Honing cyber attribution: a framework for assessing foreign state complicity.

Author: Cantil, Justin Key
Position: Report

Concerns about state-directed cyber intrusions have grown increasingly prevalent in recent years. The idea that state principals can obfuscate their involvement in such attacks by delegating operational tasks to non-state agents poses a particularly significant challenge to international enforcement and remedies. Gaps in international law, coupled with obstacles to detection in such cases, may make it more difficult to bring sponsoring states to justice. This paper offers a roadmap for assessing the propensity of states to delegate to non-state actors and correct for false positives in standard (typically more technical) cyber attack attribution methods. I conclude that the conditions under which attacks are likely to have been backed by sponsoring states occupy a much narrower window than conventional wisdom suggests, and that the universe of transgressors can be identified when standard indicators overlap with specific conditions.

**********

Before news broke in July 2016 that the Democratic National Committee's (DNC) private files had been hacked by foreign agents, FiveThirtyEight had pinned Democratic primary candidate Hillary Clinton's chances of winning the presidential election at 60.2 percent, while Republican Donald Trump's stood at only 39.7. By the end of the month, the forecast showed the race was neck and neck, with Trump holding a marginal lead. (1) More importantly, the leak seemed to have been strategically timed with the Democratic convention that same month. Although election polling is cyclical and former secretary Clinton's popularity had been on the decline since mid-July, the news was certainly embarrassing for and (we can presume) harmful to her campaign, especially since it suggested DNC favoritism. DNC chairwoman Debbie Wasserman Schultz resigned in disgrace shortly thereafter. (2)

The more frightening aspect of the hack was the length of time that DNC servers had been compromised without the intruders being detected (in the estimation of cybersecurity forensics firm CrowdStrike, more than a year). (3) The sophistication of the attacks suggested foreign intelligence involvement rather than ordinary hacktivism, and this sentiment has been echoed by the media since the attacks. (4) Shortly thereafter, a hacker with the handle Guccifer 2.0 claimed responsibility for the attacks and released additional stolen DNC documents to the Hill. According to the report, Guccifer 2.0 is purportedly Romanian "with no strong political leanings," although his/her actual national identity (if indeed the entity is a single person) is far from conclusive. (5) CrowdStrike and others have argued that the hacks should be linked to Russian hacker groups APT28 and APT29, nicknamed Fancy Bear and Cozy Bear, respectively. (6) Unsurprisingly, Russian officials have denied any involvement. In an interview with Bloomberg News, Russian President Vladimir Putin praised the leaks as a "public good" but said that "on a state level Russia [was not behind it]." (7)

While non-state hackers have been waging cyber attack campaigns in the name of nationalist ideals for many years, the question of when and whether these so-called patriotic hackers are supported, or even sponsored, by their governments is often ambiguous. (8) And, as is the case with researching most clandestine activities, few open-source indicators are usually available to connect sources with outcomes, especially when proxies act as intermediaries. One explanation is that states employ sympathetic cyber proxies in order to maintain the illusion of plausible deniability. Borrowing from a small body of political science research on the motives for state support for rebel and terrorist organizations, this idea has slowly been gaining traction in cyber circles. (9) Yet, efforts to trace these types of relationships in specific instances have remained largely subjective, relying on informal "preponderance of the [technical] evidence" to make judgments about whether a group might be state sponsored, and cui bono (motive) to link groups to specific countries. This is an inductive approach that, while increasingly creative and sophisticated, can inadvertently lead to what statisticians call "Type I" errors--false positives. (10) This is because motives are as ubiquitous as means in cyberspace (and twice as idiosyncratic). This is a seductively dangerous problem: in cyberspace, much is uncertain and misinformation abounds. The United States wants to maintain its deterrent capacity, but it wins no allies--and threatens to abdicate the moral high ground--by punishing potentially innocent parties. After all, one of the core precepts of effective deterrence is that it must be clearly linked to a target's behavior. (11)

What is missing from such analysis is the question of opportunity. In my own research, using decision-theoretic formal (mathematical) models and legal analysis of international rules on sovereign state responsibility, I argue that it may be possible to predict the likelihood that a particular state is behind a given attack a priori. That is, if we can deduce based on objective indicators only those states that possess the capacity and incentive to delegate computer network attack (CNA) operations to non-state hackers in the first place--even prior to knowing anything about the characteristics of the...
