Attributing attacks: Political, technical and legal dimensions

17 Nov 2020 15:30h - 17:00h

Event report

In her opening remarks, Ms Marietje Schaake (Former Member, European Parliament) drew attention to the severity of current cyber-attacks targeting healthcare systems and hospitals by saying that an IT system can be rebuilt or reset, but that human ‘costs’ are often final and irreparable. We hear attacks being mentioned in the news, but we almost never hear about the accountability that follows, and difficulties regarding cyber attribution only add to this.

Ms Johanna Weaver (Special Advisor to the Australian Ambassador for Cyber Affairs) tried to define attribution in cyberspace by stating that: it is not new to the world; it may be done publicly and privately; it is a means for reaching other aims; and deeds can be attributed not only to states, but also to individuals and companies. Ms Camille François (Chief Innovation Officer, Graphika) added that attribution is not just ‘a set of technical hops to go through. It is an art of strategic, political considerations’. For the technical community, attribution means fact-finding, stated Mr Serge Droz (Board Chair, FIRST). Attribution has the eventual purpose to draw attention to particular actors, but the CERT community wants to stay away from blaming. Mr Jens Monrad (Head of Mandiant Threat Intelligence, EMEA, FireEye Inc) added that, from the operational perspective, attribution is more about how it was done, rather than by whom. Mr John Scott-Railton (Senior Researcher, Citizen Lab) pointed out that the cybersecurity industry and the intelligence communities developed a series of practices and language around attribution, but that there is a radical disconnection between this language and the political reality of public attribution discussions.

Weaver shared the practice of the Australian government on how they decide to make a public attribution. First, they go through a factual assessment which includes technical indicators as well as the broader context of the current geopolitical environment. Second, they do a legal assessment that looks at the law of responsibility, distinguishing between state and non-state actors. After the legal assessment, the government makes a decision whether to make the attribution public or not. The last step may be called political attribution, though Weaver warned that this is not the case.

Schaake asked why certain stakeholders would want to participate in the attribution process. François noted that many research institutes, when attributing, tend to follow specific sets of guidelines, and have a higher bar for showing their forensics. Companies like Microsoft, Facebook, Twitter, and Google participate in attribution to create a sense of accountability: ‘When they do that, I think it does create a sense of accountability from the private sector, more often than not, they’re saying we see you, we won’t let this activity happen on our services, but it is different from having a government attribution,’ François said.

Droz mentioned that civil society is not eager to involve itself in the attribution process. Scott-Railton added that corporate security players sometimes go to civil organisations to ‘help with security, name and shame attack viruses, put an intrusion detection box on a network and write a fancy report that does not highlight the issues of civil society’. It is rare to see this degree of clarity from governments and the private sector in cases that the Citizen Lab works on. François added that civil society often looks at places that are gigantic blind spots for people who work in national security, such as information influence operations.

During Q&A with the audience, the speakers also discussed the idea of independent public attribution mechanisms that can be built on transparent and strong attribution methodologies and principles, and include the private sector and academia.