By: Yahli Shereshevsky, Michael Schapira and Nimrod Karin
What more could be said or done about the problem of cyber-attribution? Arguably, we are fully aware of the international community’s effective inability to assign state responsibility for malicious cyber-operations that violate international law. We also know perfectly well why that is so: lacking and lagging legal frameworks; intricate factual inquiries, demanding as well as constrained; and deep-seated institutional deficiencies on the inter-governmental level. The problem of attribution isn’t at all new, to be sure, nor is it confined to the present context, but it’s greatly exacerbated by key features of cyberspace as a domain of international conduct and relations, which enable state and non-state actors alike to operate with exceptional secrecy and enduring deniability.
Hence, while no state is likely to contest the problem’s very existence, neither should we expect any state to concede this problem strictly concerns her. Western governments would thus claim that only bad actors – from rogue governments and their proxies to individual black-hats – strive to evade responsibility for their cyber-activities, since only such actors and activities breach the law, deliberately and with malice. Said governments would also disclaim having any practical difficulties with identifying perpetrators and sponsors of cyber-operations directed against them for purposes of protecting national cyber-security, thanks to their respective and combined intelligence capabilities, both online and offline. Conversely, all supposedly bad actors would first disclaim any cyber-wrongdoing on their part, and then claim that Western governments conveniently hide behind classified evidence to make false accusations that suit their strategic and political interests. This, however, should presumably render all such actors committed to finding a genuine and robust solution to the problem of attribution, which they are certainly not. Then again, Western governments are no more forthcoming in this respect, whereby they ostensibly undermine fundamental rule-of-law and democratic values, as well as compromise their long-term interests in global peace and stability.
The foregoing three factors underlying the problem (missing norms, intricate inquiries, and ineffective institutions) might suggest a neat division of labor in attempting to solve it, between legal scholars, computer scientists, and policy experts. In fact, nothing of the sort applies: the relevant areas of law, technology, and policy constitute interlocking aspects of addressing each factor, and the factors themselves are closely interrelated. Still, neither the underlying factors nor their crosscutting aspects are inextricable. The ultimate solution must be fully integrative, but in attempting to get there one can and should disentangle them: it is impossible to tackle everything at once, so one must start somewhere.
General description and composition of i-SCAPE: “lampposts” and “observatories”:
Lampposts: an expanding array of sensors, initially mounted on public cyber-infrastructure and similar strategic intersections, later deployed via individual users (mobile app, browser add-on, IoT feature). Basically, these are one-way peepholes into global web traffic, each shedding light on a limited area: they scan cyberspace for certain indicators of malicious operations, collect publicly available information on demand regarding specific incidents, and relay sightings to an observatory and evidence to cloud-based storage.
Observatories: control and processing terminals, initially one, with more added if needed for redundancy or to increase capacity. They issue scanning and collection instructions to lampposts, manage stored data, interface with any external sources of information, and conduct analysis and assessments in response to specific queries or according to presets. Ultimately, where possible, they produce attribution claims in concrete cases.
Basic tasks and operation – detect, diagnose, designate:
Detect malicious cyber-operations as soon as possible, preferably in real time or even during preparatory stages. To this end, first identify suspect activities or events, based on indicators of anomalous traffic; then distinguish between malfunctions and malice-type events, based on the probable reasons for the observed irregularities.
Diagnose detected cyber-operations, where appropriate, as prima facie violations of international law, in general or with respect to certain states. To this end, collect basic forensic evidence regarding the target, intended and actual effects, technology used (including exploits), duration, and routing. Next, conduct a preliminary analysis in order to pinpoint geographical origins and sketch a tentative technological profile of the perpetrator and accomplices, e.g., could this operation have been carried out without state support or awareness?
Designate the presumed violation as a potential attribution claim vis-à-vis specific states, if and when warranted. To this end, construct a reasoned account that addresses possible counterclaims and discloses remaining gaps and doubts. In more advanced stages, seek to supplement internal evidence with external information sources, from publicly available news reports to parallel investigations by partnering cyber-security firms, and adjust the account accordingly. Lastly, estimate the potency of possible claims according to their type and other relevant circumstances.