Author : Anushka Kaushik

Expert Speak Digital Frontiers
Published on Oct 21, 2019
Public attribution and its scope and efficacy as a policy tool in cyberspace

Introduction

The quest for stability in cyberspace has seen governments try and test various policy tools and processes with little success. Even as countries come together under the aegis of the United Nations – in the form of the sixth iteration of the UN Group of Governmental Experts (UNGGE) and the newly formed Open Ended Working Group -to arrive at a consensus on cyber norms, there are definitional disagreements on what constitutes ‘stability’. Usual suspects like China and Russia have continued to stress their approach to regulation and governance which stems more from information control and less from securing networks, which is unlikely to change in the near future. The need to develop global norms that should guide governments’ behaviour in cyberspace, however, has never been stronger. Due to the ubiquity of digital networks and the Internet, cyberspace is undeniably a domain to carry out targeted attacks that seek to destabilise a country’s services and infrastructure. Calls of ‘cyber war’ and a ‘Digital Pearl Harbour’ may be exaggerated and/or problematic but there’s no denying that there’s a dire need to revisit the old rule book – or publish a new one altogether – to monitor and regulate unlawful activities in cyberspace. Over the past few years, a number of cyber-attacks made global headlines owing not only to the sheer scale of financial and infrastructural loss but because they were attributed to nation-states or groups with direct affiliations to governments. WannaCry, a ransomware attack that impacted almost one hundred and fifty countries in 2017 resulting in the loss of billions of dollars, was publicly attributed to North Korea by the governments of the United Kingdom and the United States.

Public attribution of a cyber-attack is increasingly being used as a tool by governments to draw red lines of what constitutes acceptable state behavior in cyberspace. The rationale of calling out malicious behavior is simple enough but as this paper argues, is grossly limited in its application and the ultimate goal of ensuing stability in cyberspace. It’s important to note that public attribution is not a tool used only by states. One of the most significant and possibly game-changing trends in the field of attribution – and politics of cyberspace governance by extension – has been the level of involvement of private sector firms in attributing cyber-attacks to governments and non-state actors. According to the Cyber Operations Tracker created by the Council on Foreign Relations, 85% of cyber-attacks resulted in some form of public attribution between 2016 and 2018, where 15% of those were carried out by governments. The countries to which attacks were most commonly attributed were China, Russia, North Korea, and Iran<1>

Why public attribution?

Attribution in cyberspace is notoriously difficult. It is a mix of behavioral patterns, technical forensics, errors made, style and methodology of an intrusion, geopolitical circumstances, and historical relationships. Attribution goes beyond the simple action of finding out who’s responsible behind aggressive behavior online<2>. It typically involves analysis at three levels; the technical (how), the operational (what), and the strategic (who and why)<3>. To deem a state responsible for a cyber-attack, however, is a complex process not least because there is no universal source of international law regulating principles of state responsibility and malicious behavior. Currently, a confluence of secondary sources and bilateral agreements provides suggestions to maneuver international humanitarian law in the context of cyber incidents. As instances of state-directed cyber intrusions have increased significantly, numerous governments have also set up Cyber Commands in the hope to thwart attacks and mitigate consequences. The use of a proxy in cyberspace, defined as “an intermediary that conducts or directly contributes to an offensive cyber operation that is enabled knowingly, actively or passively, by a beneficiary who gains advantage from its effect”, by states has tremendous consequences for the attribution process as well as the formulation of global norms<4>.

Public attribution of cyber-attacks is regarded as an important policy tool in cyberspace governance and regulation. There are several arguments made in favor of the naming and shaming doctrine – which is a common method used to deter bad conduct of other nations<5>. These range from its use as a deterrent to its abilities in rallying several countries towards a coordinated response against malicious behavior. In October 2018, the governments of The Netherlands, UK and the US publicly accused Russia’s intelligence authority GRU of orchestrating a cyber- attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) where investigations were being undertaken on the attempted assassination of Sergei Skripal<6>. Dutch Defense Minister Ank Bijleveld stated that this kind of public attribution was “intended as an unambiguous message that the Russian Federation must refrain from such actions”<7>. This somewhat coordinated international response harshly condemning Russia’s actions could contribute to the norms-building process and delineating what constitutes irresponsible behavior in cyberspace, as more countries establish red-lines.

