States’ drafting of explicit national attribution policies is anchored in the law of state responsibility in cyberspace. Such policies do not necessarily promote frequent (or any) attribution. Rather, they draw attention to the multifaceted aspects of attribution and the need for careful political consideration in making affirmative, deferring or negative attribution decisions. While actual content direction remains the prerogative of each state, it is possible to identify certain elements that might lay foundations for a national attribution policy framework.
There’s hardly any international cybersecurity discussion that doesn’t feature the problem of attribution. Two interlinked developments have made attribution a ‘hot potato’: the strengthened ambition by states to do something about harmful and malicious cyber/digital activities and the international attention given to the question of attribution as part of the UN’s processes, especially in the 2014–2015 Group of Governmental Experts (GGE) report. But this is where the agreement ends.
Although all states subscribed to the idea that in the case of ICT incidents, they ‘should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences’ (recommendation 13b in the 2015 UNGGE report), they also concluded that ‘the accusations of organizing and implementing wrongful acts brought against states should be substantiated’. That resulted in two divergent practices: for some this recommendation speaks of the importance of attribution; for others, it is a reminder of the challenges. The existence of commentaries, comparative and effectivity analysis and guiding reports highlights the diversity in ways forward. The complexity and the sensitive nature of attribution were restated in the 2021 UNGGE Report, which cautions against the risk of misunderstandings and escalation of tensions between states that attribution policies might lead to.
Recent examples of attribution include the 20 February 2020 coordinated and public attribution by the United Kingdom, the United States, New Zealand, Australia, Canada, Ukraine, Estonia, Poland, the Czech Republic, the Netherlands, Denmark, Lithuania, Norway, Latvia and Finland condemning Russia for the cyber-attack against a Georgian web hosting service provider. The US also indicted six Russian military intelligence service (GRU) officers in conjunction with the operation. On the other hand, the Finnish Security and Intelligence Service spoke only of the APT31, and not of the state of China, when revealing its findings on a cyber espionage case against the Finnish parliament.
Without entering any legal, scholarly or political debate on the correct interpretation or status of the law of state responsibility, there seems to be a general acceptance of the legal framework of state responsibility. But where are we? Where do states want to go with attribution?
Political parameters of attribution
During the 2019–2021 UN GGE process, interested countries outlined their parameters of attribution. While many Western states consider accurate attribution possible, and rather unproblematic from a legal perspective, Russia regarded it as demanding further study. In national positions, both frameworks—the international law-based state responsibility and the GGE-based responsible state behaviour—are mobilised. At the same time, it should be noted that the majority of the GGE participating countries as well as the Open-ended Working Group remained silent on attribution.
Germany, the United Kingdom and the United States, in particular, emphasise the difference between legal and non-legal—political and technical—forms of attribution. Legal attribution identifies states that are responsible for an internationally wrongful act, while political and technical attribution describe the identification of states or non-state actors that have carried out a cyberoperation that is not necessarily an internationally wrongful act. In this context, the Netherlands explained technical attribution as ‘factual and technical investigation into the possible perpetrators of a cyber operation and the degree of certainty with which their identity can be established’, and political attribution as ‘policy consideration whereby the decision is made to attribute (publicly or otherwise) a specific cyber operation to an actor without necessarily attaching legal consequences to the decision’.
Accordingly, many Western states underlined states’ sole discretion, national prerogative and own judgement in decision-making on attribution. Expressing its views during the 2019–2021 GGE process, the United States noted that:
‘The law of State responsibility does not set forth burdens or standards of proof for attribution. Such questions may be relevant for judicial or other types of proceedings, but they do not apply as an international legal matter to a State’s determination about attribution of internationally wrongful cyber acts for purposes of its response to such acts, including by taking unilateral, self-help measures permissible under international law, such as countermeasures. In that context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State’.
In addition, some states offered general procedural guidance. Firstly, states stressed the need to assemble a broad range of technical, political, legal, law enforcement and intelligence sector participants and to gather information, e.g. through data forensics, open sources research, human intelligence and other sources, but also bearing in mind the context of an incident or operation. International exchanges of information and views were also noted. Secondly, states elaborated on whether and when attribution should be made publicly or privately. Here, the United Kingdom’s view is clear: ‘The UK will publicly attribute conduct in furtherance of its commitment to clarity and stability in cyberspace or where it is otherwise in its interests to do so.’
A contrasting note comes from Russia, which noted that countermeasures against a state responsible for an internationally wrongful act ‘shall not affect the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations; obligations for the protection of fundamental human rights; obligations of a humanitarian character prohibiting reprisals; other obligations under peremptory norms of general international law’.
At the same time, Russia is assuming that ‘for the present, the international community has reached consensus on the applicability of the universally accepted principles and norms of international law’. Moreover, referring to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission), Russia notes how ‘the international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State’ and ‘the characterization of an act of a State as internationally wrongful is governed by international law’.
