Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic; the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Increasing attention is given to the issue of attribution in cyberspace
In the relatively short history of attribution of cyber-attacks, states have used different paths. While many initiatives hardly ever see daylight and are hidden from the scrutiny of public opinion, some states have also opted for more public forms of attribution through indictments under criminal law and political attributions – albeit with a very limited reference to international law and norms that have been violated.
Attribution can be broadly defined as the process of assigning responsibility for a (malicious) cyber activity to a specific actor on the basis of the available evidence, including all-source intelligence, forensic investigation, and taking into account the political context. Given the sensitive nature of such evidence and the implications that a decision about attribution might have on bilateral relations between the accuser and the accused, states maintain their exclusive right to attribute (or not) a cyber operation based on their own methods, procedures and political interests.
Attribution strengthens the ability of an actor to identify those responsible for malicious activities in cyberspace and potentially hold them accountable. The capacity of a state to attribute is a key element in curtailing impunity in cyberspace and ensuring justice for the victims. But attribution is not a silver bullet and should not be an aim in itself. A decision to attribute a cyber operation to another actor should be strictly linked to a broader policy objective(s) that a state or a group of states wishes to achieve. Depending on the overall goal, the process of attribution embodies several concrete choices and dilemmas concerning the level of certainty for arriving at such decision, the quality of the evidentiary standards, or the concrete instruments available to a state in response to such malicious activities, ranging from issuing a statement to criminal prosecution or imposing restrictive measures.
The process leading to attribution is often lengthy and encompasses several stages with clearly identified thresholds:
• Suspicion: any malicious cyber operation that is discovered leads automatically to the question ‘who did it?’ and ensuing speculations about potential perpetrators. This is how an actor – state or non-state – becomes a suspect. The notions of ‘suspicion’ and ‘suspect’, however, have different implications across disciplines. Whereas in criminal law suspicion has to be substantiated by an investigation (i.e. collecting and assessing the evidence) and follow well-established doctrines (e.g. the presumption of innocence until proven guilty), such strict rules are not always applied in international politics where suspicion could rest on solid (albeit sometimes covert) evidence but also on a hunch and personal convictions. The substantiation of suspicion also plays a role in whether or not states decide to act upon their suspicion.
• Accusation: the shift from suspicion to accusation is the step that has attracted most attention, both in legal and in policy terms. When and on what basis does an actor decide to accuse another actor of a malicious activity – executed or planned – in cyberspace? Contrary to suspicion, an accusation is likely to bring about more scrutiny on both the accuser and accused. While accusation and attribution are frequently treated as the same, we make a clear distinction between these two processes whereby attribution is a step that may lead to accusation. This distinction is important to make. While victims of a cyber-attack (that are technologically capable of doing so) will often go through the process to come to an attribution of an attack – if only to improve their own defence mechanisms in the future – not all victims will decide to (publicly) accuse another state.2 In our view, therefore, most of the discussions about public attribution are de facto discussions about accusations by one actor against another. Especially public attribution opens up the discussion about the quality and transparency of the evidence leading to the accusation.
• Consequences: there is a general expectation that accusation leads to concrete actions and responses aimed at enforcing international or national law, often in the form of retorsion, countermeasures, or other types of sanctions foreseen in the (inter)national legal order. Such an approach is very reductionist and ignores other potential benefits that an accusation can bring, such as the right to respond and the obligation to assist in solving the problem. For instance, the attribution of an attack to the territory of a state gives the victim state the right to request assistance or compensation from that state. It is not unreasonable to expect that such a request should be responded to in good faith and in the spirit of cooperation between states. Should such efforts fail and malicious intent of the other state become clearer, potential punishment could ensue. The debate about consequences is also the one where evidentiary standards matter most as it raises the issues of the legality, legitimacy and proportionality of the response.
Exploring the different approaches to attribution from an international law, a criminal law and a policy perspective, The Hague Program for Cyber Norms and EU Cyber Direct convened 20 international experts in a workshop in The Hague on 24 May 2019. The participating experts were from Europe, Asia, North and South America and had a background in international law, criminal law or policy. This policy brief includes ideas and opinions expressed during this workshop.
2020 Policy brief Three tales of attribution in cyberspace: Criminal law, international law and policy debates
Interacting with all these stages is the fact of disclosure or revelation. Disclosure can be part of the attribution process as a deliberate decision by the wronged state, but it can also be external: other actors like cyber security companies, private companies under attack, and other states can also disclose the fact that an attack is occurring or has occurred. In some cases it can even be the attacking state that reveals the attacks, often through proxies. The timing of disclosure also affects the options of the wronged state: a disclosure may compel a state to act – even though it perhaps preferred not to. In short: disclosure can be the result of an attribution process or it can externally interact with it.
