Attribution — determining the identity or location of an attacker or of an attacker's intermediary. In cybersecurity, attribution is a particularly difficult problem because adversaries can mask their identity or even launch attacks from deceptive, unwitting locations (e.g. using a hospital's network as a staging ground).23
As cyberspace has become increasingly weaponized, determining the perpetrator of an attack, in order to impose costs on the attacker and prevent future attacks, has become more important. In contrast to traditional crime, in many contexts this determination is made by private actors responding to a cyberincident, which is particularly salient when private actors accuse nation-states of criminal activity. A key policy question on attribution is: how should government engage with the private sector when the private sector publicly alleges that a particular actor is responsible for a given attack? In private, for purposes of research and intelligence gathering, attribution — connecting an alleged adversary to a given attack — has limited potential consequences. Furthermore, attribution is core to the work of researchers and security teams: knowing that a particular adversary is likely responsible for an intrusion allows responders to draw on documentation of the tools and techniques that adversary has historically used, and so to respond to an incident more quickly.24 Policy stances on attribution principally hinge on two positions: the government's obligation to respond to a claim of attribution, and the government's validation of a particular company's attribution of an attack to a particular adversary:
- Governments can have a standing policy under which no obligation arises out of attribution. In practice, this would mean that if a company asserted that a given actor, whether a state or an individual, had attacked an entity, the government would have no affirmative obligation to act on that assertion. Alternatively, the government could be obligated to respond, and at least to investigate credible claims of an attack against one of its citizens by a foreign or domestic actor.
- When the private sector makes public claims about the identity of a given attacker, governments have two choices: to publicly validate or invalidate the claim, or to avoid public comment.
The risks and benefits of policy also vary on these two axes:
- If a government's policy is that no obligation arises out of attribution, then there are limited short-term collateral consequences when a company asserts that a particular actor is responsible for a given crime, and less opportunity for an incident to escalate into a diplomatic issue. In the long run, however, failure to attribute an attack could undermine a country's deterrence posture, inviting future attacks and eroding public confidence. Additionally, in the absence of a government reaction to attribution, efforts to coordinate research on the actors behind a given attack may be delayed. Where a government has an affirmative obligation to act on attribution claims, the potential short-term collateral consequences are magnified. For example, if a state is accused of perpetrating an attack, the host state risks worsening diplomatic and economic relations with the alleged attacker state if it affirms the attribution. The host state may also reveal capabilities or vulnerabilities that are better kept concealed. In the long run, however, attribution may improve a country's deterrence posture, limiting future attacks and building public confidence.
- A policy of validating private-sector claims of attribution risks private companies being treated, in effect, as appendages of government, hampering the ability of some businesses to operate outside a given country because of their association with a national government. Furthermore, such a policy is fundamentally impracticable in the long run for multinational organizations. In the hypothetical case of country-related claims of attribution, if a company operates in 100 countries, any single country's insistence on validating such claims could be countered by a conflicting demand from another country in which the company operates. Multinationals would then be forced to choose between their customers and national demands.
Most commentators agree that while attribution is technically possible, in practice few private-sector actors have the capabilities to establish it reliably, and many of those that do are headquartered in the United States. Reliance on private-sector actors for attribution, particularly given the geopolitical risks, may therefore produce a system that is brittle to accusations that national loyalties cloud judgement.25
Policy model: Attribution
Key value trade-offs created by attribution policy
Connecting policy to values
Attribution policy brings into high relief certain trade-offs between security, economic value, accountability and fairness:
Increased public-sector validation of private-sector attribution claims may improve security over the long run, depending on how such a policy is implemented. Greater awareness among private-sector firms of how specific adversary teams use particular tools and techniques to compromise networks will inform efforts to develop technology and processes that counter those techniques. Note, however, that the security improvement depends far more on understanding how specific adversaries operate than on the nation-state component of attribution itself, which is of limited practical value for most security practitioners.
The economic value of public-sector validation of attribution claims is ambiguous in the short run and positive in the long run. In addition to reducing cyberincident costs, public-sector validation will financially reward the few private-sector firms capable of establishing attribution, acting as a form of "approval" that testifies to the accuracy of a given firm's work. But there are also costs associated with building sufficient and sustainable attribution capacity in government and, in some circumstances, public-private collaboration may affect perceptions of a company's independence.
An increased role for the government in responding to private-sector claims of attribution will increase accountability. The government’s heightened responsibility will not only increase its own accountability but also that of the private sector, whose attribution claims will be scrutinized. The private sector will either improve its own attribution capabilities, or it may defer entirely to the government to avoid both the costs and risks of being incorrect.
However, an increased role for public-sector validation will decrease fairness in terms of both security and economic value. Very few security teams have the operational capabilities to benefit in practice from the public sector investigating and sharing the tools and techniques used by adversaries, particularly nation-states. Additionally, very few firms are able to establish an adversary's identity, and those firms may be differentially rewarded by the market for proof of their capabilities affirmed by the public sector.