애국적 해커와 사이버공간 국가책임 공백: ‘실효적 통제’ 기준의 재검토

Conflicts and geopolitical tensions over the past decade, including the Russia-Ukraine war, have highlighted the prevalence of cyber operations conducted by state-aligned civilian groups targeting critical infrastructure. Notable examples include Chinese private entities reportedly hacking foreign governments, the pro-government Syrian Electronic Army’s campaigns against Western media, and Israel’s military responses to Hamas’ cyber attacks. However, as of 2025, the ICJ has yet to adjudicate any cases directly concerning incidents in cyberspace, underscoring the persistent difficulty of establishing international legal responsibility for malicious cyber operations, even when technical attribution is feasible. The challenge is exacerbated by the strategic use of proxies — particularly “patriotic hackers,” non-state actors who align with State interests while maintaining operational independence. Their activities exploit the inherent ambiguity of cyberspace, allowing States to pursue strategic objectives with plausible deniability and further complicating legal attribution. The academic community has extensively debated the adequacy of the ICJ’s “effective control,” widely regarding it as insufficient to address the unique complexities of modern cyberspace. Focusing on the phenomenon of patriotic hacking, this article examines alternative attribution standards suggested in international legal scholarship — including “overall control,” “flexible control,” “virtual control,” and the “complicity standard.” Each model is assessed for its strengths and weaknesses in bridging the gaps in State responsibility for cyber operations. Finally, the article explores the ICJ’s potential role in addressing attribution challenges in cyberspace and considers directions for modernizing the law of State responsibility.