State Outsourcing of Information Operations: From Attribution to Aspiration – Part I

[Richard Mackenzie-Gray Scott is the author of State Responsibility for Non-State Actors: Past, Present and Prospects for the Future (Oxford: Hart | Bloomsbury, 2022, re-issued in paperback 2024)]

This is the first part of a two-part post; see Part II here.

Information operations can impact societies in many ways. Whether by undermining specific human rights, for example, as a result of crossing the line between ‘lawful influence and unlawful manipulation’ of thought, or by eroding trust in democratic institutions, these operations pose multifaceted risks to domestic, regional, and international stability. A prominent example is the false claims created and spread through information and communications technologies during COVID-19, which stimulated distrust in the institutions, policies and people that sought to effectively address the pandemic. The relevance of international law to information operations is often taken as a given. Yet it is contingent on a number of factors. One such factor comes from within the body of rules that constitute the international legal order, which concerns whether any of the primary rules potentially applicable to information operations can actually be brought to bear on claims seeking to establish legal accountability. This factor arises because of the secondary rules that are inseparable from such claims, which also affect options for legal accountability more generally. But these secondary rules get neglected in related analysis and discussion, which in turn contributes to the assumption that international law is relevant to information operations, in particular with respect to pursuing legal accountability for their harmful impacts.

For a quick refresher, primary rules define the content of legal obligations under specific sub-fields of international law (for example, human rights law), and secondary rules stipulate, among other things, the general conditions for a state to be considered internationally responsible for wrongdoing (for insights on this distinction see the works of Anastasios Gourgourinis and Ulf Linderfalk). It is also worth recalling the helpful words of Alice Ollino from her book on due diligence: ‘the conceptual grounds for the dichotomy between primary and secondary rules should not be overestimated, and the distinction should not be taken as a logical necessity, but rather as a functional tool’ (page 188).

With the above in mind, when considering how information operations unfold in practice, the perspective being offered here suggests that applicable primary rules may often not actually be breached by such operations, even if they result in harm. What the content of primary rules say (on paper), and whether that substance can be legally invoked (in practice), are two different things. And there is slippage between them, referring to when practice does not – and in some cases cannot – measure up to what is stipulated on paper. This slippage is, in part, due to fundamental content under the law governing state responsibility being overlooked, namely that on attribution, the framework governing which is relied upon to identify whether a state can be considered internationally responsible for conduct that was contrary to an international rule, which thus applies to any such conduct that arises in the course of information operations.  

Time to Take the Blinkers Off

Before getting specific, three matters require clarification. First, the problems considered below are distinct from those concerning ‘technical attribution’, understood here as the process of gathering and relying on available evidence to identify the factual source of a particular information operation. Second, also separate is the matter of how to respond to information operations considering the risks involved. Third, generally speaking, the obligations contained in primary rules bind states, not non-state actors, such as companies or contractors. In order for one of these rules to be breached, therefore, the conduct that was contrary to its substance needs to have been undertaken by a state. Yet in the context of information operations, the actors carrying them out are often not states, but companies or contractors, including those outsourced to act on behalf of states. To claim that a particular primary rule was breached by conduct part of an information operation depends, then, on whether the state under scrutiny is considered to be the legal author of that conduct.

Here is where the attribution tests under the law of state responsibility come in. They exist to say when conduct should be considered that of a state for the purposes of assessing its international responsibility. In cases involving wrongdoing that arise from information operations, it is important to understand and underscore that for attribution to occur in these cases, a number of determinants need to align. What follows raises the uncomfortable doubt of how unlikely such alignment is in light of two realities. First, the actors undertaking information operations are frequently non-state actors, including those commissioned or sponsored by states. As noted by Matthias Kettemann with respect to the application of international law to cybersecurity issues more generally, ‘most attacks will be [technically] attributable to non-governmental protagonists or to protagonists whose association with governmental agencies cannot be proven’ (p.123). Second, and related especially to this latter point regarding establishing such associations, the legal framework addressing state responsibility for non-state actors tends to create difficulties for legal accountability. This counterintuitive reality becomes evident, and particularly thorny, when reflecting on the legal framework governing attribution, which predominantly consists of the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts, specifically articles 4-11 (note there also exist attribution tests beyond these provisions – see, for example, those examined in the work of Marko Milanovic). When digging into their details, it becomes evident that these attribution tests by no means provide a straightforward route to demonstrating that a state was responsible for a particular information operation.

The standard ‘go to’ attribution test over the years, when a state organ is not the actor that has allegedly undertaken conduct contrary to an international rule, but on the facts appears to share links with the actor that did, has been Article 8 of ILC Articles, which states:

Conduct directed or controlled by a State

The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.

