In the midst of rising tensions between the United States and Iran over tanker attacks and Iran’s downing of a U.S. drone, reports emerged that U.S. Cyber Command had launched a responsive cyber operation against a group linked to the Iranian Revolutionary Guard Corps. The following day, the Department of Homeland Security warned about “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.”

As cyber operations by both states heat up, non-governmental actors may play pivotal roles, not just as potential victims and collateral damage from states’ actions, but also as accusers of states. Non-governmental actors have attributed previous cyber activities to Iranian government-linked actors and played an important role in investigating the Stuxnet attack on Iranian nuclear centrifuges. As I discuss in an essay published last week in the American Journal of International Law Unbound, non-governmental parties play an important role in the current decentralized system of publicly attributing cyberattacks to states.

An Uptick in Attributions

After years of handwringing about whether attribution of cyberattacks was possible, both governmental and non-governmental parties have publicly attributed cyberattacks to states in recent years. In February 2013, Mandiant—now part of the cybersecurity company FireEye—made a splash by publishing a detailed report accusing Unit 61398 of China’s People’s Liberation Army (PLA) of hacking 141 companies. The United States followed over a year later by indicting five PLA members for hacking U.S. companies to steal intellectual property. The last two years saw a significant uptick in governments attributing cyberattacks to other governments, including coordinated attributions by the United States, United Kingdom, and other allies of the WannaCry ransomware to North Korea and of attacks on chemical weapons investigators and antidoping authorities to Russia.

But more consistent than governmental attributions have been public attributions by non-governmental institutions, including companies like FireEye and CrowdStrike, and other entities such as the Citizen Lab at the University of Toronto and the Electronic Frontier Foundation.

Differences between Governmental and Non-Governmental Attributions

As my essay details, non-governmental attributions differ from their governmental counterparts in several ways.

  1. Non-governmental attributions tend to be faster. CrowdStrike, for example, publicly attributed the 2016 hack of the Democratic National Committee to Russia months before the U.S. government did.
  2. Because governments are often unwilling to disclose intelligence sources and methods, non-governmental attributions are often more detailed than government accusations. Non-governmental attributions typically provide indicators of compromise and other technical information that enable security professionals to take defensive actions on their own systems.
  3. Non-governmental actors have different incentives than governments, so they have outed a broader range of governments and addressed a wider variety of cyberattacks. Governmental attributions often focus on disruptive attacks, like WannaCry, or intellectual property theft. But non-governmental attributions, like those by Citizen Lab, have also unmasked cyberespionage operations with human rights implications. Non-governmental actors have also attributed cyberattacks in circumstances, like the Office of Personnel Management breach, where governments, perhaps for diplomatic, security, or political reasons, have chosen to keep silent.
  4. Non-governmental attributions may have different motivations than governmental ones. Especially for companies that publish attributions, publicly outing state-sponsored attacks is good for business, demonstrating the companies’ skills and sparking positive press coverage.
  5. The consequences of publicly attributing a state-sponsored cyberattack differ based on the nature of the attributor. Governments face pressure to combine the attribution with responsive actions, whether indictments, sanctions, cyber operations, or even kinetic responses (if the initial cyberattack amounted to an armed attack). Non-governmental attributors aren’t responsible for such follow-up.


The proliferation of non-governmental attributions carries with it some obvious risks. For example, a company launching an accusation against a government may spark diplomatic consequences—consequences that will be largely borne by the company’s home government (often the United States)—which could disrupt ongoing negotiations or other priorities. The detailed nature of many non-governmental attributions could also set expectations for the amount and kind of evidence governments should put forth, and governments may have difficulty meeting those expectations without compromising intelligence sources and methods.

At the same time, non-governmental attributions also offer some clear benefits. Prominent among them is greater transparency about what states are doing in cyberspace. This transparency comes from the faster, more detailed, and more diverse non-governmental attributions.

The Underappreciated Virtues of Decentralization

Several proposals in recent years have suggested centralizing attribution of state-sponsored cyberattacks in a new international entity. For example, the Atlantic Council has proposed a states-only council to do both attribution of cyberattacks and adjudication of related interstate disputes. Microsoft has suggested a multistakeholder body, including both states and non-governmental experts, modeled on the International Atomic Energy Agency. And researchers at the RAND Corporation have proposed a “Global Cyber Attribution Consortium” that, in contrast to the Atlantic Council proposal, would exclude governments entirely.

While these proposals have significant appeal, the differing features of governmental and non-governmental attributions highlighted above suggest some virtues in decentralization, and reasons to preserve a role for a multiplicity of attributors even alongside a future attribution entity.

To give just one example, having multiple and different kinds of attributors can capture the benefits of both speed and credibility, with some attributors publicizing attributions comparatively quickly and others over time adding their confirmations (or debunking earlier inaccurate attributions). The attributions of the DNC hack to Russia unfolded in this gradual, calibrated way: CrowdStrike attributed the intrusion to Russia in a blog post in June 2016; other researchers confirmed the attribution within weeks; the U.S. government confirmed the attribution in a statement in October and with economic sanctions (and other responses) in December 2016; Special Counsel Robert Mueller indicted Russian intelligence officers for the hacking in July 2018; and in October 2018, Australia, New Zealand, and the United Kingdom piled on with attributions of the DNC hack to Russia.

*          *          *

Cyber intrusions are already playing a significant role in the unfolding situation between the United States and Iran. Whether the respective governments choose to publicize the cyber-related aspects of their tense relations or not, non-governmental actors will be monitoring and quite likely publicizing both governments’ operations.

The full AJIL Unbound symposium on cyber attribution is available here, and in addition to my essay, it includes contributions from Monica Hakimi, William C. Banks, Berenice Boutin, Lorraine Finlay & Christian Payne, and Chimène I. Keitner.


IMAGE: A laptop displays a message after being infected by ransomware as part of a worldwide cyberattack on June 27, 2017. The global ransomware cyberattack hit more than 200,000 victims in more than 150 countries. (Photo by ROB ENGELAAR/AFP/Getty Images)