Attributing Cyber Attacks
In cyberspace, it is impossible to identify with certainty the origin of an attack, which makes it difficult to enforce the right to self-defence. The law of war requires that the initial cyber attack must be attributed before a counterattack is permitted. As a result, any decision to retaliate is risky. Uncertainty about the adversary’s intentions manifests itself in a “security dilemma” unique to cyberspace. In order to guarantee their cybersecurity, states are forced to confuse the tactical modalities of attack and defence, which can only result in increased tensions and general insecurity for all actors.
With the high risk of escalation in cyberspace, restraint plays a central role in crisis management. In April 2015 after the hacking of White House and State Department messaging, allegedly by Moscow-backed hackers, the Obama administration preferred the option of leaks to the press pointing to the responsibility of Russian hackers. In this case, sending a signal through the media calling on Russia to restrain itself was substituted for a proper attribution.
Attribution of cyberattacks is a rare maneuver, based less on technical certainty than on the political will to get a message across. In other words, the question is more about when attribution is possible than whether it is possible.
However, the problem of attribution remains the mark of power in cyberspace. Only supported by a cluster of clues, since the perpetrators can hide their digital traces behind hackers or computers installed in a third country, the ability to attribute an attack varies greatly from one state to another.
Cyber attribution is a complex matter that involves a layer of technical and strategic investigation. The more elaborate the attack, the more difficult it is to attribute, making the chances of achieving perfect attribution very low. The chances are even lower in the case of attacks generated by hostile states but executed by non-state actors. Cyber attribution is therefore not a binary exercise in proving guilt or non-guilt with absolute certainty. Making cyber attribution public is therefore a pragmatic judgmental prerogative of the state, which will be based on technical and strategic information, as well as analysis of the political stakes.
Sources:
- B. Buchanan, The Cybersecurity Dilemma. Hacking, Trust, and Fear between Nations, Londres, Hurst, 2016.
- B. Valeriano et R. Maness, Cyber War Versus Cyber Realities: Cyber Conflict in the International System
- L. Kello, The Virtual Weapon and International Order
- J. Nocetti, Géopolitique de la cyber-conflictualité, Politique étrangère, 2018/2