The Attribution Problem Comes Back to Tallinn
Every major cyber-conflict conference eventually returns to the same unsolved problem: technical certainty about who launched an attack rarely translates into a political or legal response that sticks. That tension was the throughline of CyCon 2026, NATO's 18th International Conference on Cyber Conflict, held May 26-29 at CCDCOE's home turf in Tallinn under the theme "Securing Tomorrow." The event drew more than 600 senior decision-makers and over 100 speakers from 39 member and partner nations, working through 21 peer-reviewed papers split across legal, strategy-and-policy, and technical tracks (Belfer Center).
The legal track's headline idea was procedural rather than doctrinal: instead of inventing new attribution law, use the machinery of the newly opened UN Convention against Cybercrime — its cross-border evidence requests and 24/7 cooperation network — to move faster from "we know who did it" to "we can prove it to a court or a coalition partner." It's a pragmatic instinct. Attribution has always had two separable layers — the technical (forensics, malware fingerprinting, infrastructure tracing) and the legal-evidentiary (chain of custody, admissibility, foreign-state cooperation) — and the second layer is where Western responses to state-linked ransomware crews and GRU-adjacent botnets have historically stalled.
A Treaty Built With Beijing and Moscow at the Table
The catch is which treaty CyCon's scholars want to borrow. The Convention against Cybercrime was adopted by the UN General Assembly on 24 December 2024 and opened for signature in Hanoi in October 2025, where 71 states plus the European Union signed on; it needs 40 ratifications to enter into force (UN Office of Legal Affairs). As of May 2026, only three states — Qatar, Azerbaijan, and Vietnam — had actually ratified it (Wikipedia, UN Convention against Cybercrime).
The United States did not sign at Hanoi. The State Department's line was noncommittal — "the United States continues to review the treaty" — but the substantive objections were loud: the convention could criminalize legitimate security research and exposes companies to sweeping foreign data requests (The Record, Recorded Future News). Microsoft warned publicly that the text would "weaken human rights online." The Electronic Frontier Foundation, joined by a global civil-society coalition, went further: the convention "obligates states to establish broad electronic surveillance powers... without adequate human rights safeguards" and, critically, "fundamentally lacks a mechanism for suspending states that systematically fail to respect human rights or the rule of law" (EFF joint statement).
The Case For Borrowing the Convention Anyway
The CyCon proposal deserves a fair hearing before it gets a rebuttal. Western states already share evidence bilaterally through mutual legal assistance treaties, and that system is notoriously slow — often too slow to matter for a ransomware group that has already laundered its proceeds. A multilateral instrument with a standing 24/7 cooperation network, even an imperfect one, could shrink the gap between forensic attribution and usable legal process for cross-border data preservation requests, exactly the kind of technical-to-evidentiary bridge NATO members have lacked. Using an existing convention, however flawed, is also cheaper and faster than negotiating a bespoke Western-only cyber-evidence treaty from scratch — a process that could take a decade.
Why the Same Mechanism Cuts Both Ways
But a cooperation mechanism is reciprocal by design — that is its entire legal premise. China, Russia, and dozens of other states with dramatically different rule-of-law baselines are already signatories to the same convention CyCon scholars want to lean on. A framework built to help a NATO member compel evidence from a cooperative jurisdiction is, by the same treaty text, available to authoritarian signatories requesting data from — or about — dissidents, journalists, and NGOs operating in or through Western jurisdictions. Estonia knows this dynamic better than most NATO members: its own diaspora and Russian-language population have long been targets of exactly the kind of politically motivated data requests civil-society groups warn the convention could legitimize.
This is not a hypothetical concern invented by advocacy groups. It is the same objection that kept the US off the signatory list and that motivated Microsoft's public warning. Building Western attribution practice on a convention whose most committed early ratifiers (Qatar, Azerbaijan, Vietnam) are not exactly rule-of-law exemplars risks legitimizing a tool that will be used against the open internet as often as it defends it.
Procurement as the Quieter, Better Idea
The legal track's other major thread — building international humanitarian law compliance directly into military AI procurement, rather than relying on after-the-fact legal review of systems already in service — is the more defensible proportionate-regulation model on offer at CyCon this year. Front-loading IHL analysis into acquisition requirements avoids retrofitting compliance onto systems already fielded, and it doesn't require borrowing legitimacy from a treaty regime with three ratifications and a boycotting superpower.
The Proportionate Path
Estonia's own 2026 cybersecurity report shows why the underlying attribution problem is real and growing: DDoS incidents against Estonian targets rose to 48,176 in 2025, up from 39,967 the year before, alongside roughly €29 million in reported scam losses (RIA, Cyber Security in Estonia 2026). NATO's attribution gap is not manufactured. But the fix should be a Western-led evidentiary framework built among trusted partners — expanding NATO's existing information-sharing arrangements or a Five Eyes-adjacent instrument — not a repurposed UN convention whose own drafting history is a case study in why broad surveillance powers without suspension mechanisms invite exactly the abuse Tallinn's scholars are trying to solve for.