Honing Cyber Attribution
Before news broke in July 2016 that the Democratic National Committee’s (DNC) private files had been hacked by foreign agents, FiveThirtyEight had pinned Democratic primary candidate Hillary Clinton’s chances of winning the presidential election at 60.2 percent, while Republican Donald Trump’s stood at only 39.7. By the end of the month, the forecast showed the race was neck and neck, with Trump holding a marginal lead.i More importantly, the leak seemed to have been strategically timed with the Democratic convention that same month. Although election polling is cyclical and former secretary Clinton’s popularity had been on the decline since mid-July, the news was certainly embarrassing for and (we can presume) harmful to her campaign, especially since it suggested DNC favoritism. DNC chairwoman Debbie Wasserman Schultz resigned in disgrace shortly thereafter.ii
The more frightening aspect of the hack was the length of time that DNC servers had been compromised without the intruders being detected (in the estimation of cybersecurity forensics firm CrowdStrike, more than a year).iii The sophistication of the attacks suggested foreign intelligence involvement rather than ordinary hacktivism and this sentiment has been echoed by the media since the attacks.iv Shortly thereafter, a hacker with the handle Guccifer 2.0 claimed responsibility for the attacks and released additional stolen DNC documents to the Hill. According to the report, Guccifer 2.0 is purportedly Romanian “with no strong political leanings,” although his/her actual national identity (if indeed the entity is a single person) is far from conclusive.v CrowdStrike and others have argued that the hacks should be linked to Russian hacker groups APT28 and APT29, nicknamed Fancy Bear and Cozy Bear, respectively.vi Unsurprisingly, Russian officials have denied any involvement. In an interview with Bloomberg News, Russian President Vladimir Putin praised the leaks as a “public good” but that “on a state level Russia [was not behind it].”vii
While non-state hackers have been waging cyber attack campaigns in the name of nationalist ideals for many years, the question of when and whether these so-called patriotic hackers are supported, or even sponsored, by their governments is often ambiguous.viii And, as is the case with researching most clandestine activities, few open-source indicators are usually available to connect sources with outcomes, especially when proxies act as intermediaries. One explanation is that states employ sympathetic cyber proxies in order to maintain the illusion of plausible deniability. Borrowing from a small body of political science research on the motives for state support for rebel and terrorist organizations, this idea has slowly been gaining traction in cyber circles.ix Yet, efforts to trace these types of relationships in specific instances have remained largely subjective, relying on informal “preponderance of the [technical] evidence” to make judgments about whether a group might be state sponsored, and cui bono (motive) to link groups to specific countries. This is an inductive approach that, while increasingly creative and sophisticated, can inadvertently lead to what statisticians call “Type I” errors—false positives.x This is because motives are as ubiquitous as means in cyberspace (and twice as idiosyncratic). This is a seductively dangerous problem: in cyberspace, much is uncertain and misinformation abounds. The United States wants to maintain its deterrent capacity, but it wins no allies—and threatens to abdicate the moral high ground—by punishing potentially innocent parties. After all, one of the core precepts of effective deterrence is that it must be clearly linked to a target’s behavior.xi
What is missing from such analysis is the question of opportunity. In my own research, using decision-theoretic formal (mathematical) models and legal analysis of international rules on sovereign state responsibility, I argue that it may be possible to predict the likelihood that a particular state is behind a given attack a priori. That is, if we can deduce based on objective indicators only those states that possess the capacity and incentive to delegate computer network attack (CNA) operations to non-state hackers in the first place—even prior to knowing anything about the characteristics of the attack—it would be possible to narrow the pool of suspects. In turn, this will reduce our propensity to make Type I errors, which have the potential to lead to circular reasoning and self-reinforcing animosity between governments. In the remainder of this article, I describe a model for making such a determination.
When are CNA operations profitable for the aggressor? The obvious answer is that cyber attacks pay when they do maximal damage at minimal risk to the attacker. One might reasonably imagine that the utility offered by a cyber attack increases with effort (sometimes involving the burning of significant financial investments) and sophistication (smarter penetration with better obfuscation).xii It is generally assumed (although it is not universally the case) that higher levels of attack sophistication are associated with state involvement, and that therefore such attacks, when observed, may more likely be attributable to government actors.xiii The problem with using capability as a proxy for actor type is that it overlooks situations in which states may have chosen to aid or outsource illicit activity to non-state groups. This presumes there is some net benefit to the state for outsourcing a cyber operation. Yet what incentive would a state have to do this? When is support or sponsorships of private hacker groups beneficial?