Public attribution of state attacks is used as one of the tools of deterrence within cyberspace<8>. The rationale is simple; exposure of a government’s malicious activities with credible and verifiable evidence will deter them from continuing bad behavior. Increased involvement of private sector firms – some notable examples include CrowdStrike and FireEye – has prompted many to call for a more proactive role by governments in public attribution. The gist of the argument is that firms are guided by commercial interests and to ultimately sell their services and thus, should not be the primary actors attributing malicious activities to nation-states<9>. Furthermore, attribution of cyber-attacks to governments can be seen as interference with a country’s foreign policy, possibly disincentivizing firms to publicly share information<10>.

A final case in favor of public attribution by governments is premised on the sheer lack of regulatory and arbitration processes to address malicious behavior in cyberspace. While countries deliberate on applying Law of Armed Conflict or International Humanitarian Law to cyberspace activities and the twin UN processes get underway, there is complete uncertainty whether a single source for cyberspace regulation can be developed or if such a regulation is even necessary. With no recourse to international law and mounting state-directed cyber-attacks including the increased use of cyber proxies, public attribution becomes one of the very few ways of responding to state aggression.

Limited efficacy of public attribution

How successful has public attribution of cyber-attacks proven to be? Citing involvement of limited actors, failure of consensus-building to impose strict measures, and its narrow scope as a deterrent, I argue that we shouldn’t exaggerate its efficacy as a policy tool.

Involvement of few states

Looking at past cyber incidents, one can safely say that the theatre of public attribution only has a few actors. The Five Eyes – US, UK, Canada, France, New Zealand, and Australia – and The Netherlands have been far more active in public denouncements of state aggression in cyberspace. This is a small number given the magnitude of suspected state-directed cyber intrusions. In 2018, the White House National Cyber Strategy stated the importance of “working in concert with a broad coalition of like-minded states” towards cyber deterrence however this coalition has hitherto remained limited<11>. There can be several reasons why more states aren’t participating in denouncements. Public attribution is a decision guided primarily by geopolitical considerations and foreign policy objectives. Governments could have compelling evidence against a nation-state and still choose not to publicly accuse a state given strategic, political, or even domestic factors. Further, while technical attribution abilities are improving, the risk of misattribution is still quite high especially with the use of false flags, as seen in the South Korean Winter Olympics in 2018<12>. Attribution to a nation-state must have a high degree of credibility and transparency for it to be an effective tool and public denouncement might not be a risk worth taking for many victim governments. If public attribution is exercised only by a handful of governments, its efficacy in both norms-building and as a deterrent is severely limited.

Failure of consensus-building in imposing strict measures

Without imposing real costs and measures, publicly denouncing a government – especially repeat offenders – can end up being a futile exercise. However, building consensus for imposing sanctions among members of the European Union, for example, has been tricky. While the implementing guidelines outlined in the EU Cyber Diplomacy Toolkit have listed restrictive measures like sanctions, the EU has generally neither attributed cyber-attacks nor taken measures against states which have been identified as perpetrators<13>. In the case of the OPCW cyber-attack on the headquarters in The Hague, very few EU member-states publicly voiced their support to The Netherlands in condemning the Russian Federation. Getting twenty eight member-states of the EU to unanimously agree on restrictive measures on a state accused of perpetrating a cyber-attack is not likely. In addition to geopolitical considerations that may sway decisions of certain member-states against restrictive measures, differing technical capabilities and threat assessment indicators are also factors in opting out of public denouncements even within the aegis of the EU.

Similarly, even as NATO Secretary-General Stoltenberg stated that the collective defense doctrine is applicable to cyberspace, the expectation that allies with differing intelligence capabilities and technical wherewithal will be on the same page in cyber attribution processes seems problematic. If the likelihood of public attribution being followed by concrete measures is low, denouncements alone might be ineffectual in the long-run.

