Indicting Russia's Most Destructive Cyberwar Unit: The Implications of Public Attribution
Gil Baram is a cybersecurity post-doctoral fellow at the Center for International Security and Cooperation at Stanford University and a research fellow at the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University.
On October 19, the U.S. Department of Justice unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign. According to the indictment, the officers, who are believed to be members of Unit 74455 of the Russian Main Intelligence Directorate (GRU), were responsible for some of the most high-profile cyberattacks of the last few years, including the devastating NotPetya worm in 2017 that cost $10 billion in damages, the targeting of the French presidential election in 2018, the hacking of the 2018 Winter Olympics in South Korea, interference with the electric grid in Ukraine in 2016, and others.
Cybersecurity and national security experts had long maintained that the attacks were Russia's doing and, along with investigative journalists, expected this to become public sooner or later. The indictment is unlikely to change the way Russia operates in the cyber domain; however, it demonstrates clearly to like-minded countries that the United States will (eventually) hold Russia accountable for its devastating cyberattacks.
The detailed allegations raise the question: What motivated the United States to address them in public? This question is important for understanding the current dynamic between the United States and Russia. The covert nature of offensive cyber operations and the political challenges of the “attribution problem”—the question of who did it—further sharpen this question. At first glance, confirming the attack could be perceived as exposing the victim country's weakness. So, we could expect states to forego public disclosure for fear of publicizing their own vulnerability. However, there are several benefits to public attribution.
In a recent co-authored paper, I argue that the decision states face is not a binary choice between revealing or concealing that they have been the victim of a cyberattack. Instead, there is a range of responses, from complete silence to full public attribution. An example of one of several mid-range options can be seen in Singapore's response to the 2018 cyberattack that compromised its main health provider, SingHealth. In this case, the Singaporean authorities revealed many details about the intrusion and attributed the attack to a nation state, but stopped short of naming the attacker.
There are multiple reasons why the United States would opt to publicly attribute these attacks to Russia. The attribution occurred two weeks before the U.S. presidential election, so this could appear to have been a partisan move on the part of the Trump administration, showing a strong stance against Russia. It could also be seen as a non-partisan move, meant to caution Russia that any interference in the upcoming U.S. election will be detected and could incur retaliation. Nonetheless, a U.S. Department of Justice official denied the indictment was related to the upcoming elections: “We charge the cases when they're ready to be charged,” the official said.
Certainly, one cannot dismiss the presidential election as a factor. Revealing damning information about Russia’s capabilities could influence public opinion in different ways, like convincing people that Russia could interfere in the election or demonstrating that the U.S. government has foreign interference under control. At the same time, however, there are at least three additional strategic reasons that could have prompted the United States to serve the indictment and make it public.
First is shaping rules of acceptable behavior. A recent paper suggests public attribution has a twofold aim of shaping the operational environment and establishing and sustaining rules of behavior. By describing the broad Russian campaign, which extended beyond the United States to include targets in France, South Korea, Georgia, and elsewhere, the United States reaffirmed its commitment to uphold international law and pursue wrongdoers in cyberspace. This sends a positive signal to both the American public and U.S. allies. Furthermore, in choosing the naming and shaming strategy—publicly identifying perpetrators and presenting them as undermining international law and acting in bad faith—the United States is able to point out bad behavior and reinforce rules for responsible state behavior in cyberspace.
Second is signaling capabilities. By publicizing its detailed indictment describing the global GRU operations, the United States demonstrates that it can infiltrate and map its adversaries' networks. U.S. Cyber Command is able to accomplish this through its strategies of defend forward and persistent engagement.
Third is deterrence (which is closely linked to the second point). The United States is communicating not just its capabilities, but also its commitment to respond to future cyber offensives by Russia or other cyber aggressors. This strengthens its credibility, even if the notion of cyber deterrence remains nebulous. Although some question the ability of declassified indictments and other public statements to establish deterrence when not followed up by clear and visible actions, U.S. Cyber Command presumably works behind the scenes to convey this resolve convincingly, thereby maintaining U.S. deterrence and credibility where it counts.