Understanding Attribution in Cyberspace: An Analysis of State Responsibility under ARSIWA Article 8 and the IT Army of Ukraine
Location: Moot Court Room, Old College
Date/time: Tue 11 November 2025, 11:00 - 12:30
The International Law Reading Group (ILRG) is happy to announce a session as part of its Early Career Research Exchange (ECRE) Series, hosting Klaudia Szabelka, who is a PhD candidate at the University of Glasgow. Klaudia will be presenting a paper on the international legal implications of Ukraine’s “IT Army” and its consequences for both state responsibility and individual liability. The ILRG is looking forward to discussing and exchanging ideas on this exciting topic!
The full abstract of Klaudia's research can be found below:
This paper examines the international legal implications of Ukraine’s “IT Army”—a large, loosely coordinated volunteer cyber collective activated after the 2022 expansion of Russia’s armed attack—and its consequences for both state responsibility and individual liability. While states increasingly leverage civilian digital volunteers for disruption and intelligence in armed conflict, existing doctrine offers uncertain answers about attribution and accountability. Through a doctrinal analysis of the International Law Commission’s Articles on State Responsibility (ASR), international humanitarian law (IHL), international human rights law (IHRL), and influential non-binding guidance (e.g., Tallinn Manual), combined with a structured case study of the publicly documented organization and tasking of the IT Army, the article maps when and how cyber conduct by volunteers may be imputed to a state and what legal exposure individuals face.
The analysis develops a four-tier “attribution continuum”—independent, coordinated, directed/controlled, and adopted ex post—to operationalize ASR Articles 4, 8, 11, and 16 in the cyber context. It argues that mere encouragement or information-sharing by officials is generally insufficient for attribution, whereas targeted tasking, operational vetting, or integration into command-and-control structures can satisfy “instruction or direction” or “effective control.” Even absent attribution, states may incur responsibility for failure to exercise due diligence to prevent unlawful cross-border cyber operations launched from or by persons subject to their jurisdiction. The article further clarifies the limits of countermeasures and necessity in delegating cyber responses to civilians, emphasizing that legally compliant countermeasures remain a prerogative of the state, not private actors.
On individual responsibility, the article shows that volunteer hackers remain civilians under IHL; when their operations constitute “attacks” or directly support hostilities, they risk losing protection from direct attack for such time and may incur domestic criminal liability or, in exceptional circumstances, international criminal responsibility where cyber means produce prohibited effects. Because volunteers lack combatant immunity, they face heightened prosecution/extradition risks, especially when operations cause physical consequences or significant functional damage.
The article closes with governance recommendations for states considering auxiliary cyber mobilization: transparent mandates, formalized auxiliary status with clear rules of engagement, compliance monitoring, harm-minimization and human-rights safeguards, and pathways for accountability. These proposals aim to reconcile operational imperatives with the integrity of the international legal order, offering a pragmatic framework for policy and practice where state and individual responsibility intersect in cyberspace.