right to privacy (Article 17, ICCPR) extends to digital communications, even extraterritorially.
The proliferation of commercial spyware, such as Pegasus, exemplifies the accountability crisis. The industry’s business model—where vendors license tools but States operate them—is engineered for plausible deniability. This creates a regulatory vacuum that domestic torts and export controls cannot fully address, leaving a significant normative gap in the international legal order.
Toward a Reconstructed Framework
To bridge these gaps, three reformative pathways are essential:
Tailored Due Diligence: Transitioning toward an “environmental” model of responsibility, where control over digital infrastructure generates a positive obligation to prevent transboundary harm.
Aggregation Principle: Recognizing that a sustained pattern of “sub-threshold” cyber operations can, in the aggregate, constitute a prohibited use of force.
Human Rights Treaty-Building: Drafting a multilateral instrument specifically addressing mass surveillance and the obligations of “proximate enablers,” including private technology firms.
Conclusion
The doctrines of State responsibility were conceived for an era of soldiers and territory, not algorithms and code. While the core principles of attribution and reparation remain valid, they must be refined to constrain conduct that is technically sophisticated yet legally elusive. Maintaining doctrinal conservatism risks rendering the law obsolete, while total abandonment of established thresholds risks destabilizing international restraint. The path forward requires a rigorous recalibration of existing laws to match the technological ontologies of the twenty-first century.
