Towards a(nother) new model of attribution

Stewart K. Bertram | 21 July 2016

Actor attribution is a common issue and activity within the world of cybersecurity. At its core, the actor attribution process involves identifying the individual behind a malicious cyber event. This identification subsequently adds context to the event itself, with factors such as the nationality of the hacker, and the degree to which a sponsoring nation state is complicit in their actions, being estimated.

Evidence of culpability at a level that would be acceptable in a court of law is obviously the ‘A grade’ standard for actor attribution. Unfortunately, in the case of cyber threats, this fidelity of data is rarely available. This forces a reliance on intelligence for attribution that, in turn, makes the whole process extremely problematic. The result is that debates over specific incidents, such as the 2015 Sony hack, typically degenerate into circular arguments that amount to little more than tit-for-tat claims and counter-claims, leading to an ultimately unsatisfying end to the debate.

While conducting my own research into the attribution of cyber proxy forces to a nation state, I was struck by the possibility of a new way of assigning responsibility for malicious activity to a nation state or group actor, one that relies less on technical indicators and more on international norms of behavior and a reconceptualization of cyber sovereignty. In short: a model that can be applied where evidence is weak, or where there are known gaps in our information and collection.

Let’s take the example of the Syrian Electronic Army (SEA), a group that has maintained a web presence in the form of htt[x]://www.syrian-es[.]com/ since 5 May 2011 and has used the multiple iterations of the site to promote its hacking actions ever since. The syrian-es[.]com site sits within an IP range run by SCS-NET, the arm of the Syrian Computer Society, which is itself an arm of the regime tasked with Internet service provision in Syria. Given the media visibility of the SEA and the length of their campaign, is it really feasible that the Assad regime is unaware of this group? I would assume that the Assad regime is aware of the SEA, and I would propose that the regime is effectively complicit with (and hence responsible for) the SEA’s activities because of its inaction, whether that inaction stems from ignorance or from deliberate choice. I am, effectively, analogising the relationship between the SEA and the Assad regime with the culpability of a nation state that allows its territory to be used for criminal activity.

Within the above statement there are three dimensions that underpin the analysis:

  1. A reclassification of IP ranges and country specific domain names as the sovereign territory of a nation state;
  2. Responsibility being increasingly bestowed on a nation state, based on the length of time a campaign is active;
  3. The level of media awareness that a group creates.

If this were to be expressed as a graph, it might look something like the one below.

Attribution Graph 

The second factor (duration of campaign) and the third (media exposure) are particularly important within this framework, because any marginally skilled hacker could enter a geographical IP space such as North Korea, compromise a computer and then run their operations from that location, thereby falsely attributing a series of events to an innocent nation. Taking media exposure and duration of campaign into account mitigates this risk: a brief, low-profile operation run from compromised infrastructure should not, on its own, transfer responsibility to the host state.

I believe that this article is an important step in rethinking how we consider attribution, incorporating both ‘soft’ factors, such as media exposure, and geopolitical factors, with an underpinning of strategic logic and international norms. Possibly the core shift that this method would precipitate is a transfer of responsibility on the part of the nation state: from an exclusive focus on stopping its own citizens from conducting malicious actions in cyberspace, to preventing its sovereign territory from being used for malicious purposes.