Striking the Right Balance: How to Publicly Attribute a Cyber Operation to Another State

Christina Rupp Opinions

In recent years, publicly attributing the authorship of malicious cyber operations to another state has become an increasingly popular policy response for many states. Given the political attention these official public political attributions receive, it is vital for states to reasonably explain and justify the reasoning behind particular public attributions. In striking a balance between disclosing and strategically withholding information, states should consider describing the operation’s significance and irresponsibility as well as substantiating their attribution, to provide for a comprehensive and compelling public attribution.

In December 2023, the United Kingdom publicly claimed that the Russian Federal Security Service (FSB) was politically responsible for a series of malicious cyber activities aimed at interfering in the country’s ‘politics and democratic processes’. In recent years, publicly attributing the authorship of malicious cyber operations to another state has become an increasingly popular policy response for many states, including Russia and China. While states can engage in different forms of attribution, attributions such as the UK’s recent example are the most significant type from a cyber diplomacy standpoint. This is because states communicate these official public political attributions (OPPAs) in public via official government channels instead of non-public private ways.

States are highly likely to continue considering public attributions as a viable policy response in the foreseeable future, especially in light of several developments. Advancements in methods and governmental attribution capabilities, for instance, are facilitating technical determinations of who was behind particular cyber operations, which are required for political efforts to publicise an attribution. Moreover, several states (for example, Australia, Belgium, Germany and Estonia) have begun institutionalising their respective decision-making procedures by establishing national attribution policies or processes. Others have expressed interest in acquiring the technical capabilities needed to engage in attribution in the first place.

Given the accusatory nature of public attributions and the fact that states typically attribute operations to their adversaries, it is imperative that attributing states not merely publicise their attributions but reasonably explain and justify why they made them public. They should do so not despite, but precisely because of the sensitivity surrounding attributions as a matter of national security.

Discretion vs. disclosure

Once a state decides to pursue public attribution, it possesses considerable leeway concerning the information and level of detail shared publicly. Providing a comprehensive explanation of the choices made in each case is an essential task. It is also a challenging one, as it requires the state to strike a balance between disclosure and strategic discretion. 

On the one hand, states may choose discretion in communicating their OPPAs. For example, they may need to protect intelligence sources or weigh other factors, such as the nature of the cyber operation, the ‘impact on victim’ or the attributing state’s relationship with the attributed state. Attributing states may also seek strategic ambiguity to avoid specifying red lines for state behaviour. They may do so to avoid pinpointing their response threshold, which could cause the attributed state to keep future operations just below that level.

On the other hand, disclosing information can also offer states distinct advantages. Despite the recent progress in methods and capabilities, an attribution remains a complex endeavour. An attributing state must first establish the connection between a cyber operation and its perpetrator. Therefore, detailing cyber operations in public offers states, first, the opportunity to reflect upon, acknowledge and make sense of this complexity. The more precisely an attributing state connects the dots itself, the more it diminishes this intricacy and influences external perception of its reasoning, which may hinder alternative explanations from gaining a foothold.

Second, providing more detail also permits third parties – including other states, the broader cybersecurity community and journalists – to validate the attribution. If external stakeholders can corroborate the assessment and, on that basis, express that they find it convincing, attributing states can increase political and reputational costs for the attributed actor.

Third, disclosing information can be beneficial for states seeking a solid basis for potential future follow-up actions targeting the attributed actor. By way of example, when a state subsequently imposes sanctions or takes other measures available to it under international law, the existence of transparent information can strengthen their external legitimacy.

Fourth, publishing significant information on the attributed operation may also foster a sense of urgency among the international community, third parties such as private sector entities, and/or an attributing state’s citizens. States may leverage this heightened attention to facilitate political prioritisation, to allocate budgetary and human resources and to raise awareness of the identified threat.

For these reasons, deciding how much information to share within a public attribution is a balancing act. States should consider the following parameters when deliberating how to explain their attributions publicly:

1) Describing the Cyber Operation and its Significance

Depicting what happened constitutes the central object of any OPPA as it exposes activity that would otherwise, in most instances, be excluded from public knowledge. Such descriptions can lay the groundwork for arguments for that public attribution. 

Depending on the operation in question, it may prove promising for states to refer to

  • the operation’s target and/or victim, for example, whether a critical infrastructure sector or specific entity was compromised; 
  • where the targets are located and whether the attributed actor targeted domestic organisations;
  • when or for how long the operation took place and, if applicable, if it is still ongoing;
  • and what harm or damage, if any, the operation caused (endangering the lives of humans, for instance, or incurring economic costs).

Building upon this, states may choose to emphasise particular elements of the operation that they believe to be particularly concerning. This allows them to highlight what essential interests they deem implicated and worth protecting. It can also illustrate the objectives the attributing state presumes the attributed actor to be pursuing with the operation, and how that relates to the latter’s broader policy goals. Both aspects can underline, for external stakeholders, the perceived necessity and proportionality of resorting to an OPPA.

Elements that give insight into an operation’s significance and severity include

  • the effect and impact caused, for example, whether the operation impacted entities providing services to the public, rendered systems inoperable or compromised data;
  • the threats and/or risks posed by the operation, for instance, on national security, public safety, democratic processes, the (global) economy or international stability and security;
  • and the assumed goals of the attributed actor, for example, whether the operation stood individually or was part of a broader multi-stage intrusion, whether there is a temporal political context of relevance or whether the targets were of reconnaissance, economic or other interest to the attributed actor.