Narrow scope as a deterrent

For public attribution to be an effective deterrent, it has to be credible and evidence based. Unsurprisingly, states have been reluctant to reveal too many details about their attribution processes and how they reached certain conclusions, which are usually arrived at through a mix of technical, operational, and strategic factors. While there are obvious incentives for this decision, not providing substantial proof hurts the credibility of the government attributing an attack as well as allows a certain level of plausible deniability to the accused state. Further, according to the 2015 UNGGE report, countries must substantiate claims of international wrongdoings by states. In the case of the Wanna Cry attribution in October 2018, the US provided almost no public evidence that led them to believe it was North Korea and did not reveal plans for retaliatory measures, arguing that the aim was to increase accountability. Almost a year later, in September 2019, the US Department of the Treasury announced sanctions targeting Lazarus and two other hacking groups, believed to be affiliated with the North Korean military. The Catch-22 at play – where governments cannot reveal their attribution processes but need to show credible proof for effective cyber deterrence - renders the abilities of public attribution as a deterrent limited especially if it’s neither followed by concrete measures nor supported by additional states.

Conclusion

Given that there’s currently no regulatory mechanism or consensus on what constitutes appropriate behavior in cyberspace, there are limited options at the disposal of policymakers to address rapidly growing tensions precipitated by state sponsored cyber aggression. As cyber-attacks increase both in number and scale, some countries have used public denouncements of accused governments as a way to enforce accountability and deter future attacks. This strategy can be useful and plays an important role in affirming culpability of malicious behavior. However, its application is limited for three reasons; the involvement of only a few states, the failure of consensus-building to impose strict measures, and its narrow scope as a deterrent.

The credibility of attribution still remains a challenge, more so since states are constrained by how much their intelligence authorities can actually reveal while communicating to the public. Alternative mechanisms like stateless attribution by the RAND Corporation, for example, which calls for a Consortium that would provide an independent investigation of major cyber incidents and would ideally exclude the formal representation of nation-states, have potential to introduce a greater level of credibility<14>. Additionally, companies like Microsoft have previously suggested an international body for peer-reviewed technical attribution for major cyber-attacks. While it’s difficult to predict how viable such a model will be, working on standardizing and framing attribution could improve the process considerably.


This essay originally appeared in Digital Debates — CyFy Journal 2019.


Endnotes

<1>Cyber Operations Tracker”, Council on Foreign Relations, last modified July 1, 2019.

<2> Kaushik, Anushka, “Attribution in Cyberspace: Beyond the ‘Whodunnit’”. GLOBSEC. May 2018.

<3> Rid, T & Ben Buchanan. “Attributing cyber-attacks” Journal of Strategic Studies, 38, no. 1-2. December 2014.

<4> Maurer, Tim. “Of Brokers and Proxies”. In Cyber Mercenaries: The State, Hackers, and Power, 1-68. Cambridge: Cambridge University Press 2018.

<5> Baker, Stewart, “The Attribution Revolution”. Foreign Policy. 17 June 2013.

<6> Crerar, Pippa., Jon Henley and Patrick Wintour. “Russia accused of cyber-attack on chemical weapons watchdog”. The Guardian. 4 October 2018.

<7> Sanders-Zakre, Alicia. “Russia charged with OPCW hacking attempt” Arms Control Today. November 2018.

<8> Painter, Chris. “Deterrence in Cyberspace”. Australian Strategic Policy Institute, June 2018.

<9> Rich, William. “The US leans on private firms to expose foreign hackers”. The Wired. 29 October 2018.

<10> There are several arguments furthered in favour of the increased involvement of private sector firms including sophisticated technical attribution capabilities, credible and evidence-based deterrence, which are not within the purview of this paper.

<11> National Cyber Strategy of the United States of America. September 2018

<12> Greenberg, Andy. “Hackers have already targeted the Winter Olympics – and may not be done”. 1 February 2018.

<13> Ivan, Paul. “Responding to Cyber Attacks: Prospects for the EU Cyber Diplomacy Toolbox”. European Policy Centre. March 2019.

<14> Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017.

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.

Author

Anushka Kaushik

Anushka Kaushik

Anushka Kaushik is currently running the cybersecurity policy programme at theGLOBSEC Policy Institute in Bratislava and is responsible for the organisationsresearch efforts and initiatives in ...

Read More +