Cyber Operations, Artificial Intelligence and the Law of State Responsibility

Introduction
The nature of State conduct has undergone significant transformation in the twenty-first century. Traditional international law frameworks were developed in an era when State actions were generally physical, direct and identifiable. However, rapid technological advancements have enabled States to conduct operations in the digital sphere through cyber capabilities, artificial intelligence systems and digital surveillance mechanisms, often with varying degrees of anonymity.
The framework governing State responsibility, particularly the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), was developed against a backdrop of conventional State conduct. Today, the increasing use of artificial intelligence, cyber operations and cross-border surveillance raises important questions regarding attribution, accountability and the adequacy of existing legal standards. These developments highlight the growing need to examine how traditional principles of State responsibility apply to emerging technologies.
The Classical Framework of State Responsibility
The doctrine of State responsibility requires two essential elements for an internationally wrongful act to arise: attribution of the conduct to a State and a breach of an international obligation. Article 2 of ARSIWA provides that both requirements must be satisfied before conduct can be characterised as an internationally wrongful act.
The rules governing attribution are contained primarily in Articles 4 to 11 of ARSIWA. These provisions attribute conduct performed by State organs, entities exercising governmental authority and, in certain circumstances, non-State actors acting on behalf of a State. The principles were developed through landmark decisions such as Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States) and Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), both of which examined State responsibility for the conduct of armed groups and non-State actors.[1]
However, traditional attribution standards are increasingly challenged by modern digital operations. Artificial intelligence systems, cyber operations, automated decision-making tools, surveillance technologies and telecommunications infrastructure frequently operate through decentralised networks involving both governmental agencies and private entities. This makes identifying direct State involvement considerably more difficult.
Furthermore, ARSIWA functions as a framework of secondary rules. It governs the legal consequences of internationally wrongful acts but does not itself define the primary obligations that may be breached. In emerging technological domains, many of these substantive obligations remain uncertain or underdeveloped, creating a significant gap in the application of international law to cyber operations and artificial intelligence.
Artificial Intelligence and the Accountability Gap
The growing use of artificial intelligence by States has created what may be described as an accountability gap. AI systems often operate through machine-learning processes capable of producing outcomes without direct human involvement at every stage of decision-making. As a result, determining responsibility for harmful outcomes becomes increasingly complex.
For example, an AI-enabled system designed to influence financial markets or disrupt critical infrastructure may generate harmful consequences through autonomous processes rather than specific governmental instructions.
Under Article 4 of ARSIWA, conduct undertaken by State organs remains attributable to the State even where artificial intelligence systems are deployed by government agencies, military units or other State institutions. Difficulties arise, however, when States rely upon private technology companies, commercial software providers or third-party digital infrastructure for AI deployment.
In such circumstances, establishing the level of control required for attribution becomes significantly more challenging. International law generally requires evidence demonstrating a sufficient degree of direction or control before conduct can be attributed to a State. Consequently, States may avoid legal responsibility despite financing, facilitating or benefiting from harmful AI-enabled operations.
Another challenge concerns identifying the primary international obligation that has been breached. Many AI operations may cause serious economic, technological or societal harm without reaching the threshold of a prohibited use of force under international law.
The due diligence principle, reflected in the Tallinn Manual 2.0, seeks to impose obligations on States to prevent their territory or infrastructure from being used for harmful cyber activities. However, applying due diligence standards to artificial intelligence systems remains difficult because machine-learning models often operate as “black box” systems whose decision-making processes are not fully transparent. This lack of transparency complicates both attribution and accountability under international law.
Cyber-Attacks and the Problem of Attribution
Cyber-attacks present one of the most significant challenges to the modern law of State responsibility. The legal framework governing cyber operations draws upon established principles of international law, including the prohibition on the use of force under Article 2(4) of the United Nations Charter, the principle of non-intervention and the law relating to countermeasures.
