How To Get To “Reasonable Certainty” on a Russia Finding

If you had a choice between blaming a cyber attack on a foreign individual or on a foreign government, who would you be better off blaming?

If you said government, you’d be right; especially if you were a government or quasi-government agency. The reason is that under international law, when attacked, a government only has recourse against another government. If the attack was conducted by a group of individuals or “non-state actors”, those individuals would have to be under the control or direction of a government in order for you to respond with your own use of force.

And it’s not enough to simply claim that a non-state actor is part of a government agency, as CrowdStrike did with Fancy Bear and Cozy Bear. You have to prove attribution at the nation-state level; not beyond a shadow of a doubt, but with reasonable certainty.[1]

What Constitutes Attribution?

International law sets out the requirements a State must meet before it can attribute a network attack on a target within its territory to another State. The commentary to the Draft Articles states the general rule:

“Thus, the general rule is that the only conduct attributed to the State at the international level is that of its organs of government, or of others who have acted under the direction, instigation or control of those organs, i.e. as agents of the State.”[2]

Since the vast majority of discovered breaches and cyber attacks that damage networks are conducted by non-state actors, attributing those attacks back to a State becomes a highly complex challenge that’s governed in large part by the principles embodied in the Draft Articles on the Responsibility of States for Internationally Wrongful Acts.

The actions of private individuals and groups are not attributable to a State under international law; only the actions of the State’s own organs are, with two exceptions [3]:

  • When they are acting on the “instructions of a State”
  • When they are acting “under its direction or control”

Is the Russian Government Responsible for the Actions of Russian-speaking Hackers?

It appears that Russian-speaking hackers were responsible for a number of attacks related to the election, with the exception of the Arizona and Illinois election database attacks. There’s plenty of technical evidence to support that theory. There is also ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department.

If it cannot be shown with reasonable certainty that those hackers were controlled by or acted under the instructions of the Russian government, then it becomes a federal law enforcement matter.

If, on the other hand, there is evidence that shows this was a Russian government run operation, then the U.S. government is entitled to respond in kind.

Present the Evidence

The ODNI/DHS statement’s opening paragraph ends with their rationale for placing blame on the Russian government:

“We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

I have no explanation for what the author of that statement was thinking when he or she composed it. It is, in my opinion, ludicrous on its face. There is nothing about the attacks against the DNC, the DCCC, high-profile email accounts like Podesta’s, or even election databases like those in Arizona and Illinois (which the ODNI/DHS statement specifically excluded) that precludes them from having been carried out by any individual hacker or hacker team from anywhere in the world, on their own, and without any government control or direction.

The CIA has allegedly determined that the Russian government acted to help Trump win because the attackers didn’t release any Republican emails. However, there’s a simpler explanation. The Russian people, and that includes Russian hackers, love Donald Trump and hate Hillary Clinton. So the hackers involved in this attack only released the Clinton emails.

Is this really so surprising? After all, the French people love Jerry Lewis. If Jerry Lewis were running for President against Hillary Clinton, French hackers might very well have done the same thing as Russian hackers: attack Hillary’s campaign and hope that Jerry wins. Would that have meant that the French government directed the attacks? Not at all. Would it be possible that the French government directed the attacks? Sure, but you can’t just claim it. You have to prove it to a level of reasonable certainty.

An Independent Commission

What we need today is an independent, bipartisan commission composed of individuals with sufficient technical understanding to review the source evidence behind the ODNI/DHS statement and ask hard questions of those involved, up to and including the executives of the commercial cybersecurity companies that had a hand in the U.S. government’s finding of responsibility against the Russian government. Let’s get to reasonable certainty, please.

NOTES

[1] Kenneth P. Yeager v. The Islamic Republic of Iran, Iran–U.S. C.T.R., vol. 17, p. 92, at pp. 101–102 (1987): “in order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State”

[2] Draft Articles on the Responsibility of States for Internationally Wrongful Acts, with commentaries, Chapter II, paragraph (2), 53 UN GAOR Supp. (No. 10) at 43, U.N. Doc. A/56/10 (2001)

[3] Schmitt, Michael N. and Vihul, Liis, “Proxy Wars in Cyber Space: The Evolving International Law of Attribution” (May 31, 2014), I(II) Fletcher Security Review 55–73 (2014). Available at SSRN: http://ssrn.com/abstract=2388202