Cyber Attribution: technical and legal approaches and challenges
By Lukas Bundonis
The Center for International Law and Governance at the Fletcher School of Law and Diplomacy hosted a conference on cybersecurity and the law on September 14 and 15. Following is a review of one of the panels held during the conference.
The draft paper for this session can be viewed here.
In the world of cybersecurity, the attribution of cyberattacks and other related malfeasance to specific threat actors is a daunting task. The forensics involved in elucidating, let alone validating a specific malware signature are bad enough. The competition between security researchers to boost their credentials with a successful attribution is even worse. However, attribution remains a key component of both the successful defense of critical networks and the legal prosecution of would-be attackers. This dilemma begs a simple, but painful question: how can we make attribution better?
The Center for International Law and Governance’s September 14th conference on cybersecurity convened one of its six expert panels to answer this question. For this panel, Dr. Jeffery Taliaferro, an associate professor of political science at Tufts, offered commentary on a draft paper by Dr. Nicholas Tsagourias of Sheffield University and Dr. Michael Farrell of Georgia Tech. Arun M. Sukumar, a security expert from the Observer Research Foundation, moderated.
The paper, titled in its working state as Cyber Attribution: technical and legal approaches and challenges, argues that international organizations need sharper teeth if they are to pursue successful attribution. If this goal cannot be realized under the auspices of the current system, new frameworks and/or a new governing body must be created. To focus the discussion, Mr. M. Sukumar divided the presentation in two, tasking Dr. Tsagourias with expanding on the legal thrust of the paper first. Dr. Farrell followed with a technical perspective.
While Dr. Tsagourias acknowledged that attribution is difficult by nature, he contended that international organizations can address specific associated challenges if given the tools to do so. One such challenge is the lack of technical expertise among legal bodies like the International Criminal Court. If the evidence for a given attribution is highly technical or relies on subtleties that a non-technical professional might not easily understand, it creates a disconnect between the forensic analysts attempting to make a case and the attorneys attempting to prosecute it. However, the principle challenge he examined was the enormous burden of proof which rests more generally on attributors. Threat actors, with specific homage to those sponsored by nation-states, need not make a significant effort to maintain plausible deniability. Investigators must often tip the proverbial scales so heavily against these nation-states that there is no choice but to void that deniability.
Dr. Farrell’s presentation reinforced this point. He opened with a focus on the lifecycle of a cyberattack, displaying visuals to illustrate how an attacker gains, maintains, and either willingly terminates or unwillingly loses access to a target system. This process, known colloquially as the cyber kill chain, demonstrates that there are multiple points at which attackers can move laterally to evade detection by network defenders. However, it also demonstrates that if defenders are given the correct tools and training, there are also multiple points at which they can successfully purge would-be attackers. Every time an attacker scans or establishes a point of attack, they leave what Dr. Farrell calls “digital exhaust,” a kind of footprint that may allow investigators to unmask the intrusion.
Dr. Taliaferro unified these presentations with a few incisive remarks. The concern that attackers are too difficult to identify and the challenge of international legal bodies to staff themselves with a corresponding number of technical experts resolves to an overarching problem of justice. In attribution cases, the application of justice may unfold over such a long timeframe that the threat of punishment would be so non-threatening as to never raise concern in the belligerent actor. States can and have argued that even groups directly linked to their government are independent actors with a patriotic flair. Given these challenges, only time will tell whether the draft paper’s central thesis represents an achievable goal or an ideal that fails to stretch beyond the realm of academic consideration.