The anonymity that cyberspace provides is an all-too-valuable asset for malicious cyber actors, none more so than nation-states, which can fully exploit the cover of cyber operations for plausible deniability while still achieving strategic objectives. Peeling back the cover of anonymity and “lifting the veil” to identify the culprits of cyberattacks is critical to aligning actions with consequences and diminishing unacceptable behavior globally.
Given the complex weave of a globally interconnected system, cyber attribution—or the process of identifying and disclosing responsibility for malicious cyber operations—typically involves piecing together sometimes ephemeral digital clues, analyzing patterns of behavior, and finding similarities in tactics, techniques, and procedures with those of known threat actors. For nation-states, this process goes beyond a single-threaded technical exercise and involves significant use of both classified and unclassified intelligence sources to not only identify the threat actors perpetrating the attack but also the government, organization, or company that may be supporting or directing the operation. Take the deluge of cyberattacks that Russia has launched against Ukraine over the past year: U.S. and U.K. leaders have been especially quick to respond, and, after analyzing the evidence, publicly assign blame to the cyber actors—and the Kremlin that directed them—in an effort to mobilize those affected and minimize the harm caused.
Cyber attribution is a particularly critical element of an effective government response to cyber threats. It sets the stage and provides a public, political rationale for using instruments of power—be they diplomatic, financial, or otherwise—to curb and deter bad behavior. It is because of these consequences that states undertake a very formal and rigorous process of intelligence gathering and analysis before any determination is made. Though the process is often criticized for being lengthy and late and many times validating what is already assumed, the potential for state conflict requires a level of confidence and surety that only a rigorous process can provide. The diligence and discipline also act as a natural check against false flags and hasty assignments of blame—a worthwhile tradeoff given the potential implications of getting it wrong.
But cyber warfare’s relevance in real-world crises increasingly requires surety and speed. The difficulty of achieving both at once has necessarily led to greater collaboration among defenders. No single nation-state or private company has the full picture of cyberspace threats, and it is only through collaboration and the pooling of resources that a critical mass of data points and evidence can be achieved quickly and with sufficient surety to underwrite the public actions that may result.
Intelligence-sharing partnerships, such as those among NATO countries and the Five Eyes, are critical to confirming the identity of an actor and bolstering the rigorous attribution process that each state undertakes. Indeed, cyber defense in foreign policy can be increasingly characterized as a collective endeavor. Largely in response to cyber operations by China, Russia, North Korea, and Iran, the United States and its allies have increasingly used collaborative attribution to hold these states accountable and as a basis for diplomatic negotiation, economic sanctions, or the deployment of countermeasures. In 2020, the European Union took the unprecedented step of sanctioning China, Russia, and North Korea for previous attacks. In 2018, the United States, the United Kingdom, Canada, Australia, New Zealand, and others collectively attributed the NotPetya ransomware attacks to the Russian military. This kind of unified approach showcases the collective resolve of the international community and sends a strong signal that malicious behavior in cyberspace will not go unnoticed or unpunished. Collective action shares and dilutes the retaliation risk and financial cost that any one state would bear if it were to make such a declaration alone.
Collaboration is by no means limited solely to states. The role of the private sector in cybersecurity is central as the predominant provider of cyber infrastructure and as “first responder” to most incidents, including many that ultimately trigger state action. To that end, the private sector has played an increasingly vital role in cyber attribution. Technology providers and cybersecurity companies have direct access and a scale of visibility to link individual attacks together into a discrete campaign that can be analyzed and then attributed to a single culprit. They are often the first to discover a large-scale campaign—and the first to provide a means to identify the perpetrator. When unveiled, the findings can create political will among the targets and governments to take formal action, including retaliation. Among the first and most notable such findings came from the American cybersecurity company Mandiant, whose APT1 report in 2013 exposed a large-scale cyber campaign by China’s military. The report brought to light an issue—Chinese intellectual property theft—that until then had largely been limited to classified or policy channels, and it also set the tone for the role that the then-nascent cybersecurity industry can play in attribution. Security firms like Novetta, Symantec, CrowdStrike, and others followed suit, helping to steer and focus U.S. and allied attention on emerging threats.
Though the private sector’s role in cyber attribution is essential, it can have real-world consequences when the line between it and governments blurs. Assignment of public blame by a private-sector entity can create implicit agency if governments then shape their positions or act against a foreign government on the basis of that finding. Compounding this challenge are differing norms and perceptions among states on the relationship between government and industry. Put simply, the Chinese or Russian governments’ own close relationship with—or control of—industry may cause them to misread a U.S. company’s attribution as a proxy for U.S. action. In this context, it is imperative that we preserve and safeguard the private sector’s role in ensuring the resilience of our infrastructure and contributing its insight into cyber threats, and avoid making it an active combatant in the deployment of powers reserved to states.
The ongoing conflict in Ukraine has demonstrated that cyber warfare is, and will continue to be, a dimension of state competition and geopolitics, as will cyber attribution. Establishing the intent and identity of the actor matters as much to private companies—which need to tailor defense to the operation at hand—as to states, which may need to mobilize public policy. Though the international community has made progress, attribution must continue to evolve to be more open, collaborative, and fast, built on ever-strengthening networks of information sharing, and bolstered by credible, public evidence.
The complexity of technology and the sophistication with which malicious actors conceal their activity will never trend downward, nor will the consequences of cyberattacks. The stakes will get higher as the attribution problem gets harder. Working together and drawing on our collective strengths across borders and between the public and private sectors is the only way to avoid missteps and set a more sustainable path in cyberspace. As the cybersecurity industry has evolved, emerging collaboration and coordination have been essential and will continue to be ever more so in avoiding incidents or misunderstandings in international affairs.
Chris Inglis served as the first National Cyber Director within the Executive Office of the President from June 2021 to February 2023. In this role, he served as President Biden’s Senior Advisor for Cyber Issues and led the development of the 2023 National Cybersecurity Strategy. Prior to this role, he retired from the Department of Defense in January 2014 after 41 years of federal service, including 28 years at the National Security Agency and seven and a half years as its Deputy Director. Inglis began his career at the NSA as a computer scientist followed by tours in information assurance, policy, time-sensitive operations, and signals intelligence organizations. His military career includes more than 30 years of service in the U.S. Air Force and Air National Guard; he retired as a Brigadier General in 2006 and holds the rating of Command Pilot. After retirement from federal service, Inglis continued to serve in a variety of national security positions, including as a U.S. Naval Academy Looker Distinguished Visiting Professor for Cyber Studies, member of the U.S. Defense Science Board, trustee of the National Intelligence University, Managing Director at Paladin Capital, and Commissioner on the U.S. Cyberspace Solarium Commission.