This test was finalised by the ILC after it incorporated an invention of the International Court of Justice that lacks legal grounding, namely the ‘effective control’ test (see pages 70-107 of my book for all the juicy details). Yet this test receives repetitive referencing in both commentary and practice. The scrambling of it has continued over decades, including a recurrent play off against another judicial invention: the ‘overall control’ test from the International Criminal Tribunal for the former Yugoslavia. This overflow of content regarding one made-up approach to attribution, sometimes treated as though it were the only approach, has diverted attention away from a significant matter. The ICJ-ILC final combo enshrined in Article 8 supplanted the original test under this provision (see this 1974 ILC Report at pages 283-286 for further details):

Attribution to the State of the conduct of persons acting in fact on behalf of the State

The conduct of a person or group of persons shall also be considered as an act of the State under international law if
(a) it is established that such person or group of persons was in fact acting on behalf of that State

When compared to the final version of Article 8 known today, the original ‘acting in fact on behalf of’ a state test has considerably more utility and value for both academic work and for legal and political practice, especially when considering information operations.

How so? In sum: the original test leaves more space for different people to work with when assessing factual links between states and non-state actors, including those involved in judicial practice. Applying this potential overarching rule as the starting point for assessing state responsibility for non-state actor wrongdoing is arguably preferable than relentlessly applying some of its indicators (‘instructions’, ‘direction’, ‘control’) as though they were positive law. It is time to take the blinkers off when approaching questions of attribution that concern the factual links between states and non-state actors, and look beyond the final version of Article 8, towards the original version of this provision, especially when considering its history – particularly with respect to the alteration (for the details on this matter see pages 71-86 of my book). Situations where a state intends to undertake conduct via a non-state actor that will likely result in wrongdoing are precisely the sort that Article 8 struggles to capture. And information operations are one of the most prominent contemporary examples of this case type.

A short(ish) story illustrates this point (spoiler alert! It’s not hypothetical). Say one state fancied undermining a vaccination effort to combat a pandemic, and it decided to do so by implementing an anti-vaccination campaign across multiple social media platforms, which ultimately contributes to widespread loss and suffering. But this state is not daft enough to carry out the associated operations itself. No, no, no. Why risk international law saying it did something that it did? This state knows full well that the operations need to be attributable to it in order to engage its responsibility for violating rules like non-intervention or the human rights of affected individuals. Instead, it appoints a private contractor to do the dirty work. And of course, we cannot know whether this contractor has been empowered by the law of this state to act for it, because if such a law does exist, it remains buried within a classified contract or procurement agreement. So, just like that, Article 5 of the ILC Articles is rendered futile, which reads:

Conduct of persons or entities exercising elements of governmental authority

The conduct of a person or entity which is not an organ of the State under article 4 but which is empowered by the law of that State to exercise elements of the governmental authority shall be considered an act of the State under international law, provided the person or entity is acting in that capacity in the particular instance.

Unless the empowered by domestic law requirement is read out of this provision when applying it, which has been done, and might please the states that never wanted this requirement to be included in the provision (see pages 52-57 of my book), then attribution on this basis seems fairly unlikely.

Not to worry, however. To make things look good, our dear old anti-vaxxer state orders an official review of the related information operations, which, oddly enough, finds that state officials did not maintain sufficient ‘control’ over the contractors. Nor does this review find any evidence that state officials issued directions or instructions in the course of any specific operation. What a first sight appears to be incompetence may actually be engineered, as despite the potential to attract public and political censure, a demonstrable lack of state control over such contractors facilitates the position of a state seeking to avoid legal accountability. The impending Article 8-type analysis can almost be felt. Some of us know it all too well, and the legal advisers of our anti-vaxxer state surely do: ‘The law says…’ No, hang on. Let’s be accurate: ‘Those that invented what may or may not be “the law” say that this information operation undertaken for the state, by actors appointed by the state, was not actually for the state’. Sound a bit bonkers? Heard of General Dynamics Information Technology? The company is apparently pretty flush, what with all the business it has been getting. From what state, you ask? Have a guess before clicking. But remember, those state-sponsored information operations undermining all those primary rules are not acts of the state, ok. In case you forgot why, Tsvetelina van Benthem, Talita Dias, and Duncan Hollis provide a nice, clear reminder: ‘It is important to emphasize at the outset that all of these international legal obligations [applicable to information operations] require attribution of certain wrongful conduct to a state’ (page 1230 – emphasis original).

The above story tells but one of countless others in which states are able to avoid their legal obligations under primary rules, thanks, in part, to the overuse of a few attribution tests suffering from overprecision. But an antidote exists: the ‘acting in fact on behalf of’ attribution test. It has been hiding in plain sight since the 1970s, with traces of the test dating back to at least the 1920s. It just needs to start being used again. So, when considering factual links between the two, to begin assessments about whether a state should be considered the legal author of conduct undertaken by a non-state actor, the questions to ask, in order, are, first, was the non-state actor acting in fact on behalf of the state in question, and, second, what, if anything, indicates that. To be clear, such indicators can still include ‘instructions’, ‘direction’ or ‘control’ as per Article 8, but, crucially, without them being the only indicators. Should this approach not be taken, then it remains unlikely that any conduct during information operations that is contrary to international rules is going to be considered that of states commissioning or sponsoring those operations, because outsourcing to non-state actors allows those states to avoid their legal obligations, meaning the substance contained in those rules cannot be legally invoked due to non-attributability. To put it a bit differently, taking the usual route, meaning applying whatever ICJ-ILC combo of attribution test to whatever set of facts, will likely just lead to more unaccountability – where international law ends up saying that states are not legally responsible for information operations that they factually contributed to or caused.