In the relatively short history of attribution of cyber-attacks, states have used different paths (see Figure 1). While many initiatives hardly ever see daylight and are hidden from the scrutiny of public opinion, some states have also opted for more public forms of attribution through indictments under criminal law and political attributions – albeit with a very limited reference to international law and norms that have been violated. These different legal and political tales however all have their own internal logic and rules. The following sections of this paper aim to shed some light on how these different stages of the attribution process are addressed in the areas of criminal law, international law, and international policy.
2 For an analysis of why states do or do not make attribution public or overt see: Gil Baram and Udi Sommer. (2019). “Covert or not Covert: National Strategies During Cyber Conflict”, pp. 197-212 in: T. Minarik, S. Alatalu, S. Biondi, M. Signoretti, I. Toolga and G. Visky (eds.) 11th International Conference on Cyber Conflict: Silent Battle. Tallinn: CCDCOE.
Fig. 1: Attribution of cyber operations: Four cases
The data used to create this visual can be found in the annex on pages 15-18.
Even though the focus of this paper is on the legal, criminal and policy dimensions of attribution, this graphic demonstrates the involvement of other actors and tools used to name suspected perpetrators. The cases suggest an increasing willingness of states to call out state sponsored cyber operations.
[Figure 1 is not reproduced here. It is a timeline running from 2012 to 2020.]
Legend, stage: Discovery, Reaction, Investigation, Attribution, Admission.
Legend, type of attribution: civil society, criminal, diplomatic, intel, judicial, media, political, technical, none.
Cases, with the date shown for each (labelled "start of operation" in the figure):
• Belgacom: 2010-12-01
• DNC hack: 2015-07-01
• NotPetya: 2017-06-01
• Georgia 2019: 2019-10-01
Annotations in the figure:
• Despite extensive political, judicial and media investigations, despite the evidence pointing to the GCHQ, this attack has never been attributed.
• The hack on DNC has resulted in the most comprehensive set of responses by the United States but limited international reaction.
• The report by Belgian prosecutors believed to support allegations made by Edward Snowden in 2014.
• Special Counsel Robert Mueller’s report on the Investigation into Russian Interference in the 2016 Presidential Election
• NotPetya - and its predecessor WannaCry - was a wake-up call for the international community. Given the economic impact and adverse societal effects, NotPetya has triggered a series of coordinated attributions.
• Attacks against Georgia have seen an unprecedented pace of attributions and diplomatic responses to date.
• Russia rejects unsubstantiated and politically motivated accusations.
• For the first time in history cyber attacks are discussed at the UN Security Council on the initiative of Estonia, the UK and the US.
A tale of criminal law
Criminal punishment is considered to be the harshest intrusion into the personal rights of an individual by the state. Coercive measures and sentences, ranging from capital punishment and the deprivation of freedom to the seizing of objects, have a substantial impact on a person’s life. For that reason the use of criminal law as a reaction to an unlawful act is curbed in two strongly related ways: a) by means of the basic principle that criminal law should be an ultima ratio and b) by building in safeguards protecting the individual(s) involved and ensuring the integrity of the criminal process. These restrictions apply to the use of criminal law in general. We here highlight both the general use of criminal law and the specifics of relying on criminal law for the purpose of attributing unlawful cyber-incidents to a malicious actor. It is essential to first emphasize that a state as such cannot be criminally indicted, so the use of criminal law for the attribution of cyber incidents is exclusively related to acts carried out by individuals, which can be non-state, state-sponsored or even directly employed by a state.
a) Criminal punishment should be used only as an ultima ratio or as the last resort: a mechanism that due to its profound impact is activated only when other – less intrusive – mechanisms are inadequate or disappoint. The ultima ratio principle is traced back to the rule of law and the monopoly on the legitimate use of force that lies in the hands of the state. The state is the only actor that can exercise coercive measures and punishment upon its citizens in reaction to unlawful behaviour, although it can delegate some of it to the private sector as has happened for example with botnet takedowns where the state coordinated with the private sector.3 At the same time, no one is above the law so the way in which coercive measures are conducted by state authorities is restricted by built-in safeguards.
b) The rule of law protects the individual against arbitrariness by state authorities from the start of a criminal investigation (even before the individual is informed), throughout the prosecution phase and up to the moment of sentencing. This includes the (cross-border) gathering of evidence, the standard of proof, the admissibility of evidence, fair trial rights and extradition. These rules and principles make up the integrity of the criminal proceedings and are used here to contextualize criminal attribution for cyber incidents.
