A recent article raised an important acknowledgement in the world of global, state-driven cyber attacks: “the hacker blame game isn’t working anymore.” The article maintains, and rightfully so, that tying governments to cyber attacks has traditionally been a tool states use not only to bring attention to a particularly egregious cyber attack, but also to make offending states think twice about executing them in the future. Per the article, the United States has been at the forefront of “naming and shaming” alleged state-sponsored cyber activities from China, Iran, North Korea, and Russia, using it as a tool to deter cyber attacks. However, this tactic has not proven to be as successful as first hoped, with the article citing recent Iranian cyber attacks on the U.S. elections, Chinese “Volt Typhoon” activity, and prolific Russian ransomware gang crimes as evidence of continued adversarial cyber malfeasance. In short, the message is clear: attribution lacks the punch it once had.
This is something that prominent cyber thinker James Lewis acknowledged in the article, saying, “You know it’s them, and they know you’re not going to do anything, so it really doesn’t have any effect.” And while this revelation is bearing out to be the case, it begs the question of whether attribution was ever a real tool that states could use to effect change. Critics of this line of thought are quick to point out how the September 2015 summit between then-President Obama and Xi Jinping at least temporarily achieved that very objective. That agreement between the two governments stipulated that neither would engage in economic cyber espionage with the intent of providing competitive advantages to their respective companies or commercial sectors. This was largely viewed as a huge accomplishment, given that at this point China was already widely perceived as the leading pervasive cyber threat for stealing sensitive information and intellectual property. China even signed similar deals in November 2015 with G20 nations, suggesting a positive change was occurring.
For a brief period, direct diplomatic confrontation seemed to be a watershed moment. Indeed, one U.S. cybersecurity vendor claimed that China-linked cyber activity decreased between September 2015 and June 2016, not only against the United States but against other foreign countries as well, per the vendor’s findings. But any gains were short-lived, as China quickly resumed the volume and scope of its proficient cyber espionage, finding immense return in the information it stole, as well as gaining footholds in high-value networks for further exploitation or other objectives. A different U.S. cybersecurity vendor maintained that China was still conducting cyber espionage even after the Obama-Xi summit. Government accusations of Chinese cyber espionage generated international publicity, private sector vendor reports echoed U.S. government intelligence language attributing cyber activity to China, and the United States charged Chinese military state actors with hacking; none of it achieved the goal of deterrence.
This may partially explain why the United States has, in some instances, taken time to call out states. In 2016 and 2021, Obama and Biden respectively took several months before publicly blaming Russia and China for orchestrating cyber espionage activities against the Democratic National Committee and Microsoft Exchange servers. While improved tools and methodologies for attribution no doubt played a role in achieving higher confidence in identifying the states involved, it does beg the question of whether the United States was hesitant because it wasn’t sure what could be achieved by doing so if it didn’t already have an objective in mind. With these two leading cyber powers tied to several instances of offensive cyber operations, deterrence was clearly not a realistic outcome.
So, what is attribution good for? The article suggests that it helps get nations on board that may be suffering similar attacks from offending states. The idea is that by forming these makeshift coalitions, economic and diplomatic pressure can be applied. This makes sense, but there is little evidence showing that this has been an effective strategy. Sanctions may be a go-to punitive response to state infractions but have proven to have limited value in deterring activity. And if sanctions are imposed to inflict economic consequences for cyber infractions, when viewing some of the biggest state actors involved in cyber malfeasance (e.g., China, Iran, North Korea, Russia), there is no indication that they have succeeded.
But there’s another angle where attribution plays a factor – active defense. This principle has been adopted by the United States and gives it justification to conduct offensive cyber operations in advance of impending threats, the criteria for which have never been completely defined.
The same holds true for attribution and the threshold it must meet to warrant an offensive attack on a network in a foreign sovereign country. Even after a successful “hunt forward” mission, very little is shared with the public as to the nature of the threat, and what the impact could have been had it succeeded. Presumably, some of the 20+ hunt forward missions that have occurred were against state-affiliated actors, so why not make them public after the mission was completed? That would seem an ideal time to “name and shame,” sharing with the international community the details of the intended attack, who was a part of it, and how they were going to do it.
Attribution has also played a role in joint government agency advisories that share threat information with the public sector. This has been positive, tying suspected activities to states and educating the private sector on their tools and tactics. In fact, there have been increasing discussions about strengthening the private and public sector partnership, including intelligence agencies, on all things cyber. On paper, this seems good – even logical – as the assumption is that the government will more readily and expeditiously share information that can be leveraged and used in a timely manner. Proactive and prepared cybersecurity can in and of itself be a form of deterrence. However, the government has traditionally been stingy about sharing this type of information. After all, even the 2023 report of the Office of the Inspector General of the Intelligence Community reaffirmed that over-classification, an over-abundance of data, and human and technological resource constraints have all hampered the ability to share threat data with the private sector. How this will change remains to be seen, as does what it will look like and whether it will offer the private sector more bang for the buck.
It also raises serious concerns that the continued intertwining of intelligence agencies into the private sector under the veil of sharing could be abused to expand and increase surveillance, exploitation, and data collection, further putting civil liberties at risk. After all, the government has a history of taking advantage of such relationships to willingly abuse civil rights and data privacy in support of its objectives. There is little talk about what will be done to ensure that these abuses won’t happen, or at least what kind of system can be put in place to monitor for misdeeds, with the authority to hold offending individuals and organizations accountable. Let’s hope that information sharing is not used as a diversion for other purposes.
Nevertheless, the problem of how to deter an adversary in cyberspace will remain for as long as the environment favors attackers, as there has been little consequence – whether political, economic, or even in the form of counter-cyberattacks – to influence a change in their behavior. Even the attacks that have been notable (e.g., Stuxnet, BlackEnergy, the Shamoon wiper) have not produced a cyber retaliation suitable to compel states to stop or alter what they’re doing. Unfortunately, today’s reality is that blaming a government for cyber malfeasance is as useless as blaming it for human rights violations, or any other infraction that brings states together to point fingers. States get called out, the public knows, some sanctions may or may not be imposed, but nothing changes.
And that seems to be where we are. There is nothing to compel deterrence, so states embrace the offensive knowing full well that they won’t receive a response severe enough to compel them to do otherwise. Even coalitions that form to counter state cyber threats may weaken depending on what kind of political, economic, security, or other trade-offs an offending state can offer coalition members. Maximizing a state’s cyber capability via cyber weapons development; creating and leveraging advanced technologies; fostering close relationships with tech, Internet, and key private sector stakeholders; influencing Internet governance and standards; or some combination thereof are the very things that will give a state the edge it wants over its competitors and adversaries. States may try to package their justifications for pursuing this course of action any way they want, but their motivations are more alike than not.
Because it’s the same present inside, even if the wrapping paper is different.