Managing Attribution and Statecraft in the Cyber Domain
Harriet Gaywood
An expert in PR, strategic communications, and crisis management with over 25 years of experience in China and APAC.
(Extract from presentation prepared June 2021 as part of submission for MA in International Affairs with Cybersecurity from King's College London)
Cyber space and its growth
As of 2012, every day cyber space was growing at a rate of two and a half quintillion bytes (Williams & Fiddner 2016: 216). In the US and Europe, over 90% of cyberspace is in private hands yet it is the governments of nation-states that are challenged with the responsibility of maintaining an environment that is trusted and secure as modern society increasingly relies on it for their work and daily lives. Malicious activity is a feature of the cyberworld just as much as it is a feature of the real world. Here I consider the challenges that states face when identifying and attributing hostile cyber behaviour, and the strategic considerations behind public attribution of an activity to another state.
Cyberspace as a military domain
Although it is primarily dominated by civilian use, cyber space is also recognized as a military domain and in many countries, governance falls under the department or ministry of defence or national security. The North Atlantic Treaty Organisation (NATO), US Department of Defense and the UK Ministry of Defence recognize cyberspace alongside the military domains of air, sea, and land, while the US also includes space as a separate domain (Crowther 2017: 63). Although there is debate about whether cyber can really be considered another domain because its characteristics differ by being both physical and virtual, it is still an arena in which the military needs to operate to defend critical infrastructure and in some cases conduct ‘policing’ according to the rules of the jurisdiction.
Cyber Space Definitions – Differing Focus
Definitions of cyber space also differ in their focus on technology versus the human role. For example, the Cyberspace Policy Review (2009) defines it as the “globally interconnected digital information and communications infrastructure [that] underpins almost every facet of modern society” focusing on the infrastructure (Betz 2017: 1) while the 2009 UK Cyber Security Strategy defined it as “all forms of networked, digital activities, this includes the content of and actions conducted through digital networks.” The UK definition recognized the human role and it is this aspect of attribution that is the focus here. For more details on technical attribution techniques, the paper by Shamsi, Zeadally, Sheikh and Flowers (2016) provides an insightful overview of digital forensics, malware-based analytics and indirect attribution such as machine learning, genetic algorithms and attribution through social networks.
What is attribution?
Attribution in the cyber domain means understanding who is responsible for committing a hostile or malicious cyber act. Once a hostile act has been identified, a state is then challenged with understanding the extent and impact of an issue and then, how to interact with the perpetrator.
Boebert (in Shamsi 2016: 2889) suggests there are two types of attribution techniques (i) technical attribution which attempts to identify the host responsible and (ii) human attribution which is the process of identifying the person / identity of the person involved in the attack.
Mejia (2014: 118) describes two approaches to state attribution including (i) direct attribution which means that “states are responsible for the acts or omissions of individuals exercising the state’s machinery of power and authority since these actions are attributed to the state even if the acts exceed the authority granted by the state” and (ii) indirect attribution which means that although actions by nonstate actors “are generally not attributable to the state, however, the state may incur responsibility if it fails to exercise due diligence in preventing or reacting to such acts or omissions.”
What is cyber power?
As mentioned, following a process of attribution may reveal who is behind a hostile action. However, publicly attributing blame is a strategic activity which relates to cyber power as one component in achieving the political aims of a state. Betz argues that cyber power is no different from other types of power and defines it as “the use, or threatened use, of cyberspace and other resources to effect strategic aims in and through cyberspace against the resistance or wishes of others.” This reflects cyber-power’s role in the power of a nation-state alongside “political, diplomatic, informational, military, and economic power.”