The logic of principal-agent models is that a principal (here, the state) sees some benefit in delegating a task to an agent (non-state hacker or group). In standard economic and political science models, the advantage is in allowing the principal to avoid the opportunity cost of specialization; the agent can specialize and carry out specific tasks for the principal.xiv For instance, it would be a suboptimal use of time for presidential administrations to micromanage the implementation of domestic policy; instead, they create and delegate the particulars of the task to bureaucracies. But if governments have the ability to harness superior capabilities in cyberspace, this implies it is state military or intelligence apparatuses that maintain the edge in specialization, not their non-state counterparts. If so, there must be an alternative reason why some states see benefits in cyber conflict delegation.
Another problem with launching cyber attacks against a foreign adversary is that states may face a tradeoff between cost and effect. That is, the more effort is invested in an operation, the more damaging it is to one’s target (a “benefit”) but also the more liable the attacker is for the attack. Sophistication (clandestine capacity) can dampen this somewhat by obscuring the source of an attack, but innovations in attribution techniques mean there is nonetheless always a risk of being detected. Should an attack be successfully traced, the attacker can reasonably expect to suffer some form of reputational, legal, or material consequences to its international relations.xv As mentioned previously, this idea has led some to theorize that delegation to proxy hackers conveys plausible deniability for states. Although the network source of attack might be traceable back to a particular geographical location, the gap between who might be sitting behind the keyboard and who actually ordered the attack adds a further layer of difficulty in the attribution chain. If a CNA appears to originate from behind a particular state’s borders, the host government can disclaim responsibility by arguing that it had not launched any such attack itself, and that the true perpetrators are rogue hackers. Because host governments have the stronger jurisdictional position over private actors within their borders, victim states that cannot legally establish national responsibility for these actors have little recourse under international law when malicious agents are identifiable but go unpunished.xvi
The next step is to ask what factors engage sovereign responsibility for the acts of private nationals. While there is no universal or coherent source of international law regulating principles of state responsibility, the confluence of multiple secondary sources offers some suggestions: specifically, “persons exercising elements of government authority,” “conduct directed or controlled by the state” (emphasis added), rebel movements that later assume governmental roles, or “conduct acknowledged or adopted by the state,” according to the International Law Commission’s (ILC) 2001 Draft Articles on State Responsibility.xvii Although the draft articles are not themselves a binding source of law, they are presumed by many to be a rough articulation of lex lata custom and general principles. They also serve as an indication of how the international community might view the legitimacy of action (or reaction) against a government for harboring non-state hackers. In general, the articles illustrate that the more autonomy a non-state entity exercises, the less responsible its host government is for its actions. As government involvement grows more explicit and overt, a non-state entity can increasingly be seen as a de facto government agent.xviii Thus, in the case of cyber conflict, as support is increased, the benefits of outsourcing to proxies decrease.
This highlights the crucial tradeoff for would-be state sponsors: by investing in non-state hackers to improve their efficacy, states increase their vulnerability to the international consequences they seek to avoid in the first place by outsourcing. We can imagine that states try to manage this tradeoff by optimizing how much effort and sophistication is needed for a particular operation and what the probability/severity of consequences is expected to be. When a target is hardened, a great degree of support and direction is needed to help non-state actors accomplish their goals, but this increases the principal’s chances of being linked to the attack. In such a case, the host state’s dominant strategy may be to simply conduct the attack on its own, without relying on private agents who may threaten moral hazard or adverse selection problems.
Another issue is the degree of political or ideological alignment between a host government’s strategic objectives and its population of black hat “guns for hire.” States with larger hacker communities and better private cyber infrastructure have a larger pool of resources available to them. However, the cost of enticing prospective proxy actors depends on how sympathetic they are with the government’s goals. The marginal cost of inducing a hacker group to conduct cyber operations on behalf of the state is higher when the median member of the group disagrees with state policy (and, conversely, is lower when interests are convergent). When incentives are too low, state proxies will pursue their own agendas—a classic problem in principal-agent theory. States with sympathetic hacker populations avoid the problem of adverse selection (although they may face the inverse problem when hackers are very nationalistic but state policy is moderate).
My theory lays out the following basic premise: the extent of state support for non-state hackers should depend on (1) the alignment between state and hacker goals, (2) the degree of support needed relative to the difficulty of achieving a given operational aim, and (3) the value of a state’s objectives relative to the expected consequences of getting caught. Using a formal model, I calculate the comparative statics involved in whether delegation offers utility for states, and if so at what level support is provided.xix Although quantifying the value of a state’s particular political aims on a given issue is difficult and largely subjective, the assessment of “motive” is precisely the area in which cyber investigators already maintain a comparative advantage (through investment and innovation in forensic techniques as previously discussed). The framework offered in this article and expanded on in other papers should aid analysts in thinking carefully about which suspects with motive should be eliminated based on the means and opportunity criteria.xx
Particularly, all else equal, we should expect that states with nationalist hacker pools have a greater incentive to outsource, since agents’ services can be purchased more cheaply and political aims are likely to be pursued in earnest. Similarly, states whose hacker pools include a large number of highly skilled individuals or groups can be expected to better insulate themselves from any consequences of getting caught, since less support is required to make such hackers effective. Dichotomizing these worlds gives us the 2x2 representation depicted in Figure 1. When non-state hackers are highly sympathetic and highly skilled, outsourcing offers the most benefits to states, since they only need to refrain from prosecuting or extraditing offenders. States in this situation may even be able to plausibly claim not to be able to locate the parties responsible, even while ostensibly pledging to cooperate.
