Western capitals are increasingly reaching for a distinctly legal instrument in their response to state-backed hacking: coordinated public attribution paired with collective political condemnation. Recent reporting from the Council on Foreign Relations captures the trend in sharp relief, documenting a case in which allied governments and NATO jointly named the People's Republic of China as the source of hostile cyber activity and framed that activity as a matter of national and collective defense.

According to CFR's tracking of China-related developments in Europe, the alliance did not treat the incident as a routine security nuisance. <cite index="2-1">NATO issued a statement condemning the malicious cyber campaign, observing a "growing pattern of malicious cyber activities stemming from the" PRC.</cite> The framing matters. By characterizing the conduct as part of a sustained pattern rather than an isolated intrusion, the alliance signaled that it views such operations through the lens of ongoing state responsibility rather than episodic criminality.

European officials struck a similar note. As CFR reported, Czech Foreign Minister Jan Lipavsky cast Chinese cyber operations as an assault on the fabric of democratic society. <cite index="2-0">"Through cyberattacks, information manipulation, and propaganda, [China] interferes in our society," Lipavsky said,</cite> adding that his government had a duty to defend against it. That vocabulary—interference, defense—deliberately tracks the language of international law, which prohibits coercive intervention in the internal affairs of other states.

Attribution as a legal act

For lawyers working in this field, the significance lies less in the technical forensics than in the decision to attribute publicly and collectively. Under the customary international law of state responsibility, wrongful acts must be attributable to a state before any lawful response—countermeasures, for instance—may follow. Attribution is therefore not merely a naming-and-shaming exercise; it is a predicate for legal consequence. When several states and an alliance attribute the same conduct in concert, they build a shared evidentiary and normative record that is harder for the accused state to dismiss as unilateral posturing.

Coordinated attribution also helps consolidate contested norms. Successive UN processes have affirmed that existing international law applies in cyberspace and that states should not knowingly allow their territory to be used for internationally wrongful acts. Yet these commitments remain thin without enforcement. Joint condemnation of the kind CFR describes operates as a form of decentralized enforcement: it publicizes alleged breaches of agreed norms and raises the political cost of continued violation, even where formal adjudication is unavailable.

A documented pattern

The framing of Chinese operations as a "pattern" is consistent with the broader empirical record. CFR maintains a long-running catalogue of these incidents; <cite index="8-1">the Digital and Cyberspace Policy program's cyber operations tracker is a database of the publicly known state-sponsored incidents that have occurred since 2005.</cite> That database underscores why attribution has become a recurring instrument of statecraft: state-sponsored intrusions are now a persistent feature of international relations, and governments increasingly treat the decision to attribute as a policy choice with legal and diplomatic weight.

The turn toward collective attribution is not without difficulty. Attribution in cyberspace is famously uncertain, and states rarely disclose the intelligence underpinning their conclusions, which can leave allegations open to charges of politicization. There is also no agreed evidentiary standard in international law for attributing cyber operations, meaning that the persuasiveness of a joint statement rests largely on the credibility of the governments issuing it rather than on any tribunal's findings. And condemnation, however unified, stops short of the binding legal response—countermeasures or Security Council action—that would give attribution teeth.

Why it matters

For the international law of cyber conflict, episodes like the one CFR documents are incremental but consequential. Each coordinated attribution adds to a growing practice that may, over time, harden into clearer expectations about state conduct online and about the permissible responses to it. The Czech and NATO statements suggest that European actors, in particular, are willing to treat hostile cyber operations as questions of sovereignty and non-intervention rather than as technical incidents to be managed quietly.

Whether that practice matures into enforceable norms will depend on consistency, evidentiary transparency, and the willingness of states to follow words with lawful action. For now, the message from Brussels and Prague, as relayed by CFR, is that attribution itself has become a deliberate tool of legal and strategic signaling.

Sources - China in Europe: May 2025 (Council on Foreign Relations) — https://www.cfr.org/articles/china-europe-may-2025 - Cyber Operations Tracker (Council on Foreign Relations) — https://www.cfr.org/cyber-operations/