Forms of Cyber Power
Cyber power manifests itself through “direct coercion by one cyberspace actor in an attempt to modify the behaviour and conditions of existence of another”. Coercion can be exerted by non-state actors and compulsory cyber-power can be found in the interactions between non-state actors and states, and between non-state actors such as activists, hackers, states, state proxies, military alliances etc. Other forms of cyber power include “institutional” i.e. “via the mediation of formal and informal institutions” which refers to setting the norms and standards. Structural cyber-power looks at how actors respect the structure which they are in – this is particularly critical given that information and data is one of the key attributes of the internet as the world moves towards an “information society”. The final type is productive cyber-power which looks at the ‘fields of possibility’ that constrain and facilitate social action, soft power and may mould the online discourse to the strategic advantage of one actor. This may also be known as public diplomacy and creates questions regarding ethical and unethical use of cyberspace to achieve certain aims.
Malicious or hostile use of cyberspace
So having started to consider the idea of ethical and unethical use of cyberspace we can consider two core types of potentially malicious use of cyber space by states. These include (i) espionage and military purposes (which includes surveillance, espionage, data theft and probing), and (ii) information operations usually leveraging social media via activity that helps to create unrest, help groups to organize protests and manipulate popular opinion on topics such as voting.
We then start to see some blurring of the lines between ethical and unethical activity. If we then look at malicious cyber activity, we see that cyber attacks are on one end of a wide spectrum of activity that begins with scanning at its most benign, an activity which is not necessarily illegal, as was noted in the US Senate report following evidence that Russia conducted scanning of US electoral data starting in 2014. So although the act was attributable, the legal framework was inadequate to take action.
“Strategies for Cyberspace”
During the past decade, nearly all countries have developed some form of cyber strategy. Some major powers have used the strategy to articulate their views regarding state power in relation to their overall national agenda. States such as the US released “An International Strategy for Cyberspace” in 2011 and used it as a hegemonic attempt to define and “own” global standards. Recognition of cyberspace as a provider of greater prosperity has made it an attractive domain but some countries also recognize its potential to threaten national sovereignty and their authority and therefore wish to define the parameters for others – which can be challenging given that cyberspace transcends borders.
Christopher Tuck (KCL iLesson) highlights that “strategy should be about balancing ends, ways and means, regardless of whether the organisation is a state, state institutions, the military, a commercial organization or any other non-governmental organization. Strategy ought to serve a particular purpose, which in the context of a state’s security strategy is supposed to be a clearly defined political end.”
Developing an Attribution Strategy
Sheldon (2011: 95) states that cyberpower does have a strategic purpose which “revolves around the ability in peace and war to manipulate perceptions of the strategic environment to one’s advantage while at the same time degrading the ability of an adversary to comprehend that same environment”. In terms of malicious cyber activity, an offensive posture appears to have remained the dominant position due to the speed of attacks, the focus on exploiting network and system vulnerabilities, the ubiquitous, global nature of cyber which removes geographic restrictions, and the complications of attribution (Sheldon 2011: 98).
A state has a responsibility to its people to defend itself. The right of the state to defend itself is set out in Article 51 of the United Nations Charter. In 2019, a specific charter for cyberspace was added. The development of a legal framework that specifically covers cyberspace activities in international jurisdictions or by regions such as the EU.
The Value of Public Attribution
Public attribution is a highly politicised construct since it relates to the overall strategy of a state and its relationship with another, or several states. The decision to publicly attribute a state may be based less on evidence and more on a politically-motivated decision. This is because the escalation of malicious cyber activity is viewed as a threat to the political stability and economic prosperity of nations.
Egloff & Smeets (2021: 2) argue that “public attribution is believed to be an important measure to help create a more stable cyberspace.” This means that by openly identifying malicious behaviour, the general public will be aware, can make their own decisions accordingly and thus will have greater trust in governments.
