After his keynote, "Threats and Innovative Solutions Organizations can Implement," we asked Guy Walsh about the challenges of attribution. Since the organization whose strategic initiative he leads, US Cyber Command, is an operational, warfighting command that functions in the new, fifth domain of conflict, how does it approach attribution? After all, you not only need to be able to recognize the adversaries operations in cyberspace if you're to counter them, and to recognize where the adversary's high-value and high-payoff targets are, but you have to be able to recognize the adversaries themselves.
It can be tough, he observed. False flag operations and deniability are common. He thought there was promise in artificial intelligence and big data, and that these were the areas where work was needed, but that attribution wasn't to be done casually or rashly. The stakes are too high.
A convergence of art and science. But that's nothing new.
Thomas Rid (just arrived to take up his new position at the Johns Hopkins University's School of Advanced International Studies) spoke about the challenges involved in attributing cyber attacks.
His approach was informed by a long historical perspective. Attribution is an old problem, he said. He invited the symposiasts to consider one example, the 1914 assassination of Austrian Archduke Franz Ferdinand in Sarajevo. Was it the work of an independent terrorist, a cell, of Serbian intelligence services? The answer was far from immediately clear, but swift attribution of the killing to Serbia precipitated the First World War.
Attribution is further complicated today by difficulties posed by "active measures" (leaks, forgeries, and disinformation). These too aren't new, but they have been used extensively in current cyber conflict. Referring to the still fresh memory of East Germany's Cold War era Stasi deception operations, Rid pointed out that intelligence operations aren't just spying. Some of them, information operations, are intended to affect how an adversary thinks, and they are designed to make attribution difficult.
In last year's hack of the Democratic National Committee, the phishing email DNC chair John Podesta fell for was a convincing forgery. This and other incidents have changed the debate over attribution. Formerly seen as a technical question and a binary problem, if so conceived attribution can appear intractable. But this isn't a useful way of understanding the problem.
While technical evidence of course matters, Rid argued that attribution is as much art as science. It's a nuanced process, and operationally its conduct is a function of what's at stake. He talked the audience through a model of attribution that operates on multiple levels: strategic, tactical, and operational. It requires an understanding of regional context, of why, who, what, and how. In the process of evaluating evidence, understand that you're working against a human adversary who adapts to you. So consider language and personae, but realize that false flags are becoming prevalent. Note the pattern of life, and look for stealth.
Attribution not just a political matter, Rid said, but a concern of companies as well. Consider Equifax, and the interest in determining who breached the credit bureau and why. For companies, communicating attribution can be challenging. Rid said he was struck by how often one must repeat and simplify findings. And communicating the process itself is challenging. The higher the commercial profile, the more controversy surrounds it. Evidence is often discounted simply because the conclusions it supports are unwelcome.
Rid concluded that persuasion is an untechnical problem, but it's a vital one, not only in understanding information operations, but in communicating the results of attribution.