In a recent article in Contemporary Security Policy, Florian J. Egloff reflects on the contested nature of public attributions of cyber incidents and what role academia could take up.
In the last five years, public attribution of cyber incidents has gone from an incredibly rare event to a regular occurrence. Just in October 2018, the UK’s National Cyber Security Centre publicized its assessment of cyber activities conducted by the Russian military intelligence service (also known by its old acronym, the GRU). Clearly, publicizing activities that other political actors like to keep secret is a political act – but what kind of political act is it and what happens when a government publicly attributes?
For research on governmental public attribution, one can split the public attribution process into two phases: mechanisms that lead to public attribution and what happens after an incident is publicly attributed. Little research exists on either phase with regard to attribution of cyber incidents. This is problematic as our understanding of contemporary security policy rests on knowledge about what drives threat narratives, how and why particular attributions are introduced publicly, and how contestation of threat narratives takes place in the public sphere.
In a recent article for Contemporary Security Policy, I focus on the second phase of public attribution, namely, what happens after a government goes public about a cyber incident. Understanding this phase is important as public attributions of cyber incidents are one of the main sources from which the public learns about who is attacking whom in cyberspace, thereby shaping the threat perception of the general public. Most attribution judgements are published by governments, the private sector and a small number of civil society actors. To situate the knowledge space in which attribution claims are introduced, I reflect on such attributions as a source of knowledge about cyber conflict by identifying how they structurally shape our understanding of cyber conflict, in particular due to operational and (political, commercial, and legal) structural factors. In short, I argue that due to the commercial incentives on the private sector side and the political bias on the government side, public data about cyber conflict structurally induces distrust in the representativeness of public attribution statements.
I also focus on the contestation of public attribution claims in democracies and the consequences such contestation brings. Contestation is fundamental to democratic politics. Open debate, the ability of everyone to freely voice opinions, and the emergence of truth through democratic discourse are foundational to the public sphere of democratic polities. Thus, the ability to contest is a sign of healthy democratic politics. However, as I show in the article, this openness to contestation, coupled with an information-poor environment, creates particular problems in the area of cybersecurity.
Attribution claims are introduced and contested, and even the possibility of performing attribution is questioned. Disinformation tactics are used to muddy specific attribution claims, leaving an electorate exposed to the coexistence of multiple “truths” and a fractured narrative of the past. Because governments attach secrecy to attribution processes, particularly owing to intelligence agencies’ concerns about sources and methods, they are often reluctant to reveal the evidence underlying attribution judgments. These are ideal enabling conditions for other actors to contest governmental claims.
In a series of empirical examples (Sony Pictures in 2014, the Democratic National Committee in 2016, and NotPetya in 2017), I reflect on the drivers of contestation after an incident is publicly attributed and show how attackers and other constituencies with various political and economic motivations advance particular narratives. The Sony incident highlights the difficulty a government can have in convincing an electorate of its claims when there is no record of accomplishment in making attribution claims in public. The DNC intrusion shows how the attacker can take part in the meaning-making activities, in this case by actively trying to dispel the notion that the government knows who is behind a cyber incident. Finally, the NotPetya incident illustrates how actors seem to have learned from the contested cases. In particular, the coordination of attribution claims across different countries and entities was specifically designed to bolster the legitimacy and credibility of the attribution claims at the international level.
Finally, I reflect on how academia could provide a partial remedy. Academia, so far, has not been a strong participant in the discursive space around particular attributions. However, academia’s commitment to transparency and independence theoretically makes it well-placed to add to independent interdisciplinary contributions on the state of cyber conflict. Thus, I argue there is an increasing need for academic interventions in the area of attribution. This includes interdisciplinary research on all aspects of attribution (not just in cybersecurity), and conducting independent research on the state of cyber conflict historically and contemporarily. One of the main implications of my argument about research on contestation of attribution claims for democracies is that they need to be more transparent about how attribution is performed. This could enable other civilian actors to study cyber conflict and to thereby broaden the discourse on what is one of the main national security challenges of today.
Florian J. Egloff is a Senior Researcher in Cybersecurity at the Center for Security Studies at ETH Zürich. He is the author of “Contested public attributions of cyber incidents and the role of academia”, Contemporary Security Policy, Advance Online Publication, available here. A shorter policy analysis on the subject can be found here.