A few weeks ago, one of my clients sent me an article. He thought it compelling and urged me to read it. He was right, since it contains an interesting approach to the problem of attribution of cyber attacks.
Attribution (‘who dunnit?’) is one of the key problems of responding to cyber attacks for several reasons. It can take quite a while until IT forensics reveal the actual actor, if possible at all. More often than not the culprits have hidden themselves successfully behind fake identities and proxy servers, preferably in other countries.
Take for example the 2007 cyber attacks on Estonia: the attacks traced back to computer servers all over the world, including the US, but it was clear Russian patriotic hackers were behind it (see Jeffrey Carr’s analysis for instance, Inside Cyber Warfare, 2009).
But attribution is important. Why? Because the actor and his nature determine the target and legal context of response: should it be law enforcement, counter terrorism, military, or even something else? Without absolute certainty on the origins of the attack, a lot of policy makers dare not to move.
In ‘Beyond Attribution: Seeking National Responsibility for Cyber Attacks’, Jason Healey of the Atlantic Council takes a different approach from the technical, bottom-up one. Instead of placing the emphasis on back-tracing the bad guys, he focuses on the responsibility of the State. We do not need to know exactly who pressed the button, we just have to turn to the State of his most probable origin and ask it to stop the attack.
A State can respond in different ways, ranging from full cooperation, to ignoring the request, and even to participating in the attack. From a policy and diplomatic point of view this opens all kinds of existing ways to conduct a dialogue with that country (right up to military response).
This is an extremely interesting approach, because until now, the attribution problem more or less took the cyber discussion hostage. That discussion is still technology dominated and thus approaches attribution from a bottom-up direction: can we prove it 100% with technical evidence? Usually you can’t or it takes a very long time. Healey’s approach bypasses that hurdle and addresses the responsibility nations have under international law. And that makes good sense, because there is always more intelligence than just cyber traces. Human intelligence, geopolitical events, open source… it can all give a very clear clue about who’s behind an attack or where it is originating from, especially the larger ones.
Take the cyber attacks on Georgia (2008) or the digital espionage at Google and several other American companies (2009/2010). It soon became quite clear where the responsibility lay for those attacks, although those countries were not necessarily conducting it themselves.
This is a very appealing move forward in the international fight against cybercrime. However, it will probably be less attractive for countries with a flourishing hacker scene AND full control over their part of the internet, because it will take away their current escape (“We are not the ones attacking you and not able to stop everything that takes place on the internet…”, or “We are a victim as well!”). And it may require some diplomatic muscle too, persuading such countries to cooperate. But if stopping cyber attacks is your immediate concern, State responsibility is definitely your ally.