Indirect Attribution - Stuxnet
One high-profile case was the Stuxnet case in 2009 in which a 500k malware worm was injected using a USB into the software of at least 14 nuclear and industrial sites in Iran, including a uranium-enrichment plant. This caused the software to speed up centrifuges which would then break. Constantly replicating and attaching itself to common office software, Microsoft Windows, every time a USB was inserted into an affected computer, the worm was shared with another. Iran has never publicly attributed blame but news leaks suggest that the actions were state-sponsored by Israel and the US. However, the worm went beyond the intended use and by 2012 was affecting the US, causing the U.S. defense secretary Leon Panetta to warn that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids. Chevron then confirmed that Stuxnet had spread across its machines.
Public Attribution for a Strategic Political Aim
By contrast, the Netherlands have made public attribution a key part of their Cyber Defense Strategy (Egloff & Smeets 2021: 2) on the basis that “an active political attribution policy contributes to the deterrent ability and making the Netherlands less attractive as a target of cyber attacks. A state actor who (publicly) is held accountable for his actions will make a different assessment than an attacker who can operate in complete anonymity.” In 2019, the Dutch Defense Ministry announced that it had disrupted an attempted Russian cyberattack on the chemical weapons watchdog agency, OPCW, which at the time was investigating a chemical weapons attack against the former Russian spy Sergei Skripal and his daughter in Salisbury, UK. According to Dutch authorities, four agents from Russia’s GRU military intelligence agency were spotted in a car filled with electronic equipment “installed for the purpose of infiltrating the OPCW’s network” parked adjacent to OPCW headquarters in The Hague. The Russian agents were detained and then expelled. Public attribution was intended to send a clear message to Russia that it should not commit such acts. The UK then supported the Netherlands with further public attribution by publishing additional accusations of attempted GRU cyberattacks to disrupt investigations of chemical weapons use.
Conclusion
In conclusion, it can be seen that cyber space will continue to grow. Therefore nation states must be actively involved in developing a regulatory framework and norms to govern it whilst contributing to global governance.
The challenge of anonymity in attribution will remain.
Whilst it creates a risk of retribution, public attribution can be a powerful deterrent in creating a safe, secure cyber space for society.
Bibliography
Betz, David J. (2017) Cyberspace and the State: Towards a Strategy for Cyber-Power. Routledge
Crowther, Dr. Glenn Alexander (Fall 2017) “The Cyber Domain” The Cyber Defense Review.
Egloff, Florian J. & Max Smeets (2021) “Publicly attributing cyber attacks: a framework” Journal of Strategic Studies DOI: 10.1080/01402390.2021.1895117
Kushner, David “The real story of Stuxnet” 26 Feb, 2013. IEEE Spectrum.
Mejia, Eric F. “Act and Actor Attribution in Cyberspace: A Proposed Analytic Framework.” Strategic Studies Quarterly, vol. 8, no. 1, 2014, pp. 114–132. JSTOR, www.jstor.org/stable/26270607. Accessed 28 June 2021
Sanders-Zakre, Alicia (Nov 2018) “Russia Charged With OPCW Hacking Attempt”
Sheldon, John B. (Summer 2021) “Deciphering Cyberpower: Strategic Purpose in Peace and War” Strategic Studies Quarterly. pp. 95-113.
Shamsi, Jawwad A & S. Zeadally, F. Sheikh, A. Flowers (2016) “Attribution in cyberspace: techniques and legal implications” Security and Communication Networks. pp. 2886-2900
White House “International Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World” May 2011
https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf Accessed 20 June, 2021
Williams, Phil & Dighton Fiddner (2016) “Cyberspace: Malevolent actors, criminal opportunities, and strategic competition.” Carlisle: United States Army War College Press
UN Charter – “Article 51 Charter of the United Nations” https://legal.un.org/repertory/art51.shtml
King’s College London “The nature of the cyber domain” iLesson in Keats for Cybersecurity and the Information Age. Accessed May 13, 2021
1 year ago: Harriet, I really enjoyed reading your blog. It’s detailed and made for an interesting read. It seems rarely we shine the spotlight on attribution. I believe that’s largely because it’s either political & sensitive (state sponsored) or because we can’t attribute.