2) Substantiating the Attribution

Evidence and technical analysis are essential for any attribution process and impact a state’s decision to go public. When attributing states conclude that the benefits of substantiating their claims of accountability outweigh risks such as intelligence loss, they can opt to

  • refer to governmental or foreign sources of evidence, such as intelligence information, law enforcement investigations or consultations among like-minded countries;
  • refer to publicly available sources of information, for instance, commercial reporting on specific threat actors;
  • provide technical information, for example, the exploitation of a specific vulnerability, tactics, techniques and procedures (TTPs) of the attributed actor, or indicators of compromise (IOCs);
  • and/or include a level of confidence or likelihood outlining the certainty with which they assess that the attributed actor has conducted the operation.

Providing evidence can help states gather and increase external support, as it permits other stakeholders to verify the assessment independently. In turn, this may enhance the credibility of the attributing state’s assessment. Hence, highlighting that their political attribution builds upon a high level of technical evidence and/or including words of estimative probability allows states to show that they undertake their political attributions with great care. 

Toward the attributed actor, substantiating the attribution can signal a high technical capacity in terms of detection and analysis. It can also make it harder for the attributed state to deny the operation plausibly. Since many attributed states have frequently criticised the ‘unsubstantiated’ nature or ‘politically motivated fabrication’ of attributions directed towards them, substantiating the attribution can also strengthen the international positioning of attributing states.

3) Outlining the Operation’s Irresponsibility

Public attributions highlight activities that attributing states do not tolerate. Therefore, they can also advance collective expectations and set benchmarks for what states regard as appropriate state behaviour in the use of information and communication technologies (ICTs).

In this respect, attributing states may even go a step further than outlining the operation’s significance (parameter 1) by

  • indirectly, or, preferably, explicitly referencing the UN framework of responsible state behaviour or other international/bilateral commitments by the attributed actor;
  • and/or highlighting that, and ideally why, the operation attributed does not comply with a specific UN cyber norm or, if applicable, violates a provision of international law.

By indicating contraventions, an attributing state can strengthen its efforts to establish accountability in specific cases. There is also added value on a systemic level. Given the abstract formulation of many commitments, such references provide insight into national (or collective) understandings of existing norms and rules. This facilitates their practical interpretation and advances their operationalisation, which is particularly important as some states argue that accountability for activities in cyberspace only exists once the international community agrees on a dedicated international treaty.

Communication channels matter

A study co-authored by the author of this blog post analysed 164 OPPA practices by Australia, Germany, Japan and the United States. The study concluded that these states vary more or less significantly in how they conduct and explain their OPPAs. In practice, the explanations provided within an OPPA will predominantly depend upon the nature and scope of the cyber operations, national interests and policy objectives pursued, and the target audience sought by the attributing state. To a large extent, these considerations will be reflected in the attributing state’s choice of channel to communicate its attribution. 

Not all channels are equally suited for the inclusion of specific parameters. For example, outlining the irresponsibility of the operation will almost exclusively be reserved for attributions communicated via political channels (such as a press release by a country’s Ministry of Foreign Affairs). Meanwhile, resorting to a technical channel (for instance, an advisory or alert by the national cybersecurity agency providing mitigatory advice) requires states to provide higher degrees of factual explanation substantiating their attribution. Especially for particularly significant cyber operations, states may thus also leverage each channel’s peculiarities by combining various channels in the framework of a domestically coordinated OPPA – a practice particularly observable in recent US OPPAs.

A normative way forward?

More states are acknowledging that they have established attribution processes or have shared details about their respective policies in policy documents, such as national cybersecurity strategies (for example, Switzerland), papers on the national implementation of the 2015 UN cyber norms (for instance, United Kingdom), or guidelines on ‘cyber attribution’ from an intelligence perspective (United States). Nonetheless, publicly available information regarding their exact content remains sparse. Consequently, individual OPPAs are often the only publicly available insight into a specific country’s policy posture on attribution. Given the political attention that an OPPA receives, it is all the more vital to carefully balance which information to disclose and how. The three parameters presented in this blog post can complement each other to provide a compelling, clear and precise framing of a public attribution. They also offer starting points for a broader strategic reflection on the intended use of this policy instrument.

States may also deliberately act upon these parameters to shape collective expectations of how states should (and should not) communicate their OPPAs. Such shared understandings can contribute to global cyberspace stability and conflict prevention by creating tangible prospects of what practicing OPPAs responsibly entails. At present, the 2015 UN cyber norms leave ample room for practical interpretation of how states should publicly communicate their political attributions. With more public attributions likely on the horizon, from an expanding number of states, states can be expected to – consciously or incidentally – shape notions of appropriateness in this respect. 

In this context, EU Member States should actively consider what part they can or want to play in their elaboration – either implicitly through their public attribution practices or explicitly by spreading preferences with and among other states. Currently, many states are either setting up or systematising (public) attribution policies. Coupled with the possibility of collective public attribution at the EU level, there is both political momentum and potential for EU Member States to set an example by operationalising such shared understandings amongst themselves and other like-minded countries.

Thumbnail image: credits to @markusspiske on Unsplash


About the Author

Christina Rupp

Christina Rupp is an expert in the cybersecurity policy and resilience team of the Berlin-based tech policy think tank Stiftung Neue Verantwortung (SNV). Her work focuses on issues of cyber diplomacy and EU cybersecurity policy.