Attribution of a criminal act to an individual – although this terminology is hardly used in the national criminal law context – is preferably done at an early moment, with the ultimate goal of discovering who is responsible and which individual(s) should be prosecuted. Identifying a first suspect could be called an investigative hypothesis for attribution. This is done at the start of the search for evidence with the purpose of making the search targeted; but attribution is also the process of finding proof to confirm the first suspicion. Attribution at the start of the search for evidence is necessary due to the protection of the individual by a set of fair trial rights laid down in the basic human rights instruments such as the European Convention of Human Rights and the EU Charter for Fundamental Rights and Freedoms. The moment of activation of the fair trial rights is the moment of the criminal charge. In other words, from the moment an individual is informed of the criminal charge against him, he can rely on a set of rights safeguarding his position such as the presumption of innocence, the right of access to an independent and impartial tribunal and the rights of defence. These rights continue to protect the individual for the full length of the criminal proceedings until a decision is made by a final judgment. The level of certainty a court should base a judgment on is – due to the mentioned intrusion level of a criminal sentence and the impact it has on an individual’s life – high. Most Anglo-Saxon criminal justice systems work with the “beyond a reasonable doubt” threshold, whereas most continental criminal justice systems maintain the “intime conviction” or the reasonable certainty of the judge. The evidence gathered should thus convince the judge or court with reasonable certainty that the individual has committed the criminal act in question. For a criminal attribution the evidence should thus be strong and public. Yet the gathering of evidence for the purpose of a criminal investigation is strongly linked to the availability of national resources and is almost exclusively governed by national laws. The conditions for obtaining evidence, the admissibility of evidence and the excluding of evidence are all governed by national law. This can be explained by the close connection between a state’s (historical, political, cultural, religious, etc.) identity and its criminal justice system. It may therefore result in differences between states in when or how they criminally indict for a similar – or even the same – cyber-incident.
3 Benoit Dupont. (2017). “Bots, cops, and corporations: on the limits of enforcement and the promise of polycentric regulation as a way to control large-scale cybercrime”. Crime, Law and Social Change, 67 (1): pp. 97-116.
Once evidence is available and admissible, attribution or criminal indictment is unproblematic. The difficulties lie in gathering the evidence in a cross-border – or in the case of a cyber-incident: a global – setting. Traditionally, for the majority of states worldwide the mechanism of mutual legal assistance is established for this purpose, whereas for the EU member states the mechanism of mutual recognition is the primary mode of cooperation. However, in the context of cyber-incidents much of the evidence will be of a digital nature. The mentioned cooperation mechanisms are not necessarily adequate for the reliance on digital evidence. They lack swiftness in exchanging evidence and are dependent on trust between states. Trust between states is challenging enough when a traditional type of cross-border crime is concerned; it will be an even higher hurdle when relations between states are contentious as is usually the case with cyber-attacks where states are prepared to escalate to the level of a (public) attribution. Although efforts are made to improve this situation – for example the European Commission’s e-evidence proposals4 regulating the obtaining of digital evidence from service providers within EU member states and in third states – focus should be on trying to improve the means and cooperation mechanisms between states on collecting reliable evidence. It should be noted that trust makes the exchange of evidence easier, but attribution tends to come into play when there is a lack of trust.
Accusation in the context of criminal law may also lead to the “instrumentalisation” of criminal law for political purposes. For example, the FBI indictments under criminal law pinpoint individuals – and not ‘states’ – and require evidence that has to stand up in a court of law. Obviously, indictments of individual members of the PLA or the GRU implicate the Chinese and the Russian state respectively and clearly signal political discontent with state behaviour. That may actually be their main purpose, but therein also lies a problem. The use of indictments and criminal law – a trend exemplified by the approach of the United States – should be a goal in itself in terms of law enforcement, instead of instrumentalising criminal law into the service of foreign policy goals. This may happen in cases where a state does not extradite nationals or where no extradition treaty exists between the two states involved. When grounds for refusal of extradition are known in advance or could reasonably be expected, such practice seems to be an intended misuse of criminal attribution. Major actors in international cyber operations such as China, Russia and France have laws in place that forbid the extradition of their own citizens; many other countries as a rule also do not do so in practice. Moreover, when political tensions or human rights concerns stand in the way of extradition to the state that indicted them and the prosecution can therefore never take place, the criminal attribution becomes nearly futile. The purpose of such attribution is not criminal punishment but seems to be political. Additionally, the judicial review of the collected evidence is missing. The instrumentalisation of criminal law is therefore diametrically opposed to the principle of ultima ratio and to the protective mechanisms explained above.
4 Council of the European Union. (2019). “Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters – general approach”. 10206/19, 11 June 2019.