State actors abuse the ability to cyberattack anonymously or through proxies, which allows them to evade the consequences and avoid retaliation. Before we determine what we should and should not do in reaction to a cyberattack, we need to make sure we correctly attribute it to its source.
“Currently, one of the predicaments is that states are able to do very bad things and get away with it, scot free”, says Prof. Yuval Shany, the head of The Federmann Cyber Security Center – Cyber Law Program and the chair of the UN Human Rights Committee.
There are currently no international agencies responsible for naming the actual entities behind the dummy cyberattackers. Prof. Shany, alongside Exeter University and the Dutch government, are researching this in a feasibility study, looking to borrow ideas from other areas where attribution is important, among them proliferation of nuclear and chemical weapons.
A lot of attacks take place on infrastructure, software and platforms that are run by private tech companies. Those companies presumably have better understanding of their systems, and of how the attacks were initiated. "The question is whether the more suitable model for such an attribution agency is a private model or a public model", says Prof. Shany. "There have been private companies that have conducted research and came out with specific conclusions as to who's done it, who was behind it. [But] because they are private companies and because they do this for pay, there are some questions that are often raised as to whether they are generating findings that would be sufficiently independent and impartial from the client that actually ordered this service".
Wars have rules, and they will have to be refreshed, perhaps even restarted, when killer robots and AI will join the battlefield. “One area in which we have done research is what are the very rules of the game”, says Prof. Shany. “There is some specific tech development project which we are monitoring that have to do with the interplay between technology and humans, and the way in which human decision making in the battlefield is going to be increasingly enmeshed with technology”.