Whenever a website has issues, we immediately think of hackers – maybe Russians. But how do you understand when a State really is responsible for an attack, and how do you hold it accountable?
"It was Russian hackers!", you hear every time a website stops working. In fact, often there has been no attack at all, only errors in the management of the IT systems involved. In other cases there may indeed have been an attack, but by different perpetrators. But when the attacker really is a state, be it Russia or another, how do you figure it out and hold it accountable? This is the issue of cyber attribution.
Attribution is a pre-existing concept in international law, but cyber attribution poses some new problems. What is the situation in Italy? How does the European Union respond? When is it appropriate to blame an external actor, and how should one react?
Attribution in international law
"Attribution" in international law is the process of identifying the perpetrator of an attack or operation carried out against a state. It is an important concept, also in relation to art. 51 of the United Nations Charter, which recognises that "nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations". Most states in the world (including those of the European Union) agree that existing international law also applies to cyberspace. This would mean that an attack on a state, even if carried out with "cyber weapons" and not with conventional weapons, would imply a right to react. On the issue of countermeasures, however, there is no consensus at the UN level; for example, in June 2017 the Group of Governmental Experts (UN GGE) was not able to report on the issue. The reaction, however, is not necessarily warlike: in this and other cases, "sanctions" are often applied, such as the freezing of accounts, travel bans, etc., or the behaviour deemed unacceptable is simply denounced publicly.
Such a right presupposes, however, that the origin of the attack is identified in a credible way, and the attribution, in order to have value, must be public. Public attribution is necessary not only to provide the legal basis for a reaction, but also to politically convince Parliament, public opinion, allied countries, etc. of the need for it.
It is appropriate to specify "public", because there is also a "classified" attribution, shared for example by security agencies with the government alone, but based on intelligence sources too secret to be shared with allies or with the public (for example because the presence and identity of an agent would be revealed): in these cases, however solid the attribution may be, the possibility of a credible public attribution is limited.
In the following part of the article we delve into the attribution of cyber attacks, but the problems with attribution are not new and are not limited to computer science. In an article on this topic, Thomas Rid and Ben Buchanan of King's College London cite for example the casus belli that led to the First World War, the murder of Archduke Franz Ferdinand in Sarajevo. Austria-Hungary attributed that attack to Serbia and declared war. Was the killer, Gavrilo Princip, really a Serbian agent? The issue is still debated, but the millions of deaths remain.
The attribution of cyber attacks
In debates on the attribution of cyber attacks, there is a widespread belief that the main challenges are technical and mainly related to the difficulty of finding concrete, incontrovertible evidence. Rid and Buchanan contest these beliefs by stating instead that attribution is not a technical problem, but above all a political one – it is what the States do with it. It is not an exact science, but in a certain sense "an art": each case is different and has many nuances; it is a function of what is politically at stake.
Beyond the difficulty of the case, there are also situations in which it is not considered worthwhile to start structured investigations, for example if the perceived damage is limited. And if a case is difficult, a state may decide not to devote time and resources to it.
We need to understand the how, what, who, and why of an attack, but the first step in attributing an attack is to understand that an attack happened at all. Contrary to what one might think, the attacker does not always reveal that they have carried out an attack. Indeed, if the goal is to steal information over an extended period, it will be important not to be identified and not to show that one has access to that data. Attacks are often detected thanks to "indicators of compromise", following anomalous behaviour of the IT systems or periodic checks.
Many attacks do not exploit technological vulnerabilities, but human weaknesses, such as classic phishing emails. The way an attack is made can reveal information about the attacker: if, for example, they use extremely complex tools, they will probably be a state actor; the times of the attacks can indicate the attacker's time zone, the words used their language, and a mistake can of course be fatal.
Sometimes the geopolitical context of an attack can immediately lead to suspicions, but this is probably an exception. Understanding the motivation for the attack is difficult, but it is an important part of the attribution process, which is therefore not merely technical.
If the tools have been used previously for other attacks, the perpetrator may be the same. Some recurring attackers are called advanced persistent threat (APT), particularly sophisticated groups believed to be acting on behalf of a state or directly emanating from it. These groups are assigned, usually by cybersecurity companies, names – naturally unofficial – such as APT1 (a Chinese group), Equation Group (USA), and Fancy Bear (Russia).
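The time-zone and tool-reuse signals described in the paragraphs above, as an added example that is not part of the article: every timestamp, indicator and group name in it is constructed, and the `rank_utc_offsets` and `overlap_with_known_groups` functions are my own illustration, not any analyst's or vendor's tooling. The first part scores candidate UTC offsets by how much of the intruder's activity falls inside a local working week; the second counts overlaps with indicator sets previously tied to (hypothetical) groups, including a deliberately shared tool to show why overlap alone is ambiguous.

```python
"""
Added example, not from the article: two of the attribution signals the text
names, applied to constructed data. All timestamps, indicators and group
labels below are invented for illustration.

1. Working-hours inference: for each candidate UTC offset, measure what share
   of the intruder's activity falls on a weekday between 09:00 and 18:00
   local time. The offset with the best fit hints at the operator's time zone.
2. Tooling overlap: count which of the incident's indicators also appear in
   indicator sets previously associated with known groups.

Both are heuristics that narrow an analyst's hypotheses; neither attributes
an attack on its own.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # local hours counted as a working day

# Constructed sample: UTC login times of an intruder, as a defender might pull
# them from authentication logs. One Saturday-night entry is an outlier.
SAMPLE_ACTIVITY_UTC = [
    "2020-03-02T06:05:00", "2020-03-02T10:40:00",  # Monday
    "2020-03-03T07:20:00", "2020-03-03T14:50:00",  # Tuesday
    "2020-03-04T06:30:00", "2020-03-04T12:10:00",  # Wednesday
    "2020-03-05T09:00:00", "2020-03-05T14:15:00",  # Thursday
    "2020-03-06T08:45:00", "2020-03-06T13:30:00",  # Friday
    "2020-03-07T02:00:00",                         # Saturday (outlier)
    "2020-03-09T06:55:00", "2020-03-10T14:05:00",  # following week
]


def parse_utc(stamps):
    """Turn ISO-8601 strings (no zone suffix) into aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def working_hours_fit(events_utc, offset_hours):
    """Share of events that land on a weekday inside working hours at this offset."""
    local_zone = timezone(timedelta(hours=offset_hours))
    inside = 0
    for event in events_utc:
        local = event.astimezone(local_zone)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            inside += 1
    return inside / len(events_utc)


def rank_utc_offsets(events_utc, offsets=range(-12, 15)):
    """(offset, fit) pairs, best fit first; ties broken towards the offset nearest UTC.

    Offsets are fixed whole hours: real analysis must allow for half-hour zones,
    daylight-saving changes and operators who deliberately shift their schedule.
    """
    scored = [(off, working_hours_fit(events_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


# Constructed indicator sets for hypothetical groups. The shared dropper shows
# why tool overlap is ambiguous: tools are sold, leaked and reused.
KNOWN_GROUP_INDICATORS = {
    "GROUP-A (hypothetical)": {"tool:dropper-x", "c2:a.example.invalid", "hash:aaaa1111"},
    "GROUP-B (hypothetical)": {"tool:dropper-x", "c2:b.example.invalid", "hash:bbbb2222"},
}


def overlap_with_known_groups(incident_indicators, known=KNOWN_GROUP_INDICATORS):
    """For each known group: number of shared indicators and which ones they are."""
    return {
        group: (len(incident_indicators & indicators), sorted(incident_indicators & indicators))
        for group, indicators in known.items()
    }


if __name__ == "__main__":
    events = parse_utc(SAMPLE_ACTIVITY_UTC)
    best_offset, best_fit = rank_utc_offsets(events)[0]
    print(f"best-fitting zone: UTC{best_offset:+d} ({best_fit:.0%} of activity in working hours)")
    incident = {"tool:dropper-x", "c2:b.example.invalid", "hash:cccc3333"}
    for group, (count, shared) in overlap_with_known_groups(incident).items():
        print(f"{group}: {count} shared indicator(s) {shared}")
```

On the constructed sample, UTC+3 is the only offset under which twelve of the thirteen events fall in a working week; the neighbouring offsets drop to nine. The overlap table deliberately gives both hypothetical groups a hit on the shared dropper, so only the command-and-control indicator separates them, which is the kind of nuance the article has in mind when it says tool reuse makes the same perpetrator merely plausible, not proven.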
Rid and Buchanan emphasise that communicating the attribution is part of the attribution itself, a fundamental element to be regarded as a goal in its own right. Given the risk of revealing their sources and methods, agencies often tend to err on the side of caution. However, there are at least some good reasons to give more details: to increase the credibility of the message and the messenger, to improve the attribution itself, and to allow a better collective defense. In this context there is also a role for private companies: as early as 2016 Herbert Lin, of Stanford University, wrote that in recent years their role had grown, and the US Department of Defense itself acknowledged that public denunciations by private actors also played a role in deterrence. However, it is important to stress that the final decision on attribution is always political, and is influenced by political considerations, not only by technical ones.
What Italy and the European Union do
Every year the Italian secret services update the Parliament, and the country, with respect to cybersecurity: the 2019 Italian national security document was published in 2020 together with the Report on information policy for security. Among other things reported, there is an increase in "unidentified attacks".
Of course, Italy is not the only European country to have suffered attacks. Attacks on Estonia during a clash with Russia over the displacement of a Soviet-era statue in Tallinn made a sensation in 2007. Although attribution is the responsibility of individual member countries, the European Union is attempting to give unitary answers, in particular with the Cyber Diplomacy Toolbox (CDT) – a framework for a unified EU diplomatic response to cyber attacks, adopted in June 2017. A few months later, some implementation guidelines were adopted. Some measures envisaged by the CDT require attribution as a prerequisite for their application, and "cyber penalties" are also envisaged.
According to Paul Ivan, Senior Policy Analyst in the Europe in the World Programme, member states and EU institutions should, among other things, do more to develop common threat assessments and a common culture of attribution of cyber attacks.
Russia and the usual suspects
Russia has been repeatedly accused of cyber attacks in recent years, but in fact, note Sven Herpig and Thomas Reinhold (in a contribution to an edition of the Chaillot Papers entirely dedicated to Russian cyber strategies), only in a few cases was there credible public attribution.
One was in 2018, when the United Kingdom, Denmark, the United States, and Australia publicly attributed to the Russian government the cyber attack "NotPetya", which hit the whole world, starting with Ukraine. Canada instead attributed the attack to "actors in Russia". Other countries made statements of support. Paul Ivan points out that although several EU member states were involved and the Cyber Diplomacy Toolbox had already been adopted, the EU failed to agree on a common attribution.
Another notable case involved the attack on the Organisation for the Prohibition of Chemical Weapons (OPCW), condemned by the European Council, again in 2018. The member states did not explicitly refer to Russia, but European Council President Tusk, Commission President Juncker, and High Representative for Foreign Affairs and Security Policy Mogherini did.
But apart from these cases, in which the lack of unanimity does not help, blaming Russia without really being able to demonstrate its responsibility risks being counterproductive: it cannot convince public opinion and the international community, and at the same time (perhaps paradoxically) it still contributes to strengthening the country's image as a power.
This publication has been produced within the project ESVEI, supported in part by a grant from the Foundation Open Society Institute in cooperation with the OSIFE of the Open Society Foundations. The contents of this publication are the sole responsibility of Osservatorio Balcani e Caucaso Transeuropa.