Attribution of cyber incidents is a reoccurring concern. Russian involvement in the 2016 U.S. presidential election remains a contentious issue, and on Tuesday, the White House publicly linked North Korea to the WannaCry ransomware attacks from earlier this year. This kind of public attribution by the U.S. government is noteworthy given that the government rarely pins responsibility for cyber incidents squarely on foreign governments.
But importantly, private-sector companies have also been developing sophisticated computer forensic capabilities that help them provide their own attribution of foreign government involvement in cyberattacks. Marketing their work as threat intelligence, these companies apply techniques as sophisticated, or perhaps sometimes more sophisticated, than U.S. intelligence agencies. This dynamic is novel because in other areas of statecraft, government agencies hold the monopoly on tools to identify state-sponsored activity and thus serve as gatekeepers for open discussion about it.
And so the policy issues become: How should the U.S. government address the growing capability of private-sector companies when it comes to attribution of cyber incidents to the public? Does this capability align with U.S. interests, or does it risk undermining U.S. government interests and activities?
Part of the answer may lie in the differences between incentives and equities between these two stakeholders. The primary interest of the intelligence community (upon which attribution by the U.S. government relies), is to provide relevant and timely information to decision-makers. And before attribution can occur, there must be a very high level of confidence in the source and quality of the technical indicators that inform attribution. The government must also weigh the consequences of unwanted escalation or strained diplomatic negotiations before publicly accusing a sovereign nation of malicious cyber activity.
Private firms, on the other hand, do not necessarily face the same constraints or potential repercussions. For them, identification and attribution of advanced persistent threats can bring prestige and media attention, increasing consumer demand for their cybersecurity or threat intelligence services. Private-sector companies are also quite agile, able to integrate many forms of information quickly, from disparate sources, and with fewer restrictions (such as classification) relative to those faced by government entities. This agility allows them to produce more timely notifications for their clients, and in some cases, the public, enabling them to apply mitigating security controls more quickly.
This is still a risky game to play, however.
On one hand, private-sector attribution of nation-state cyber activity may provide a vehicle for open and unrestricted debate concerning the roles and norms of international cyber activities. Further, it may even facilitate bilateral discussions by allowing nations to reference the information collected by the private sector, without appearing aggressive itself.
On the other hand, private sector companies do not bear the potentially grave consequences to publicly-made attributions. First, if private-sector attribution is incorrect, or incomplete, any kind of disclosure may only confuse readers, especially if multiple sources provide conflicting information, as is sometimes the case when naming an attack type. Even (or especially) when threat intelligence companies collaborate with each other to produce coordinated messages, if these messages differ from government notices, or are timed differently, this can weaken the government's position. Further, as private-sector capabilities grow, local media, and other nations, may tune out government rhetoric, undermining international relations. Premature attribution of an attack by a private company could also pressure a government to react publicly, potentially further destabilizing any ongoing negotiations. Of course, misattribution is a concern for both private-sector companies as well as government agencies.
In response to these issues, there has been increased policy research seeking to address the associated risks. One approach could be the creation of an independent, international consortium that would consolidate cyber incident attribution. This entity could enforce a standardized framework for threat actor naming conventions, provide transparency of indicators of compromise and develop a uniform reporting style for confidence levels of reports. While there are many challenges to establishing such an organization, this work highlights the growing need for alternative solutions to address these policy issues.
Given these potential tensions, some relevant and unresolved questions become apparent: Is closer coordination between the U.S. government and the private sector desirable? And if so, under which conditions, and how, should the U.S. government foster this relationship?
As more nation-state cyber activities occur, the need to address and resolve these questions will likely only increase. Inevitably, the U.S. government will need to determine whether to embrace and foster private sector capabilities and relationships, or ignore and avoid them.