When private hackers are skilled but opposed to government policy, employing them requires significant side payments (such as threats or bribes). The encouragement required means national responsibility is more easily established under international law, although I argue that the inverse world—one in which hackers are unskilled but supportive—is riskier for sponsors.xxi Although tacit material support does not trigger national responsibility to the same extent as overt verbal support, states have not seemed reluctant to ascribe blame to suspected attackers regardless of whether the legal burden of proof has been met (which I argue is rarely possible).xxii
The closer a victim state can get to proving an accused state’s involvement, the more severe the reputational consequences. Importantly, however, this does not mean that the reputational consequences are nil for evidence below this threshold. Similarly, even if sponsors are operating beyond the reach of the law, victims may have a variety of retaliatory means (such as sanctions, but also potentially cyber reprisals) at their disposal that are also capable of skirting legal prohibition in much the same way. Host states probably recognize this fact, and thus they should be expected to perceive little value added to delegation when either (a) private hackers are unsympathetic to state interests or (b) available sympathizers are too unsophisticated to achieve any worthwhile foreign policy aims. The exception is among states that can levy financial or ideological incentives but lack their own in-house cyber expertise. In this way, states with weak internal cyber capabilities might adopt mercenary methods.
These aspects should be relatively observable among states in the international system. Given that scholarship has provided a fairly clear picture of what the international legal repercussions will be for a given action with or without the use of proxy actors, it is also possible to qualify a state’s cyber capabilities and political aims, as a function of dyadic enmity and the salience of a given issue, as well as the degree of nationalism and skill exhibited by its hacker population (albeit with some error). Some of this research, particularly on foreign cyber strength, is already carried out by state intelligence organizations. Information on nationalism or ideological salience among private actors in cyberspace can be inferred through existing polling data and clarified through intelligence tradecraft and even additional social science research. Imputing rough approximations for these variables should give investigators a clearer idea about which states are (1) predisposed to outsourcing and (2) may have had the means, motive, and opportunity to do so in a recent attack. Most importantly, because gathering post-attack forensic evidence is difficult, time-consuming, and expensive—not to mention the fact that private firms are often reluctant to disclose breaches when they are detected for fear of looking weak on data security—this framework should allow us to narrow the list of suspects by process of elimination without knowing any of the technical details of the case.
Cyber attacks will continue to pose problems for national security for the foreseeable future, and the proliferation of Internet access, which partially levels the playing field between states and individuals in the cyber domain, means the threat of patriotic (or otherwise non-state) CNA will no doubt increase should no developments intercede to alter our current trajectory.xxiii The framework espoused in this paper proposes a method of differentiating between plausible and truthful deniability when non-state attacks do occur. Specifically, when the permissive conditions outlined above overlap with forensic indicators in a given instance, we have a match. This adds to the persuasive content of attribution reports while also reducing the likelihood of false positives. Readers should also be optimistic because the conditions under which states should rationally choose to delegate are narrower than commonly envisioned, which implies that these types of cyber conflicts are fewer, more controlled, and that the principals behind them can be held accountable.
Justin Key Canfil is a PhD candidate in political science at Columbia University. His research focuses on international law, technology, and national security issues.
i. Nate Silver, “2016 Election Forecast,” FiveThirtyEight, 29 June 2016.
ii. Hayley Walker, “Sanders Calls for Wasserman Schultz to Resign After Email Leaks,” ABC News, 25 July 2016.
iii. Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee” (blog, CrowdStrike, 15 June 2016).
iv. Sam Thielman and Spencer Ackerman, “Cozy Bear and Fancy Bear: Did Russians Hack Democratic Party and If So, Why?” Guardian, 29 July 2016.
v. Ian Swanson, “Guccifer 2.0 releases new DNC docs,” Hill, 13 July 2016.
vi. Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee.”
vii. Jake Rudnitsky, John Micklethwait, and Michael Riley, “Putin Says DNC Hack Was a Public Good, But Russia Didn’t Do It,” Bloomberg, 2 September 2016.
viii. For a history, see Jason Healey and Karl Grindal, eds., A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Vienna, VA: Cyber Conflict Studies Association, 2013).
