Florian J. Egloff, DPhil, is a Senior Researcher in Cybersecurity at the Center for Security Studies (CSS) at ETH Zurich and a Research Associate at the Centre for Technology and Global Affairs at the University of Oxford.
Despite the increasing number of public attributions, few analysts have looked at how public attribution fits within the larger toolbox of statecraft. In a recently published article, I lay out what public attribution is, how we can explain it using the intelligence studies literature, and for what purposes it is employed (for more, you can also read this longer policy analysis [PDF] on the subject). In this shorter piece, I argue that public attribution serves different functions in the short, medium, and long-term.
What Is Public Attribution?
Public attribution refers to deliberately releasing information about the source of a cyber intrusion into the public domain. To better understand what public attribution is, I conceptually split attribution processes into sense-making and meaning-making processes. The sense-making process refers to establishing what happened in a cyber intrusion. This usually is an all-source intelligence effort that builds on top of digital forensics and incident response data. This differs from the meaning-making process, which entails deliberate actions that influence how others interpret a particular cyber intrusion. Public attribution is a meaning-making process where attributing information is introduced into the public realm, as opposed to using private channels.
Countering Threats, Shaping the Rules of the Game, and Building Customary International Law
In the short-term, public attribution is an element of a counter-threat strategy rooted in counterintelligence that addresses a specific cyber threat. In the medium-term, it is used to shape the operational environment with the aim of establishing and sustaining rules of the game. In the long-term, it has the potential to build customary international law through state practice.
Let’s start with the short-term purpose. Recently there was a prominent NSA and FBI disclosure of a GRU Linux implant [PDF]. This exemplifies the use of public attribution as part of a counter-threat strategy to communicate with an adversary at the strategic and operational level. It signals, “we see you,” while the technical analysis and context enhances the defense community’s ability to react. In response, adversaries have to pursue counterintelligence leads to learn how their operation leaked out and, depending on the defense community’s response, retool. Both can be grueling and costly.
In the medium-term, since the political rules of the game in the cyber domain are still unclear, one function of public attribution is to shape the operational environment with the aim of establishing and sustaining rules of behavior. This is a political effort where some states have decided to use public attribution to show the world which activity they find particularly undesirable. Although some states don’t care about being publicly outed—some could even view being publicly recognized as strategically relevant—the goal is to incentivize like-minded states, as well as particularly camera-shy states, to build their doctrines and capabilities alongside the rules of the game spelled out. In these cases it is important to acknowledge the power dynamics: it matters that it is the Five-Eyes, widely considered the most capable signals intelligence alliance, calling out other states. Moreover, ad-hoc attribution coalitions (e.g., in the cases of WannaCry, NotPetya, APT10, and Georgia) serve the purpose of bridging the credibility problem that arises at a domestic and international level when an attribution claim is based on undisclosed evidence.
In the long-term, public attribution can clarify state practice with regard to the application of international law. By referring to the specific rules of international law breached while publicly attributing an incident, as was the case with Georgia labelling Russian cyber intrusions as a violation of Georgia’s sovereignty, states are able to voice their objections to malicious behavior while clarifying how international law applies to cyberspace.
Three Implications for Policymakers
Much remains to be researched about public attribution. In the meantime, I make three recommendations to policymakers. First, policymakers should develop clarity around the long-term strategic objective of public attribution of cyber intrusions. This requires them to consider how public attribution contributes to the type of order they are trying to build in cyberspace. How does it contribute to the counter-threat strategy? How does it shape the rules of the game? What international legal order is desirable to govern cyber intrusions? How are these objectives linked? Having clarity on these questions enables a strategic approach to picking which cyber intrusions are particularly important to be publicly attributed, and which ones to remain silent on.
Second, and linked to the first, consider the anticipated second- and third-order effects of a steady stream of public attribution. How will others react to the public attribution strategy employed? What positive and negative effects does frequent attribution of and by the same state actors have? One negative effect, as I noted in my previous research, is the skewed baseline of cyber conflict that it introduces one’s own public to, which potentially reinforces relations of enmity with particular countries.
Third, the answers to the previous questions will not only guide governments on whether to publicly attribute but will also clarify the format of doing so. Different purposes can be coupled with different formats of public attribution. For the counter-threat purpose, for example, the NSA found that being specific about the adversary actively exploiting a particular vulnerability leads to a more rapid defensive response by the cybersecurity community. Likewise, to shape the rules of the game, it is important to spell out why one objects to a particular cyber intrusion and what one’s desired rules of the game look like. For the long-term building of state practice, governments should articulate the particular rules of international law that a cyber intrusion breached.