When the Democratic National Committee realized they had been hacked in April 2016, they turned to experts from a private company: the cybersecurity firm CrowdStrike. Within a day, the company had identified two Russian state-sponsored hacking groups inside the DNC network. Within a few weeks, it publicly explained its analysis in a detailed blog post. It wasn’t until months later that the US government publicly confirmed Russia’s role.
William G. Rich is an International Affairs Fellow at the Council on Foreign Relations. From 2015 to 2018, he served as the US Treasury Attaché to the UAE and Oman. He previously held counterterrorism and intelligence roles for the US government overseas and domestically.
As government-backed hackers in Russia, China, Iran, and North Korea continue to infiltrate and attack American companies, it’s often private cybersecurity firms, rather than the US government, that are publicly assigning blame. By stepping aside to let private firms expose nation-state hackers, the US government preserves its intelligence capabilities and options to retaliate. It’s an informal arrangement that has been good for business and government and bad for state-sponsored hackers.
Unfortunately, it’s a situation that is too good to last. Though cybersecurity firms are proliferating, there are no agreed-upon standards for making accusations of cyber-attack, increasing the risk that business incentives will tempt companies to name culprits without sufficient evidence. States themselves may even spread misinformation about the source of an attack. As the waters get muddied, the government needs to take on a larger role in naming and shaming state-backed hackers.
The process of assigning blame for cyber-attacks, known as attribution, is a mix of art and computer science. It requires weaving together subtle forensic clues with past attack methods, current operational techniques, and knowledge of adversaries’ geopolitical objectives to identify a likely perpetrator. Hackers are always looking for new ways to cover their tracks or throw blame on others.
Successful attribution makes hackers’ jobs harder. As the risk of getting caught goes up, the likelihood of a country conducting an attack to obtain illicit information declines. When cybersecurity firms are able to call-out nation states for engaging in data theft, destruction, and espionage, hackers and the countries that employ them must consider real costs in the form of public embarrassment and potential retribution.
Nation-states that conduct cyber-attacks, unlike criminal groups, are sensitive about their reputations and the impact that accusations of hacking have on their foreign policy interests. We know this because of the vehement denials issued by countries caught in the act. Even North Korea, known for its reclusive behavior, regularly denies accusations of hacking.
American government agencies are often loathe to speak publicly about the origin of cyber-attacks because they fear exposing their methods of monitoring nation-state hackers. Officials commenting publicly can also undercut efforts to pursue prosecution, apply diplomatic pressure, or retaliate in other ways. So the US government has been perfectly happy to let private companies take the lead while they formulate a response. But by avoiding public comment, the United States is forgoing a powerful tool in deterring attacks: timely public exposure that causes hackers and their sponsors to question the value of such activity.
In exceptional cases, the US Department of Justice or Intelligence Community have officially attributed attacks. These attributions tend to be detailed and laced with damning facts, like the identities of specific foreign government hackers and names of military or intelligence units involved. Official announcements—particularly in the context of criminal indictments—can be powerful deterrents, but they are infrequent and require considerable time and resources, sometimes coming years after the attacks have occurred.
For now, private security firms continue to lead the way on public statements of attribution. But their work is not done for altruistic reasons alone; cybersecurity firms’ ultimate goal is to sell software and services. In particular, there is value in being the first company to publicly attribute an attack because it is typically the firm most widely cited in the press.
The most prominent of these private companies are believed to adhere to high technical standards. But as the cybersecurity sector gets more competitive, firms will seek to distinguish themselves by capturing headlines. The cybersecurity industry is expanding rapidly—by some accounts, at 15 percent a year—and new firms are constantly entering the market. These up-and-comers will be under pressure to make a name for themselves by attributing attacks quickly and loudly. Because there is no standard for what attribution looks like, these firms have flexibility in how rigorous their assessments are. Attribution will become less and less reliable as firms race to the minimum level of certainty before going public. Hackers may even exploit this phenomenon by deliberately including misleading clues to ensnare firms.
There is also real risk of so-called attribution pollution, spurious claims of responsibility. It’s not hard to imagine a situation in which malicious foreign cybersecurity companies are founded simply to provide erroneous attribution or to dispute others’ conclusions. Indeed, we got a taste of this in the 2014 North Korean hack of Sony Pictures, when credible companies offered competing narratives to the official attribution. The uncertainty lasted weeks, undermining efforts to hold North Korea accountable. Although those disagreements appeared to be legitimate, the situation underscored that for states seeking to avoid responsibility, eroding confidence in attributions can be an effective tactic.
Owing to these factors, the value of private attributions will decline—that much is obvious. Already, the Justice Department is increasingly naming hackers in documents, and US Cyber Command has begun posting samples of malicious code in a public repository. But it’s clear that the US government needs to partner with private firms to better share information about malicious actors and establish industry-wide standards and methods for attribution.
It won’t be easy. It’s not in firms’ interest to share proprietary data and techniques with their competition. But without a major effort to share intelligence and set attribution standards, the small island of accountability provided by private cybersecurity firms will be subsumed in the ever-rising ocean of malicious activity.