The Attribution Game: The Challenges and Opportunities of cyber attribution in policy-making

Reuters/Jonathan Erst
‘Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems… as dependent mainly on available forensic evidence.’ ‘Attributing Cyber Attacks’, Prof. Thomas Rid & Ben Buchanan

The question of “Who-done-it?” dominates all efforts from the crime scene to the court of law; a case can only be considered solved when the culprit of the crime has been identified and convicted. In the era of DNA identification and video monitoring, this strict guilty-versus-innocent divide poses little issue in the physical realm where an excellent standard of criminal investigations can be observed in most developed countries.

This vision is nevertheless out of touch with the reality of the attribution process in cyberspace.

While forensic evidence can be acquired — ‘Indicators of Compromise’ (IP addresses, domain names, etc.) and unique attack signatures (patterns of behaviours, malware utilised, etc.) — it is extremely difficult for experts to identify any one set of culprits without significant risk. High potential cyber attacks are typically designed to cloak the identities of their designers and are often founded on the basis of deceiving the target from realizing the true extent of the damage incurred until it is too late, often resulting in infection of IT networks without visible effect for months after the network intrusions were made. This lag allows for infections to assimilate themselves into the crowd of Internet traffic before the attack by displaying regularly innocent patterns of behaviour. For example, cyber security firm Fireye’s investigation of Operation Poisoned Hurricane in 2014 detailed how malware trying to infiltrate the networks of several Asia-based internet service providers and other private businesses by disguising itself as routine internet traffic with genuine digital certificates. As the extent of damage of cyber-attacks are unknown, hidden or unforeseen, ‘digital crime scenes’ cannot be investigated in the same vacuum that forensic experts enjoy in the tangible sphere.

The issues of attribution are both what makes cyber such an enticing realm for would-be attackers and such a problematic issue for statesmen.

Extending the issues previously detailed into the context of International Relations, it’s easy to see how incorrect attribution can cause a cascade of undue escalation and insult by the accusing party. Tracing a given attack to a server or network of servers within a state does not clearly implicate that state’s government itself as a perpetrator nor does it assume that state is passively complicit or even aware of the attacks being launched. Individuals and small groups are perfectly capable of launching major cyber attacks, as the computer is the ultimate force multiplier, and IP addresses can be easily ‘spoofed’, or bounced endlessly around the globe through proxies to confuse solid attribution.

Many policymakers may be willing to make logical jumps in the attribution process due to its inherent lack of clarity. The lack of certainty surrounding cyber attack attribution allows statesmen to blame geopolitical adversaries for the attacks. No one is standing in the room pointing a smoking gun at the targeted computer. Furthermore, ‘militant’ cyber actors are not necessarily associated with a state, and governments can easily distance themselves from inconveniently uncovered hacking groups they covertly support. For example, were an attack akin to the Shamoon Attacks perpetrated by the Shia-affiliated ‘Cutting Sword of Justice’ on the Saudi state oil firm Aramco in 2012 to happen again, Iran would inevitably be blamed for tacit complicity if not direct involvement, regardless of its actual agency in the attacks themselves. Attribution in this circumstance is not concerned with technical evidence of guilt, but rather with the Saudi government’s foreign policy narrative that Iran is behind all seditious actions in the region, from chemical weapons in Syria to Shi’ite militia atrocities in Iraq, to the Houthi movement in the Yemen.

On the other hand, intentional misattribution –in the form of scapegoating to non-state actors– presents a convenient tool for statesmen in some circumstances. Offence is at a massive advantage in cyber. When securing a network from attack, one must ensure the constant safety of every single system on the defended network. When an attacker attempts to access a target network, only one server or device must be compromised to gain access to a network. The logical threshold for the use of force in cyberspace is thus low. This incentive towards offensive action is amplified by the fact that statesmen can easily pass off responsibility and liability onto non-state actors, such as so-called ‘hacktivists’, from which they can disassociate state intelligence agencies and militaries.

‘Hacktivists’ represent both an easy scapegoat for aggressor states and a convenient culprit for victim states because, as pointed out in a WIRED article pointed out last year, ‘[hacktivists”] geopolitical interests and motives often jibe with a state’s interests.’ Cyber is not simply a revolutionary gimmick to be dealt with by niche experts and private corporations. Just as the airplane quickly went from being invented to being a crucial part of national defence, commerce, and transportation, states are already realising the political utility the Internet provides is now central to the execution of policy. Cyber is both damaging and useful to states’ national interests, but it cannot be ignored, as its uses and effects are clearly set to increase, not decrease.

The unconvincing inaccuracy of cyber attribution has also led to a growing mistrust of the public sector. Some corporate actors have even sought help from private contractors which hire ex-hackers to conduct retaliatory attacks on behalf of those companies. The lack of confidence in the state’s ability to perform its most basic security duties is a threat to the very raison d’être of law enforcement. This phenomenon reduces the state’s ability to control its response in the face of potentially politically damaging cyber attacks. Furthermore, as Thomas Rid coins it, when it comes to conducting investigations as they, unlike private companies, often have the mandate to collect from a wider scope of information, covertly or otherwise. The outsourcing of cyber-security dulls down the credibility and efficiency of a state’s response to cyber-attacks.

Ultimately, attribution is what the actor makes of it. Avoiding ‘attribution fixation’, the obsession of ascribing agency to an actor, will be essential in how successfully governments and companies can use the cyberspace as a means to their ends. It can be a tool for geo-political advancement, a technical obstacle to overcome, or a damaging libel risk for states with active domestic hacking communities. Cyberspace cannot be viewed as a problem, nor as a solution. It is an operational space like any other, though currently popularly misunderstood and lacking the regulations and norms of kinetic battle spaces.

This article was originally written by Jackson Webster and myself on Strife Blog. Strife has a brand-new website from which you can read great informative content on anything conflict-related.