According to the Tallinn Manual 2.0, a cyber operation may amount to a use of force where its scale and effects are comparable to those of conventional military operations. Incidents such as the 2007 cyber-attacks against Estonia and the Stuxnet operation targeting Iran’s nuclear infrastructure illustrate the disruptive potential of cyber warfare and cyber-enabled State conduct.[2]
Nevertheless, the attribution of cyber-attacks under international law remains exceptionally difficult. Cyber operations are frequently conducted through proxy servers, botnets, compromised infrastructure and false-flag techniques that obscure the identity of the responsible actor.
Although intelligence agencies may possess technical evidence linking an operation to a particular State, public legal attribution often remains uncertain. This creates a significant challenge because inaccurate attribution may itself generate diplomatic consequences and undermine the legitimacy of any response.
The principle of non-intervention provides a relatively flexible framework for addressing many cyber operations. Activities intended to disrupt elections, banking systems, governmental communications or other sovereign functions may constitute unlawful intervention where they involve coercion in matters falling within a State’s domestic jurisdiction. As recognised by the International Court of Justice in Nicaragua v. United States, coercive interference in matters reserved to State sovereignty may violate international law even where the conduct falls short of an armed attack.
The law relating to countermeasures faces additional practical difficulties in cyberspace. Under ARSIWA, countermeasures must be proportionate and, where possible, reversible. However, cyber operations often result in irreversible consequences, particularly where data is stolen, corrupted or permanently compromised. Consequently, States frequently respond through sanctions, diplomatic protests and intelligence measures rather than formal legal countermeasures.
Digital Surveillance and Human Rights Concerns
The rise of mass digital surveillance has added another layer of complexity to the law of State responsibility. Modern surveillance technologies enable States to collect, process and analyse vast quantities of personal data across national borders.
Traditional international law has never expressly prohibited espionage. As a result, many surveillance activities generate significant political controversy without necessarily giving rise to recognised legal claims under general international law.
The more significant legal concerns arise in relation to individual rights. Article 17 of the International Covenant on Civil and Political Rights protects individuals against arbitrary or unlawful interference with privacy, family, home and correspondence. Contemporary interpretations increasingly recognise that these protections extend to digital communications and electronic data.
The United Nations Human Rights Committee has also indicated that human rights obligations may apply extraterritorially in certain circumstances. Consequently, States conducting surveillance activities targeting foreign individuals may incur responsibility where such activities interfere with internationally protected rights.
Commercial spyware technologies such as Pegasus further illustrate the accountability challenges associated with digital surveillance. States frequently procure spyware from private companies and deploy such tools against journalists, activists and political opponents.
In these situations, attribution once again becomes a central issue. Determining responsibility requires evidence that the surveillance activities were directed, controlled or authorised by the State. The commercial structure of the surveillance industry often enables both vendors and governmental actors to deny direct responsibility, thereby creating significant accountability gaps.
Conclusion
The traditional doctrines of State responsibility were developed in an era where State conduct was visible, direct and territorially grounded. The contemporary landscape has changed significantly with the emergence of artificial intelligence, cyber warfare capabilities and sophisticated digital surveillance technologies.
While the principles of attribution, breach and reparation remain the foundation of international responsibility, their application has become increasingly complex in the digital age. Artificial intelligence has created new accountability challenges, cyber operations have complicated the attribution process and digital surveillance has raised difficult questions regarding privacy, human rights and State accountability.
As technology continues to evolve, the existing framework of State responsibility will need to adapt to ensure that international law remains capable of addressing emerging forms of State conduct. Strengthening legal standards governing AI accountability, cyber operations and digital surveillance will be essential to preserving accountability, transparency and the rule of law in an increasingly interconnected world.
[1] Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Merits) [2007] ICJ Rep 43, paras 398–407.
[2] See Rain Ottis, ‘Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective’ (Cooperative Cyber Defence Centre of Excellence, 2008).
Last Updated on 9 June, 2026