Hacking attribution
Bolstering the credibility of attributing cyberattacks

Published 6 June 2017

Even as major cyber incidents receive high-profile press coverage, many segments of the general public are coming to dispute and question the credibility of the attribution findings — the declared identities of the perpetrators.

In a new RAND report, researchers review the state of cyber attribution and consider how to bolster the credibility of the process by making it more standardized and transparent. In particular, the report recommends the creation of an independent, global organization to investigate and publicly attribute major cyber-attacks.

The researchers assert that identifying the responsible party behind malicious cyber incidents is a necessary prerequisite for holding actors accountable. But reaching a cyber attribution finding is difficult. Technical, political and all-source indicators are all tools used in determining attribution, usually in some combination.

A further challenge is persuasively communicating a finding to an intended audience. Credibility hinges on several factors: strong evidence, demonstration of the requisite knowledge and skills for reaching a correct conclusion, a track record of accuracy and precision, a reputation for objective and unbiased analysis, and a transparent methodology that includes an independent review process. RAND researchers find that effective cyber attribution investigations will reflect these considerations and achieve public credibility.

Key findings
Cyber attribution efforts lack uniformity and credibility
— Analysis of recent cases indicates that the practice of attribution has been diffuse and discordant, with no standard methodology used in the investigations to assess evidence, nor a universal confidence metric for reaching a finding.

— In several cases, investigations were performed but no formal attribution finding was made public by the investigative entity or victim. Further, public statements of attribution have been met with suspicion, confusion, and a request for greater transparency about the investigation and the evidential basis.

Challenges in cyber attribution
— The first challenge concerns the difficulty of reaching a cyber attribution finding. Technical, political, and all-source indicators are all tools used in determining attribution, and usually are used in some combination.

— A second cyber attribution challenge concerns the issue of persuasively communicating a finding to an intended audience. Credibility hinges on several factors: strong evidence, demonstration of the requisite knowledge and skills for reaching a correct conclusion, a track record of accuracy and precision, a reputation for objective and unbiased analysis, and a transparent methodology that includes an independent review process.

— Effective cyber attribution investigations will reflect these considerations and achieve credibility in the eyes of the target audience.

Recommendations
— In light of the aforementioned challenges and insights, the authors propose and explore the nature of an international organization for cyber attribution, which this report refers to as the Global Cyber Attribution Consortium (the Consortium).

— This broad team of international experts would provide independent investigation of major cyber incidents for the purpose of attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academia and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.

— The Consortium would work with victims or their advocates upon their request and with their cooperation to investigate cyber incidents using a diverse set of methodologies and would publish its findings for public review.

— In addition to providing a credible and transparent judgment of attribution, the Consortium’s investigations would help standardize diffuse methodological approaches, naming conventions, and confidence metrics that would advance shared understanding in cyberspace and promote global cybersecurity.

— The international community could use the Consortium’s findings to bolster network defenses, thwart future attacks, and pursue follow-on enforcement actions to hold the perpetrator(s) accountable.

— Read more in John S. Davis et al., Stateless Attribution: Toward International Accountability in Cyberspace (RAND, June 2017)