Attribution is what states make of it

It is high-time for the Europeans to wake up from their hopes and dreams to build norms and rules for state behaviour in cyberspace.

The ability to attribute malicious cyber incidents to an individual, group, or nation state is a critical tool that is increasingly shaping the foreign and defence policies on both sides of the Atlantic.

In the United States, the hack into the Democratic National Convention, and the subsequent political struggle on how to adequately deal with Russia’s interference in the 2016 US Presidential election, is still wreaking havoc across Washington. Despite the combined intelligence assessments of the CIA, DHS, FBI, and NSA, pointing the finger straight at the Kremlin for trying to influence the US election, President Trump has been continuously flip-flopping on the issue, stating in July that, “I think it was Russia, but I think it was probably other people and or countries. […] Nobody really knows. Nobody really knows for sure.” In August, Congress overwhelmingly approved a sanctions bill to counter America’s adversaries, which among other items also targets Moscow for undermining the cybersecurity of the United States. With President Trump reluctantly signing the bill and the State Department missing the October 1st deadline to implement sanctions, lawmakers on both sides of the isle have become increasingly weary of the administration’s reluctance to punish Russia. On October 27, the State Department finally announced that it will leverage sanctions against senior Russian officials and the nation’s defence and intelligence sector.

In Europe, the European Council finally moved forward with the development of a framework for a joint EU diplomatic response to malicious cyber activities, the so-called cyber diplomacy toolbox. While, in contrast to the US, no national election in an EU member state has so far become the victim of a sophisticated influence operation by a foreign nation state (although the 2017 French Presidential election came close), the continent has experienced numerous breaches and intrusions into the IT systems of NATO, the OSCE, France’s TV5Monde, the German Parliament, and numerous other European government institutions and private sector companies.

Yet, despite the growing political importance of determining ‘who did it,’ the public debate on the necessity to attribute cyber incidents is only slowly gaining traction. Speaking at DEFCON in 2016, Jake Kouns, CISO at Risk Based Security, for instance noted that for most companies and organizations it does not really matter who attacked you, “you got to deal with the breach, you got to deal with the problem. The fact that you got hacked is the issue.” Independent cybersecurity researcher Scot Terban made a similar argument three years prior in his talk at BSidesLV, which was adequately titled ‘Attribution Shmatribution! FIX YOUR S**T!’ Indeed, from a purely technical perspective a network defender will always focus on improving the security of his system first, rather than trying to punish the attacker. As Terban succinctly summarized, “better your environment, don’t be hooked up with China, China, China.”

At its core however, attribution is not a technical issue, but a political one. As such the purpose of attribution is deeply embedded in both domestic and international law, and plays a fundamental role in deterrence policies. In other words, attribution tackles thevery basic concerns about responsibility for actions that lead to conflict or harm. Secondly, cyberspace is an offense-dominant domain, primarily because the internet was not designed with security in mind, leading to a situation in which a dollar spend on offence buys far more than a dollar spent on defence.

One of the major stigmas that attribution is still contending with today, is the widespread believe that identifying the source of a cyberattack is impossible, because the attacker can use tools to cover his tracks and there is no physical act to observe. This technical conundrum, widely known as the ‘attribution problem,’ primarily stems from a limited understanding of the attribution’s multidimensional process, as well as the fundamental misconception that digital forensics alone can lead to a high-confidence attribution assessment.

Attribution is inherently a multidimensional process which takes into account information from a wide range of sources. According to Herb Lin, Senior Research Scholar for Cyber Policy and Security at Stanford’s CISAC, this includes: signal intelligence, human intelligence, open source intelligence, intelligence shared by allies and friends, pre-positioned implants on adversary networks for cyber-enabled intelligence collection, geopolitical circumstances, digital forensics, and historical comparisons and relationships. Indeed, according to Thomas Rid, Professor of Strategic Studies at Johns Hopkins University, the attribution of cyber incidents is “already more nuanced, more common, and more political” than generally acknowledged.

So why are attribution judgments still having such a hard time when it comes to determining ‘who did it’? Let us briefly look at one example in Europe to showcase the dilemma.

On April 8, 2015, a group portraying itself to be the Cyber Caliphate – e.g. the Islamic State’s Hacking Division -, took control of the website and social media accounts of TV5Monde, France’s largest global television network, and replaced the content with pro-ISIS propaganda. Simultaneously, eleven of TV5Monde’s broadcasting channels were knocked off the air completely for four hours.

In the immediate aftermath of the incident, several politicians, including then Minister of the Interior Bernard Cazeneuve, attributed the attack to the Islamic State, noting that “numerous elements converge to suggest the cause of this attack is, indeed, a terrorist act.” Meanwhile, media outlets around the globe ran with the headline: ‘French broadcaster TV5Monde hit by Islamist hackers.

It took more than two months for French investigators to dispel the public notion that the attack was conducted by the Islamic State. In June 2015, French judicial sources talking to both Reuters and AFP revealed that a preliminary investigation by the prosecutor’s office responsible for counter-terrorism led investigators to focus on the Russian cyber espionage group APT28 – which is widely believed to be associated with Russia’s military intelligence agency GRU. Responding to the news, Jen Weedon, manager of threat intelligence at cyber security company FireEye, explained thatthere are a number of data points here in common. […] The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past.” Furthermore, metadata recovered from the digital evidence left behind on the affected machines at TV5Monde, confirmed that the code was written on a Cyrillic keyboard at times corresponding to the working hours in St Petersburg or Moscow.

Further details on the attack emerged in October 2015, when Yves Bigot, director-general of Tv5Monde, was interviewed by BBC’s Gordon Corera. According to Corera “the attack was far more sophisticated and targeted than reported at the time,” with the intruders leveraging seven different entry points to penetrate TV5Monde’s network in January 2015 – three months prior to the actual attack. Overall the conclusion was reached that the perpetrator’s aim was not espionage or even to conduct an influence operation – as first suggested – but to physically destroy hardware and take down the entire TV5Monde channel. Indeed, the only thing that saved the television network from total destruction was pure luck, as the station’s technicians were already in the building on other matters and could swiftly disconnect the affected machines.    

In June 2017, more than two years after the attack, France’s National Cybersecurity Agency (ANSSI) in cooperation with TV5Monde, made the unprecedented decision to hold a public presentation at the cyber security conference SSTIC2017, to reveal details about the investigation, the remediation process, and the lessons learned. To date, there has been no official government statement attributing the cyberattack on Tv5Monde to Russia, nor is it known whether Paris implemented any foreign policy responses in reaction to the attack.

The bottom line is that the attribution of malicious cyber incidents is inherently about what states make of it. Particularly in Europe, the persistent silence, political caution, and non-responsiveness to the myriad of cyber incidents on the continent, have emboldened foreign nation states to trample on international law and undermine global stability. It is high-time for the Europeans to wake up from their hopes and dreams to build norms and rules for state behaviour in cyberspace, and get their hands dirty by deterring and publicly calling out nation states and their malicious conduct in cyberspace.    

This article was originally published by in the Sept/Oct. 2017 Issue under the title “Can we survive a cyber war?

The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.


ECFR Alumni · Former Cybersecurity & Defence Fellow

Subscribe to our weekly newsletter

We will store your email address and gather analytics on how you interact with our mailings. You can unsubscribe or opt-out at any time. Find out more in our privacy notice.