Georgia Institute of Technology’s School of Public Policy teamed up with the Aspen Institute in Washington to organize an informative discussion of cyber attack deterrence and attribution. The panel included Milton Mueller, the director of the Internet Governance Project, and the current and former directors of the U.S. government’s Cyber Threat Intelligence Integration Center, Erin Joe and Tanya Ugoretz, respectively. The discussion was ably moderated by John Carlin, a former Assistant Attorney General with the U.S. Justice Department’s National Security Division, now a partner with the law firm Morrison Foerster in DC. The event was recorded by CSPAN and can be viewed in full here.

Attribution through indictments

Professor Mueller stated that for the past three years the Internet Governance Project has studied the processes by which cyber attribution is carried out internationally and which actors are involved. The US has used various channels to carry out cyber attribution and announce the alleged attackers, but one of the most important tool that has evolved is the issuance of indictments in which the cyber attackers are identified and evidence of their crime is systematically laid out. Ugoretz from the FBI Cyber Division mentioned that it is important to establish who is responsible for a cyber attack in order to hold them accountable and to uphold international norms. Similarly, Erin Joe stated that it is important to go past the threat actor in a cyber attack and determine if there is a nation state behind the attack. The reason for such an investigation is twofold: upholding the rule of law in the US and bringing security and freedom to the Internet globally. According to Ugoretz, indictments providing evidence and the use of law enforcement and the judicial process to investigate cyber attacks is one of the more complex processes that the US government uses for cyber attribution. But cyber attribution is only one tool to achieve cyber deterrence. There are a host of additional tools that can be used such as sanctions and diplomatic actions.

A Transnational Attribution Entity?

Carlin asked Mueller about his involvement in efforts to create a Transnational Attribution Working Group (TAWG). At the transnational level, Mueller said, there are no central governmental processes for cyber attribution or prosecution. Not all governments trust each other; they are usually unwilling to reveal their sources and methods for attribution and there is not much transparency. Some states do not have the capability to carry out attribution. Governments’ incentives regarding cyber attribution can be based upon foreign policy concerns, which could potentially lead to misattribution or no attribution at all. A neutral, transnational cyber attribution entity without government involvement is therefore paramount when governments’ incentives can affect the legitimacy of the cyber attribution. A network of neutral, independent academics is building up the capacity to peer review cyber attributions or in some cases collect the information and carry out the cyber attribution.

The session noted that governments do not have a monopoly on cyber attack intelligence; far from it. Internet infrastructure and services are run by private actors and many nongovernmental actors are involved with collecting cyber intelligence. For example,  Internet Service Providers have critical information about cyber attacks and valuable data that can be used for cyber attribution. A host of cyber threat intelligence firms collect information and carry out attribution. While penalty and sanctions might be solely within the remit of states, attribution can be carried out by nongovernmental actors.

Deterrence and penalty

The panel then moved on to discussing whether cyber attack attribution can stop foreign governments from carrying out cyber attacks? Citing evidence from research conducted by one of the students on the Cybersecurity Policy Masters program (which will be published in more detail here at a future date), Mueller said that the record of indictments in deterring cyber attacks varies a lot based on whether the attacker is a non-state actor or a state actor. The U.S. indictments actually have a pretty good record of deterring non-state actors, but seem to have little effect on state actors. Attribution is not a deterrent on its own. We need to look at a broader constellation of incentives, context, and foreign policy when we want to achieve deterrence. Carlin raised the issue of how sometimes the line between state actors and non-state actors blurs, complicating both attribution and deterrence. 

The topic of the panel attracted intense interest, with a standing room only crowd and more questions than the time slot could accommodate.