“Your Account May Have Been Targeted by State-Sponsored Actors”: Attribution and Evidence of State-Sponsored Cyberattacks
This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
The end of 2015 brought a flurry of announcements from tech companies, including Facebook, Yahoo, and Microsoft, promising to notify their users if the company believes that state-sponsored actors are targeting the users’ accounts. These state-sponsored-attacker notifications share features of other kinds of attributions. On the one hand, like the Mandiant report and other reports by cybersecurity companies highlighting state-sponsored cyberintrusions, private companies are responsible for the attribution. On the other hand, like the limited evidentiary disclosures made by the US government in attributing the Sony Pictures hack to North Korea, the companies withhold the evidentiary basis for the notifications in order to protect their detection methods and avoid tipping off attackers.
The notifications contribute to evolving debates about the requisite evidentiary basis for attribution of state-sponsored cyberattacks—debates over types of evidence, amounts of evidence, and levels of public disclosure that should be required for attribution in different contexts. The notifications also show that while standards of evidence for attribution are discussed in multilateral fora like the United Nations, states are not the only parties whose practice matters.
Google pioneered notifications to users about state-sponsored attacks in 2012. The company explained in a blog post at the time that in response to “specific intelligence—either directly from users or from [its] own monitoring efforts”—it would display a banner stating “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.”
Facebook made a similar announcement in October 2015. In a blog post by Chief Security Officer Alex Stamos, Facebook explained that it would show users a warning if the company has “a strong suspicion that an attack could be government-sponsored.” According to the New York Times, in the wake of the Iranian nuclear deal and “[j]ust weeks into the new [Facebook] alert system,” numerous State Department officials who work on Iran and the Middle East received notifications that their accounts had been targeted by a state-sponsored actor.
In mid-December, Twitter, which had not previously announced a policy on state-sponsored attacks, notified some users that their accounts “may have been targeted by state-sponsored actors,” who were “trying to obtain information such as email addresses, IP addresses, and/or phone numbers.” (A copy of a notification sent to another user is available here.)
On December 21, Yahoo Chief Information Security Officer Bob Lord announced that “Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored actor.” Microsoft followed suit on December 30, announcing in a blog post by Corporate Vice President for Trustworthy Computing Scott Charney that Microsoft “will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state.”
According to the companies, they issue notifications for state-sponsored attackers in particular because, as Facebook explains, “these types of attacks tend to be more advanced and dangerous than others.” The notifications are intended to prompt users to better secure their account with the notifying company and other online accounts by, for example, enabling two-step verification, changing passwords, and monitoring for unusual activity.
Similarities to and Differences From Other Attributions to Nation-States
The state-sponsored-attacker notifications share similarities with prior attributions by both the private sector and the US government. On the one hand, the notifications (and the attributions supporting them) are done by private companies, like the reports on state-sponsored intrusions issued by cybersecurity companies like Mandiant and Crowdstrike that I discussed in an earlier post.
On the other hand, unlike the extensive technical details that often accompany such reports (see, for example, the Mandiant APT1 report), the state-sponsored-attacker notifications do not come with evidence to back up the attribution. Google’s post on the notifications explains: “You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.” Facebook’s post similarly states, “To protect the integrity of our methods and processes, we often won’t be able to explain how we attribute certain attacks to suspected attackers.” The invocation of secrecy to protect “methods and processes” echoes similar statements made by the FBI in announcing the attribution of the Sony Pictures hack to North Korea. The FBI press release explained that the “need to protect sensitive sources and methods” prevented the Bureau from sharing details of its evidence against North Korea. The FBI provided a general description of the evidence supporting the attribution, including, for example, “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” But the lack of detailed information triggered significant skepticism within the security community, prompting FBI Director James Comey to release additional information several weeks later.
Unlike the other types of attribution, the state-sponsored-attacker notifications do not name the state involved. They simply inform a user that some “state-sponsored actor” has targeted the user’s account. Of course, upon receipt of a notification, some users may have a pretty good idea which state is targeting them, and the pattern of accounts targeted may reveal the state’s identity to the company or to the public if/when the notifications become public. That may be what happened with the Facebook notifications to State Department employees discussed above. Still, the notifications’ failure to name the particular state involved renders them somewhat less accusatory than attributions that name a specific state.
Evidence and Attribution of State-Sponsored Cyberattacks
As illustrated by the debate over the US government’s attribution of the Sony Pictures hack, accusations that states have undertaken cyberattacks raise questions about what type and how much evidence is necessary to substantiate attributions and about what evidence can and should be disclosed publicly.
The state-sponsored-attacker notifications may contribute to this debate by defining one end of a context-dependent spectrum. The notifications are made (1) by a private entity, (2) to individual customers, (3) without naming the attacking state, and (4) for the purpose of prompting the customer to take security measures. Each of these factors suggests that the stakes here are fairly low and correspondingly that the notifications might be justified by rather low levels of evidence that an attack has occurred and low levels of public disclosure of supporting evidence. None of the companies disclose the evidence on which they decide to issue notifications, and they describe the level of certainty about the attack using terms like “when the evidence reasonably suggests” (Microsoft) or when the company “strongly suspect[s]” a state-sponsored attack (Yahoo).
One notch further along the spectrum are reports by cybersecurity companies accusing governments of intrusions. Those are made (1) by a private entity, (2) publicly, (3) identifying the attacking state, and (4) for the purpose of helping customers and others improve security, but also potentially creating a deterrent effect through naming and shaming attacking states. The stakes here are higher because of the specificity and public nature of the attribution. For example, erroneous (or even accurate) attributions could prompt the accused state to take retaliatory measures against the accusing company (or against other companies from the same country over which the accused state has more leverage). The attributions could also create foreign policy difficulties for the US government if, for example, a company makes accusations against a foreign government at a sensitive time in bilateral relations. These risks might support requiring greater certainty about the attribution and more evidence to support it.
The evidence and disclosure standards for a government to accuse another government of a substantial attack—for example, an attack that disables or destroys critical infrastructure—might define the other end of the spectrum. In that circumstance, the accusation is made (1) by a government, (2) publicly, (3) specifically identifying the attacking state, and (4) for purposes that could include justifying responsive actions like sanctions or potentially use of force depending on the severity of the initial attack. Clearly the stakes in that situation are high. The 2015 UN Group of Governmental Experts report raises the evidentiary question in passing. In the section on the application of international law, the report notes that “accusations of organizing and implementing wrongful acts brought against States should be substantiated” (para. 28(f)). But the report does not explain or indicate that the GGE member states agreed on what kind of evidence or how much would “substantiate” accusations of internationally wrongful acts.
* * *
As I’ve noted in prior posts on private cybersecurity reports and the US-China cybersecurity deal, private parties are playing an increasingly important role in attributing state-sponsored cyberattacks. And the boundaries between private attributions and national security issues sometimes blur, as illustrated by Facebook’s notifications to State Department officials discussed above and by private parties’ claims to monitor China’s compliance with the September 2015 agreement not to engage in “cyber-enabled theft of intellectual property.” Evidentiary standards for attribution have already begun to and will continue to be worked out through practice in response to intrusions, but the attributions private parties have made and are prepared to make bring home that the relevant practice is not just the practice of states.