The past several weeks have been an exciting time in the realm of cyber security – and especially the more narrow, less understood field of (potential) “cyber war”. Starting approximately two weeks ago (writing on 25 June 2019), there began a bombardment of news, with reports that:
- The XENOTIME activity group started probing US electric utilities in mid-2018 (disclosure: this is research which I am deeply involved in through my employer, Dragos)
- The US allegedly has conducted extensive operations against the Russian electric sector in response to perceived Russian activity
- Russia in turn has promised “cyberwar” in response to US actions
- Iran has stepped up operations against US targets as tensions in the Persian|Arabian Gulf escalate (based on personal and professional work on this subject, I can confirm that Iranian-linked entities have definitely stepped up and expanded operations to US targets)
- And in response to the above actions as well as the downing of a (very large and expensive) US UAV, the US allegedly launched cyber operations against both Iranian weapons systems and Iranian intelligence operations
Overall, the world seems to find itself in a rather interesting position vis-a-vis the presence (and likely escalation) of what formerly was a very rare concept: cyber war. A core principle of warfare is knowing who the belligerents are in any scenario, thus determining who is the perpetrator of an attack – as well as the target for a first or retaliatory strike. In the realm of physical attacks, this is typically easy to discern (outside of proxy and irregular conflicts) due to pure matters of geography, physics, and material used to prosecute an attack.
The world of “cyber”, however, is different in that purely physical manifestations of source, direction, and technique are either hard to discern or completely non-existent – leading to the “attribution problem”. Much ink has been spilled on the issue of attribution: from think tanks to academic and professional commentary, all emphasizing the perceived difficulty in assigning blame for cyber-nexus events. The central point of many of these discussions is that attributing cyber attacks to a discrete, definitive entity is at minimum difficult, and at worst impossible. While I share the latter view in the case of private security companies operating with incomplete information, I think the former holds for well-resourced, competent intelligence services that can effectively marry incident data with other intelligence sources, notably HUMINT and SIGINT. In these cases, attribution – while not easy – is definitely possible given time, patience, and good analysis of available data.
From this, attribution of attacks seems possible – yet there is still much argument on going beyond identification of the perpetrator to the issue of deterring cyber attacks, based upon a sense that attribution remains difficult and uncertain. Essentially, even if approachable, the difficulties inherent in attribution mean that one cannot effectively deter a cyber attack due to fundamental uncertainty over “who is responsible”. The problem may be solvable, but the result either contains such residual uncertainty or takes so long to discern as to make it meaningless in attempting to respond to or preemptively deter a cyber attack. As stated above, I already find this argument to be faulty for certain well-resourced entities, but I also find abundant evidence publicly available that effective, public attribution of cyber events (even those falling short of “attacks”) is not only alive, but potentially effective as a mechanism for signalling resolve and establishing a baseline from which deterrence can be built.
Attribution requires identifying “who done it”, while deterrence demands a (roughly) definitive audience – I say “roughly” since demonstration of both a capability and a willingness to use it can suffice to deter aggression in many cases. Yet in the realm of cyber effects, the nuances of attribution and follow-on responses (i.e., at what point does a cyber event accelerate from retaliation with cyber means to response via kinetic mechanisms?) make things rather more difficult than simply saying “I have a big stick (or whatever) and I’m not afraid to use it.” The necessary corollary for such asymmetric, non-traditional events is also understanding with accuracy where such a “stick” should be swung in the course of events, assuming that the target is non-obvious. Hence so much wringing-of-hands and rending-of-garments over the “attribution problem” for state-centric attacks and responses within the realm of cyber operations.
Yet I think this concern is overblown – and we’ve seen adequate evidence of how state-sponsored organizations can effectively perform and (more importantly) communicate attribution to set up the baseline for follow-on deterrence operations. Starting in 2014, the United States embarked on a new path for communicating identification (if not perhaps resolve) in cyber operations when it indicted by name five members of the People’s Republic of China (PRC) for state-sponsored economic espionage activity. While related to economic (and ostensibly corporate) espionage, this marked a new phase in attribution by taking state and legal resources to establish responsibility and culpability for cyber actions not only to a state (PRC) but to specific representatives of that state (the five named individuals).
On its face, this approach seems both irrelevant and ineffective, and has been pilloried by many. Yet this criticism – while valid in certain respects insofar as it has not resulted in a complete cessation of activity – is misguided, for this legalistic approach has been successful in less obvious ways. Chiefly, though difficult to absolutely prove, it has prevented an expansion (until relatively recently, with some exceptions that I’ll address in a future post) of activity beyond either very limited incursions for strategic use or continued economic espionage. Secondarily, as I have commented earlier, it has also proven effective in messaging to domestic audiences that the US government has “eyes on” the issue and, less obviously, to foreign observers that the US is capable of identifying and tracking such activity.
