The next time you see “It was the Russians/Koreans/Iranians…” add a huge pinch of salt…:
Even after tracing back to a particular country, analysts still need to determine whether an attack was state-sponsored. To maintain deniability, hostile governments often rely on third-party actors, which they know will never testify in foreign courts.
This leaves relatively few options for identification. According to the DNI’s 2018 Guide to Cyber Attribution, the most important indicator is “tradecraft”—the tools, techniques and procedures associated with a given attacker. But even these can be copied by a careful observer, as a Russian group reportedly demonstrated with Iranian techniques just last year.
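To make the tradecraft argument concrete, here is an added example (not from the article or the DNI guide) of how an analyst might score an intrusion's observed techniques against candidate actor profiles, and why such overlap alone cannot settle attribution. The actor names, technique labels, the set of "publicly documented" techniques and the confidence thresholds are all constructed for this demo. The scoring is plain Jaccard overlap; the caveat it encodes is the one the paragraph makes: if every matched technique is already public knowledge, a careful imitator could have produced the same match, so confidence is capped at "low" until corroborating evidence arrives.

```python
"""Tradecraft-overlap attribution scoring with a false-flag caveat.

Added illustrative example. Actor names, technique labels, the "publicly
documented" set and the thresholds are all constructed for this demo; none
come from the DNI guide or any real case.
"""
from typing import Dict, Set

# Hypothetical candidate groups and the techniques an analyst has tied to each.
ACTOR_PROFILES: Dict[str, Set[str]] = {
    "actor_a": {"spearphish_attachment", "macro_dropper", "cred_dump_lsass",
                "rdp_lateral", "https_c2", "packer_a_private"},
    "actor_b": {"spearphish_link", "ps_loader", "cred_dump_lsass",
                "smb_lateral", "dns_c2", "wiper_b_private"},
}

# Techniques described publicly in enough detail that a careful imitator
# could reproduce them (constructed set; the two "*_private" tooling
# artifacts are assumed not to be public).
PUBLICLY_DOCUMENTED: Set[str] = {
    "spearphish_attachment", "macro_dropper", "cred_dump_lsass", "rdp_lateral",
    "https_c2", "spearphish_link", "ps_loader", "smb_lateral", "dns_c2",
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two technique sets as |a & b| / |a | b|, 0.0 if both empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_candidates(observed: Set[str],
                     profiles: Dict[str, Set[str]] = ACTOR_PROFILES) -> Dict[str, float]:
    """Jaccard similarity of the observed tradecraft against every profile."""
    return {name: round(jaccard(observed, ttps), 3) for name, ttps in profiles.items()}


def assess(observed: Set[str],
           profiles: Dict[str, Set[str]] = ACTOR_PROFILES,
           public: Set[str] = PUBLICLY_DOCUMENTED,
           margin: float = 0.3) -> Dict[str, object]:
    """Rank candidates and attach a confidence label.

    Confidence is capped at "low" whenever every matched technique is public
    knowledge, because that overlap is exactly what a false-flag operation
    can reproduce. "moderate" needs a clear lead over the runner-up and at
    least one matched technique that is not publicly documented.
    """
    scores = score_candidates(observed, profiles)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best, top = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    matched = observed & profiles[best]
    copyable = matched <= public  # every matched technique is public knowledge

    if top == 0.0:
        confidence = "none"
    elif copyable:
        confidence = "low"
    elif top >= 0.5 and top - runner_up >= margin:
        confidence = "moderate"
    else:
        confidence = "low"

    return {
        "best_match": best,
        "scores": scores,
        "matched": sorted(matched),
        "all_matched_public": copyable,
        "confidence": confidence,
    }


if __name__ == "__main__":
    # Constructed intrusion 1: includes actor_a's non-public packer artifact.
    genuine = {"spearphish_attachment", "macro_dropper", "cred_dump_lsass",
               "rdp_lateral", "https_c2", "packer_a_private"}
    # Constructed intrusion 2: the same public techniques and nothing private,
    # which is what a careful imitator of actor_a would leave behind.
    imitation = genuine - {"packer_a_private"}
    for label, obs in (("genuine", genuine), ("imitation", imitation)):
        print(label, assess(obs))
```

Run as a script, the "genuine" intrusion scores 1.0 against actor_a and earns "moderate" confidence, while the "imitation" still scores 0.833 against actor_a but is held at "low" because nothing in the match goes beyond what has been published. The design choice is deliberate: a high overlap score is necessary but not sufficient, and the non-public indicators (infrastructure reuse, private tooling, operator mistakes) are what carry the weight.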
Consider a hypothetical: It is now November of 2020, and Trump has lost the election by a thin margin. But before Biden can take office, the Pennsylvania Bureau of Election Security announces that its databases have been hacked, potentially affecting results in a key swing state. Irate, Trump quickly blames Iran and announces his intention to launch retaliatory strikes. “Not so fast,” say congressional Democrats, who are convinced that Russia was behind the operation.
If this scenario were to play out, it’s far from clear what a U.S. response would look like. The DoD’s first-of-its-kind Cyber Posture Review included nothing on identification, escalation, or “thresholds” – in contrast to its nuclear posture sibling. Strategic planners should know what level of attribution confidence would justify a military response, were a cyber-attack to hit U.S. infrastructure tomorrow. Unfortunately, our cybersecurity doctrine still treats attribution as an issue to be solved extemporaneously.