From Sony Pictures to NotPetya, there has been a steady uptick of governments calling out and identifying the perpetrators of cyber incidents. This shift partially reflects a more developed posture for governments responding to cyber security challenges. Cyber security remits have long been delegated to signals intelligence (SIGINT) agencies and specific cyber security bodies, yet calling out other states in such a public manner naturally involves a broader set of stakeholders — including the executive and various internationally-facing departments. Cyber security responses are therefore emerging as an increasingly important component of statecraft. Yet, the role of governmental public attribution remains under-analysed and misunderstood.
Governmental attribution claims are not conducted for the same marketing purposes as is often the case with private sector APT reports. Nor are governments attributing solely due to the level of confidence related to an aggressor’s identity — SIGINT agencies have long attributed internally without putting these assessments into the public domain. For governments, going public involves an altogether different set of considerations and cost-benefit calculations. Public attribution might represent an end in itself or simply be a first step for a government seeking to justify further action against an aggressor. If going public is an end in itself as a form of signalling, then a wide menu of options is available, each with its own trade-offs. Governments could simply blame a state without evidence, or they could provide technical information to back up their assertions. Alternatively, states could provide technical information exclusively, allowing others to make an assessment of an aggressor’s identity. Even when governments refrain from publicly attributing, they are not necessarily passive — indeed, many governments will opt to signal to aggressors via more covert means.
An interesting development of late has been the emergence of multiple states attributing simultaneously. All of the Five Eyes community (Australia, Canada, New Zealand, the UK, and the US) publicly attributed the WannaCry worm to North Korea. They also tied NotPetya to Russia alongside Denmark, Estonia, Lithuania and Ukraine. These attribution coalitions contain interesting political dynamics. Cost-benefit calculations shift as more states attribute at the same time. We might not expect Lithuania to call out Russia independently, yet as part of a larger group there is at least some element of safety in numbers. Going forward, we might start to see attribution cascades — as more states commit to attributing, it becomes easier for other states to join in with the political costs reduced. Indeed, at a certain point, states stand out not in going public, but through staying silent. As Thomas Rid noted in the case of NotPetya attribution claims, where were France and Germany?
Attribution coalitions have clear political merits. It is harder for an aggressor to deny their role in an operation when there are ten or more states attributing compared to just one. Group attribution also has underappreciated norm-building potential. When a significant and influential portion of the international community publicly comment, it is made clear that the behaviour of an aggressor is deemed unacceptable. Indeed, coordinated public attribution initiatives might provide a more productive and nuanced way to gradually develop norms when compared to previous efforts such as the UN Group of Governmental Experts (GGE) that were perhaps overly forced.
Governments therefore sit at an inflection point. Instances of public attribution have often been thin and sporadic, yet there is the potential for a more systemic approach going forward as governments ramp up their efforts and begin working together. There remains a lot that we do not fully understand, however: what are the specific political outcomes and trade-offs attached to the various attribution messaging strategies; when should governments signal covertly vs publicly; what role will private sector firms play in such coordinated attribution statements (if any)? There are also question marks about the extent to which this is exclusively a ‘cyber’ issue — the West’s response to the Russian Skripal poisoning contains clear overlaps with this issue, suggesting that broader attribution strategies are beginning to form. For anyone interested in these issues, Florian Egloff is doing some really exciting research that is seeking to make better sense of attribution (at both a strategic and conceptual level), and is one of the only researchers I know who is measuring these dynamics empirically, backed up with solid data.
In any case, the topics of attribution and threat intelligence are about to become more interesting — and above all, more political.