Both a new national cyber strategy from the White House and a new cyber strategy document from the Department of Defense say the United States will attribute more cyber attacks as a way to deter and embarrass enemies.
The recently released national cyber strategy makes attributing malicious cyber activity that “that threatens United States national interests” a priority. But intelligence officials say attribution is a key building block in cyber deterrence and that the new emphasis is a way of laying the groundwork for future attacks.
“I see more of it … absolutely,” Jim Richberg, national intelligence manager for cyber in the Office of the Director of National Intelligence, told Fifth Domain during a September interview.
The government has started publicly attributing high profile cyber incidents to attackers. The Department of Justice named North Korean hackers in the cyber attack of Sony Pictures and the WannaCry global incident.
Richberg likened attribution to posting “No Trespassing” signs over property lines with no fences. “What you’re doing is you’re constructively saying ‘You’re not supposed to be here,’” he said.
If organizations don’t call out trespassers, then they risk ceding ground and losing the ability to control that area, he said. That can set a precedent that legitimizes the bad behavior.
Richberg said that by labeling this as bad behavior from the outset, it leaves the government the option of taking action in the future.
“I think there’s a case to be made for public attribution even if you can’t yet link it to something that allows you to stop it," he added.
Attribution in practice
Attribution requires two critical characteristics, one technical and one political.
On the technical side, the United States has several tools to provide policy makers what they need to understand circumstances and craft responses. This includes all the intelligence community’s resources, which encompasses not just the technical indicators of a particular cyber actor, but human sources that can provide greater context.
“The IC will continue to lead the world in the use of all-source cyber intelligence to drive the identification and attribution of malicious cyber activity,” the new cyber strategy reads.
According to press reports, highly placed human sources close to the Russian president contributed to the understanding of Russia’s cyber interference in the 2016 election.
In the absence of a forensic smoking gun, Richberg said all source intelligence organizations can point to other indicators of guilt such as actions similar to other similar cases, motives similar to certain actors or geopolitical contexts that are plausible for certain actors. They might only have moderate confidence without direct evidence, but, Richberg said, they owe policy makers a judgement and their job is to make tough calls on the basis of ambiguous information.
The other aspect to attribution is political. While the intelligence community has the tools to understand what happens, public attribution is a political and national level decision weighed by ongoing diplomatic events.
Occasionally, government officials believe there are reasons not to directly attribute activity because it could jeopardize other ongoing efforts on the international stage.
Moreover, these decisions to publicly attribute are also weighed against revealing sensitive sources or methods for figuring out who is responsible for a particular malicious cyber activity.
Richberg, in advocating for making more public attributions, noted that there does not need to be great detail for how the United States came to its determination, which can compromise sources and methods.
“To say I attribute with moderate confidence ‘This is the Martians and not the Venetians in this case because I see something about their infrastructure,’ there’s probably a lot of different points of infrastructure and a lot of different sources of access into it. I don’t think you’re giving anything away to the adversary,” Richberg said.
However, absent unassailable information, it can be easier for foreign hackers to hide behind the ambiguity. One former official described to Fifth Domain being in an international meeting where a Russian government official challenged the State Department’s top cyber official and said that North Korea was not responsible because no sufficient evidence has been provided.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.