China gave its full support to the applicability of international law and norms of responsible state behaviour in the Open-ended Working Group elaborations. China also noted that ‘some states suggested that the invocation of the responsibility of States involves complex legal, technological and political issues, including, inter alia, the scope of wrongful acts, attribution to a State of particular acts, claimants’ obligation of proof’, and commented that ‘When attributing an ICT incident to a particular State, States should demonstrate genuine, reliable and adequate proof.’
National attribution policy: purpose, principles and practices
As with any policy document, national attribution policy has the general and instrumental purposes of providing political and administrative guidance, organising work and measures and informing domestic and foreign audiences of states’ considerations, intentions and capacities. In short, explicit attribution policy helps governments to make informed and thoughtful decisions. Therefore, a national attribution policy document can follow the general structure of other national policy documents and strategies without ‘reinventing the wheel’.
Politically and internationally, the interesting question around attribution is: for what purpose is attribution or non-attribution considered useful? Here, state justifications may differ. Indeed, when the directing or determining role of countries’ diverse resources and ambitions is accepted, justifications and directions of attribution policies need to differ too. Superpowers and normative cyber influencers are likely to have not only more resources and more developed cybersecurity and information security and attribution capabilities than smaller, developing countries, but also more far-reaching ambitions. It would be unfair to expect all smaller or developing countries to follow the attribution policies and practices of powerful industrial countries. Here, the parameters may oscillate between general or immediate foreign policy objectives and worldwide cyber-specific ones. Another value-driven theme to consider is the level of unilateralism v. cooperation, even globalism: the latter mainly applies to a UN-centric approach to attribution.
More instrumentally, factors that favour attribution may include:
- Sending clear messages and shaping expectations regarding unacceptable state behaviour and malicious cyber activities
- Deterring further malicious and intolerable state behaviour and cyber activities
- Complementing other measures that advance accountability and responsibility
- Alerting industry, operators and network defenders to an existing or potential threat
- Manifestation of solidarity and cohesion with victims and partners
- Public attribution can undermine the ability of the state to which the activities are attributed to recruit personnel to carry out malicious cyber activities.
Factors that disfavour attribution, particularly public attribution, may include:
- Uncertainty of substantiation and evidence
- Reluctance to reveal own awareness and forensic and intelligence capability
- Deteriorating relations that may hinder peaceful settlement of the dispute
- Escalation of the situation by closing private communications and hardening attitudes
- Tacit international acceptance of certain unfriendly cyber activities, especially political espionage
- Lack of resources to follow an attribution decision
- Overriding foreign, economic or military operational interests
- Preoccupation with other domestic or international crises
- Domestic strategic and political culture.
National attribution policy should outline principles, procedures and methodologies that are to be applied in the attribution process. In effect, attribution policy creates lines of action and communication that cut across administrative silos and epistemic–professional communities. Attribution is a team sport where technical and forensic expertise need to be combined with legal expertise and political decision-making. The actors whose roles and responsibilities need to be outlined include computer emergency response entities; national intelligence and security service(s); the police and prosecutors; armed forces; ministries for foreign affairs, interior, justice, defence and economy; and communications/ICT and dedicated critical information infrastructure and critical infrastructure operators. Accordingly, comprehensive technical, organisational and human capability development may result from the determined mandates.
As many nations have already developed national emergency mechanisms and procedures, it is advisable that cyber-digital crisis management and the process of attribution follow the existing frameworks. Some concrete adjustment in legislation and internal regulations may be needed. Clear roles and responsibilities, mandates and powers are essential, which for example establish and enable joint processes, communicate methodologies and results and share relevant information, and which are adequately resourced.
Qualitatively, an attribution policy needs to sketch the principles of knowing (‘how do we know?’) as well as certainty/uncertainty of knowledge and evidence. Specificity of attribution to be considered beforehand and on case-by-case merits varies from general support of another state’s attribution to naming the territory of origin or a specific non-state actor, to assigning explicit responsibility to a foreign government or its organ. Another issue to be elaborated is the style of the potential act of attributing: publicly naming, shaming or blaming or privately letting the target states understand. Public attribution may rally one’s troops but may only harden the stance of the attributed party. Moreover, what one considers shaming may turn to be ‘faming’ for the other party.
One should also consider the day after: what is to be done after an attribution. This may lead to a need for capability development or bounce back as a health warning: has the attributing government enough political capacity and resources to deal with the potential consequences of its action?
Attribution policy can offer transparency to a sensitive international affairs issue. Transparency of governmental affairs enhances accountability before both the public and the international community; the former is an essential factor of democratic order, the latter an important de-escalatory and predictability-enhancing factor in terms of peaceful and stable international order. Indeed, expressed purposes and principles of attribution can increase predictability of international relations: an important aspect of domestic, regional and global stability. Avoidance of misattribution, which properly organised and conducted attribution is likely to provide, helps to avert unintentional political escalation.
About the Author
Mika Kerttunen is Director of Studies, Cyber Policy Institute, and Adjunct Professor in military strategy at the Finnish National Defence University.