ix. For recent examples, see Erica Dreyfus Borghard, “Friends with Benefits? Power and Influence in Proxy Warfare” (PhD dissertation, New York, NY: Columbia University, 2014), and Idean Salehyan, David Siroky, and Reed M. Wood, “External Rebel Sponsorship and Civilian Abuse: A Principal-Agent Analysis of Wartime Atrocities,” International Organization 68, no. 3 (2014), 633-661; Seul Ah Choi and Namkung Gon, “State-Led Back-Scratching Alliance in Cyber Warfare,” Korean Journal of International Studies (2013), Ryan Hang, “Freedom for Authoritarianism: Patriotic Hackers and Chinese Nationalism,” Yale Review of International Studies (2014), and Jessica Chen Weiss, Powerful Patriots: Nationalist Protest in China’s Foreign Relations (Oxford University Press, 2014).
x. See, for example, "APT1: Exposing One of China's Cyber Espionage Units" (report, Mandiant, 18 February 2013)
xi.Carl von Clausewitz, On War, Michael Howard and Peter Paret, eds. and trans. (Princeton, NY: Princeton University Press, 1989 (1832)); Robert A. Pape, Bombing to Win: Air Power and Coercion in War (Ithaca, NY: Cornell University Press, 1996); Thomas Schelling, Arms and Influence (Westport, Conn: Praeger, 1977); and Martin Libicki, “Cyberdeterrence and Cyberwar” (Rand Corporation, 2009).
xii. Andy Greenberg, “Here’s a Spy Firm’s Price List for Secret Hacker Techniques.” Wired, 18 November 2015.
xiii. Scholarly commentary at SIPA Summer Multi-Disciplinary Workshop on Cybersecurity (Chatham House Rules) (New York, NY: 21-24 June 2015).
xiv. Ariel Rubinstein, “Perfect Equilibrium in a Bargaining Model,” Econometrica 50, no. 1 (1982), 97-109; Robert O. Keohane, After Hegemony: Cooperation and Discord in the World Political Economy (Princeton, NJ: Princeton University Press, 1984); and Keith Krehbiel, Information and Legislative Organization (University of Michigan Press, 1992).
xv. In addition to the reputational costs possibly incurred vis-à-vis other states for duplicitous acts of aggression, CNA of sufficient magnitude might engage a target state’s lawful right to self defense under Article 51 of the United Nations Charter. Responses to attacks below this threshold (arguably the preponderance of cyber conflicts to date) are covered in the international law on countermeasures, which govern permissible methods of non-forcible retaliation. These could include a variety of coercive instruments, such as treaty suspensions or diplomatic and economic sanctions. For a detailed analysis, see Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013).
xvi. Lori Damrosch and Sean Murphy, International Law, 6 edition (St. Paul, MN: West Academic Publishing, 2014).
xvii. See “Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries” (International Law Commission, 2001); also a number of International Court of Justice (ICJ) cases for hints about how international arbiters are likely to interpret responsibility, including case concerning U.S. diplomatic and consular staff in Tehran (United States of America v. Iran, ICJ, 15 December 1979), case concerning military and paramilitary activities in and against Nicaragua (Nicaragua v. United States of America, Merits, ICJ, 27 June 1986), as well as several ad hoc tribunal cases, including 3,900 conducted by the Iran–United States Claims Tribunal beginning in 1981.
xviii. For a formative application of the spectrum of control to cyber conflict, see Jason Healey, “The Spectrum of National Responsibility for Cyberattacks” Brown Journal of International Affairs (2011).
xix. Justin Key Canfil, “The Causes and Consequences of Proxy Conflict in Cyberspace” (working paper, earlier versions presented at the SIPA Cyber Workshop, 23 March 2016, and distributed at the SIPA Cyber Proxies Conference, 25 July 2016). Please contact the author at [email protected] for more information.
xxi. For example, the revolutionary government in Iran verbally expressed support (although did not materially aid) student protestors who stormed the U.S. embassy and took a number of diplomats hostage in the infamous 1979 Iran hostage crisis. In the subsequent case United States vs. Iran, the ICJ ruled that these utterances were sufficient to elevate hostage-taking action to the de facto state policy of Iran, thus engaging Iranian national responsibility for the act of aggression.
xxii. See Nicaragua v. United States. The logic is that a state may provide material aid to a non-state organization without knowledge aforethought of the latter’s malicious intentions; Formally, denote a state’s attribution capabilities as A and the burden of proof under international law as L. Then A £ L in practice. Legal standards tend to be very strict on questions of national responsibility (see Iran–United States Claims Tribunal for examples). In other words, legal standards are typically beyond what most victim states are capable of or willing to demonstrate through the provision of forensic evidence, especially considering the narrow conditions under which a particular cyberattack can be shown to constitute a violation of international law and the accused state is willing to agree to arbitration.
xxiii. Joseph S. Nye, Jr. “Cyber Power” (report, Harvard Kennedy School Belfer Center for Science and International Affairs, May 2010).