For the current discussion, the latter of these is most important and relevant, yet it remains oddly ignored in most discussions. Standard conceptions of deterrence focus on the credible threat of responsive action to an event. In cyber matters, current deterrence models are frequently faulted for problems in proper, accurate attribution – yet several Western governments (and especially the US) have addressed this matter through legal mechanisms consistently for five years. Essentially, and relying upon a very American sense of legalist definitions of proof and attribution, the US has been performing extensive, detailed, and public attribution of cyber events for quite some time. This goes beyond the PRC indictments for economic espionage to include everything from disruptive attacks conducted by North Korea to election interference operations authored by Russia.
To an ill-informed observer, this might seem like so much after-the-fact complaining about operations long-since concluded to little or no effect – but from the perspective of offensive operators (including those responsible for events covered by past indictments), such actions are more provocative than many would realize. While potentially revealing sources and methods to do so, such accusations highlight several important characteristics: first and foremost, the US government has the capability to identify – to the level of accuracy required by legal proceedings and extending to specific individuals – the perpetrators responsible for malicious cyber activity; second, the US is unafraid to disclose such findings publicly as part of a legal proceeding against such parties.
Put quite bluntly, the above constitutes the following message: “We can see you.” While many have criticized this approach as so much past-event hand-wringing, my assessment is that such disclosures are calibrated for a more subtle purpose: to effectively communicate to adversaries that, despite popular assumptions on the difficulty of cyber attribution, the US government possesses and maintains clear visibility into such behavior, to the extent that it can not only identify parties by organization, but individual operators by name. To date this may appear backward-looking and ineffective, but to think that other entities are not paying attention to such signalling would be ridiculous.
The missing aspect – at least from public knowledge – is a concrete response action aside from the legalistic presentation of evidence and information on identified attacks. To date, this is largely because all events, aside from election interference operations (which have been highly contentious for domestic, US political reasons), have fallen below a threshold of proportional response, existing mostly in the realm of spying, theft, and initial access operations. Yet by publicly demonstrating the capability to identify adversaries down to the individual operators responsible for conducting such action, the US (and allied) entities have clearly signaled the capability to concretely identify responsible entities for retaliation when the appropriate threshold is met.
Thus, from a deterrence perspective, the attribution issue related to cyber events is seemingly resolved, at least from a government perspective. The mechanism for doing so might seem strange to an outside observer, yet in formulating these public, identifying disclosures in methodical, legal form, the US and related entities have clearly shown a capability and willingness to analyse, identify, and pursue adversaries to incredible levels of detail. Furthermore, the legal approach can be viewed as a clear signal of the level of certainty in such assessments, going well beyond classic intelligence analytic standards of confidence. Essentially, in adopting a public, legal mechanism of disclosure and identification, the US (through its Department of Justice) is communicating quite clearly not just knowledge of activity and attribution, but also an overwhelming amount of evidence and certainty in such an assessment.
One perceived weakness in this approach is timing, as the time elapsed from event to indictment is typically measured in years. Thus, an adversary may perceive a period of uncertainty in which they can operate before positive identification and follow-on action. Yet this seems to rely on the public, messaging aspect of this type of disclosure – which takes some time and effort to establish – rather than the intermediate stages leading up to the final indictment. Thus, while it may take years to establish preponderance of evidence leading to identifying not just responsible organizations but named individuals, it takes significantly less time after incident identification to make lower-fidelity attribution to the originating state or organization. In this respect, timing becomes less of an issue.
Yet a far more significant issue is: “what next?” Essentially, the US has shown an effective, powerful way to resolve the attribution issue with real possibilities for strategic messaging and possible deterrence – but no one (US or other) has yet truly identified two items following identification: at what level do response operations take place, and what actions (proportional or otherwise) are taken. This is the real mystery at present, as there are no (known) cases of direct response to cyber-nexus events, from Operation Ababil to the two Ukraine events to extensive election interference operations. As of this writing, there are clear examples of settling “who” is responsible but no examples of what consequences entities would face – the legal approach used in the US for public signalling implicitly carries the threat of law enforcement response, yet no one seriously expects (aside from rare cases where individuals make questionable travel decisions and are then arrested and extradited) such threats to actually manifest themselves. So while the issue of “who is responsible” may be resolved, there remains no clear consequence for what may follow after such identification.
Overall, a template has been displayed to clear up, if not settle, the issue of positive, definitive attribution of attacks, at least within the realm of well-resourced state entities. In this sense, the question of who is responsible is not only answerable but, assuming that initial conclusions can be reached rather quickly even if the overwhelming evidentiary position of actual indictments takes years, can be achieved expediently. The next question – which I will consider in a future discussion – is what next, and this is where the realm of cyber deterrence has abjectly failed. Many can identify the source of their problems, but no state or private entity has yet established both the limits of and the response to an identified hostile cyber action with any sense of clarity. It is on this that classical senses of deterrence within the cyber realm fall apart, and where more time and energy should be invested.