The complexities of public attribution

A look at the complexities of public attribution and why nation-states doing it will have real-world implications.

Over the past couple of years, we have seen an emerging trend from nation-states, or a consortium of nations publicly attributing cyberattacks to a particular adversary. In the game of spies spying on spies, it has become a game of whodunnit that can have repercussions in the real world.

Now, you may have read about APT actors on this blog or seen reports from our colleagues in the cybersecurity space in the past, but that work came from security researchers — and security researchers tend to avoid doing specific public attribution and will instead talk about clues such as the language the attackers speak, target location, and indicators of compromise (IOCs). They may even give APTs names like Fancy Bear, Equation, Desert Falcons or APT27, which may (or may not) contain hints about the characteristics of the threats.

Their actions may annoy those responsible, but this is not, say, the United Kingdom pointing a direct finger at Israel or the United States holding a press conference with indictments against members of clandestine services in Russia. As I said, there are consequences to such attribution — but as they say, all is fair in love and war.

Earlier in the month, during the Security Analyst Summit, Florian Egloff of the center for Security Studies discussed this topic during the SAS Unplugged session of the conference.

Egloff wasted no time getting into the real-world consequences of these public outings or shaming from governments around the world, which have ranged recently from sanctions to the expulsion of diplomats. The past few years have seen cybersecurity emerge as a key focal point of foreign policy. This area ranges from building out stronger investment to attribution and prevention and potentially adding public attribution to incident response.

These responses include some actions that are meant to deal direct harm to an adversary. Some actions could include offensive measures or burning a toolkit of a nation-state attacker by sharing samples with Virus Total.

This threat-response evolution continues, and in the past year, we have seen nations publicly name an actor in conjunction with one another and with policies that have taken center stage. So, what does the future hold?

There is no silver bullet answer here, those who study threat response and those who work in government will continue to keep an eye on the issue. If you’ve read this blog recently, you also know that APT groups have continued their covert actions.

Governments’ mandates to protect their lands and people has now expanded to include the cyberworld, which has become just as important as the physical world when it comes to warfare.