Hacking the Hacker: Attribution of Cyber Attacks

Given the intricate labyrinth of the world wide web, an evidence-based framework is required to pin the blame on states for any attacks on critical infrastructure through cyberspace.

In recent times, geopolitical spaces have been abuzz with the alleged involvement of China, Russia and North Korea in cyberattacks launched against other states. Believed to have been executed either directly or indirectly through non-state actors, this spate of attacks has spooked the international community. In light of the threats posed to critical infrastructure (Ukrainian power grid attack); electoral systems (interference in 2016 U.S. election campaign); and nuclear assets (malware in the systems of Kudankulam nuclear plant), it is important to institute a coherent, evidence-based regime for attributing cyber attacks by nations.


When a cyber-attack is launched by hostile actors, attribution can assume different forms. At one level, analysts are preoccupied with the identification of the immediate perpetrators. This helps ascertain patterns or trends regarding the modus operandi of certain groups. At another level, analysts seek to pierce the veil shrouding hackers to unmask the entity that actually pulls their strings. As discussed in the 2012 Issue Brief of the Cyber Statecraft Initiative, the question changes from ‘who did it?’ to ‘who is to be blamed?’.

State attribution of cyberattacks falls within this second category. Foreign policymakers are more invested in tracing the role of geopolitical adversaries when it comes to cyber assaults. Towards this end, it is important to understand that the extent of state involvement in cyberattacks can vary substantially. It can be imagined as a spectrum, ranging from willful ignorance or encouragement to coordination and execution. In state attribution, fixing the degree of involvement is key, as it helps to determine what countermeasures can be legally pursued against the offending state.


Attributing cyberattacks to a particular state can have grave implications, both politically and legally. Therefore, state attribution needs to be predicated on an accurate assessment conducted at the cyber-forensic level.

On this front, there are some prevailing challenges, such as the Tactics, Techniques and Procedures (TTPs) deployed by hackers to cover their tracks. They operate from the dark web and take great pains to camouflage who they are and where they are acting from. For instance, they can buy servers or employ command and control infrastructure anywhere in the world. Malicious cyber actors can also disguise themselves by compromising innocent computers and using them as proxies to launch their attacks. Compounding this problem is the potential use of proxy chains, whereby one compromised computer is used to access another until the hostile actor reaches the intended target, so that each hop obscures the true origin further.

These technical challenges need to be addressed through a combination of data mining, artificial intelligence, and human-computer interaction. Artificial intelligence is particularly relevant in improving the accuracy of attribution by examining patterns that human analysts may miss. The very TTPs that hackers use to erase their cyber footprints can be scrutinised to triage and contextualise cyber attacks. This helps to correlate them to known actors or identify potential attack vectors. As a matter of principle, states need to invest more in attribution technologies and incorporate them into their cyber security policy.


As already discussed, state attribution is premised on the idea that hackers are merely pawns acting at the behest or with the blessing of nation-states. Once technical challenges are surmounted and the immediate perpetrator is identified, the focus shifts to the bigger fish. While the international community has demonstrated a political resolve to acknowledge and attribute cyber attacks to states, this has not translated into a robust legal regime. There needs to be a mechanism in place to ensure that spurious allegations of cyber attacks are not levelled by states against their rivals to further geopolitical motives.

At present, it is unlikely that states will agree to an ‘International Attribution Authority’ that centralises the investigation and communication of attribution, as it would entail a partial surrender of their sovereign rights. In this context, it might be more realistic for like-minded states to pursue bilateral and multilateral negotiations to formalise international best practices on state attribution. Emphasis should be on an evidence-based regime that fixes state responsibility in conformity with existing principles of international law.


States like Estonia have been leading the way to enhance cyber safety by leveraging existing principles of international law. In particular, they have emphasised a ‘due diligence’ obligation on the part of states to ensure that their territory is not used to adversely affect the rights of other states. In a similar vein, it might be instructive to identify other elements that need to be incorporated in a prospective framework on state attribution.

In attributing cyber attacks to a state, the burden of proof should be on the accusing state. It needs to demonstrate that its evaluation was devoid of any cognitive or confirmation biases at the intelligence and strategic level. For instance, if a series of attacks on a particular state seem to prima facie line up with Russian strategic interests, the analysts of the victim state should not interpret the evidence to support this hypothesis. Rather than analysing the data to confirm a preconceived notion, a hypothesis should emerge from an objective assessment of the data. For states reluctant to part with intelligence-based evidence or other sensitive information that establishes the involvement of another state, the use of redacted intelligence reports may be considered.

The attribution of cyber attacks, if based on probative evidence, can serve as a strong legal basis to undertake proportionate countermeasures, including sanctions. In this regard, international law needs to clarify the degree of state involvement that would attract legal sanctions. Would a state that coordinated the execution of a cyber attack attract the same legal costs as a state that negligently allowed its territory to be used as a hacker’s safe haven? These are issues that need to be settled through evolving state practice. In any case, the imposition of legal costs on the attacker and the sponsoring state will have the attendant benefit of increasing deterrence.


The COVID-19 pandemic has served as a jarring reminder of our increasing dependence on cyberspace technologies. Ensuring network security has become as important as policing state borders. At a time when launching cyber attacks could be perceived as an act of war, there needs to be a comprehensive international framework governing attribution and countermeasures. In the absence of the same, states might fall victim to specious and unsubstantiated allegations that lead to escalatory actions against them.


  • Proportionate to their relative capabilities, countries should invest more in attribution technologies. This can enhance the reliability of the forensic and digital evidence presented to establish state involvement in cyber attacks.
  • Intelligence reports that attribute cyber attacks to states should be objective and devoid of any confirmation biases.
  • International law should evolve rules of evidence and standards of proof regarding attribution, based on best practices of states and existing legal principles.