Contested public attributions of cyber incidents and the role of academia

ABSTRACT

Public attributions of cyber incidents by governments and private industry have become prevalent in recent years. This article argues that they display a skewed version of cyber conflict for several operational and structural reasons, including political, commercial, and legal constraints. In addition, public attribution of cyber incidents takes place in a heavily contested information environment, creating fractured narratives of a shared past. The article uses three cyber incidents (Sony Pictures, DNC, and NotPetya) to show how actors cope with this contested information environment and proposes a changed role of academia to address some of the problems that emerge. To become competent in contesting public attribution discourses, universities would have to work more across physical, disciplinary, and academic boundaries. The main implications for democracies are to be more transparent about how attribution is performed, enable other civilian actors to study cyber conflict, and thereby broaden the discourse on cybersecurity politics.

KEYWORDS:

• Cybersecurity
• attribution
• threat intelligence
• legitimacy
• information warfare
• democracy

Acknowledgments

The article builds on a conference paper presented at the CSS Cyber Conference in September 2018, as well as on my previous work and ongoing research project on the Politics of Public Attribution. I thank all the conference participants, and in particular Myriam Dunn Cavelty, Jasper Frei, and Miguel Alberto Gomez, for their valuable feedback. Thanks also to Jasper Frei for his help with referencing and formatting of the paper.

Disclosure statement

No potential conflict of interest was reported by the author.

Notes on contributor

Florian J. Egloff is a Senior Researcher in Cybersecurity with the Center for Security Studies at the ETH Zürich, Switzerland. His research focuses on the politics of cybersecurity, particularly with regard to intelligence policy, and the role of non- and semi-state actors in cybersecurity. Florian’s current projects focus on the politics of public attribution and the use of cyber intrusions for political purposes. Prior to working at ETH Zürich, Florian wrote his DPhil (Ph.D.) in Cyber Security at the University of Oxford on Cybersecurity and Non-State Actors: a Historical Analogy to Mercantile Companies, Privateers, and Pirates. Florian is also a Research Associate at the Centre for Technology and Global Affairs at the Department of Politics and International Relations and teaches at the Centre for Doctoral Training in Cyber Security (both at the University of Oxford).

ORCID

Florian J. Egloff https://orcid.org/0000-0002-0290-667X

Notes

1 A more precise definition would split the attribution process into sense-making and meaning-making processes (Egloff, 2018, p.148, 165). Shortly defined, the sense-making process in attribution refers to the ongoing knowledge-generation process that establishes what happened, whereas the meaning-making process refers to deliberate actions that influence how others interpret a particular cyber intrusion. Public attribution is a specific kind of meaning-making process, which can then be split analytically into the two phases introduced in this article.

2 For research on the former phase, see Center for Security Studies (n.d.).

3 Part of these empirical examples draw on material first introduced in Egloff, 2018.

4 A claim that is also supported by research on value similarity and trust, see Visschers and Siegrist (2008).

5 At working level, the FBI had the DNC intrusions on the radar since 2015, but there is no public evidence of it briefing the White House before 2016.

6 New Zealand did not independently assess it, but joined the Five Eyes in the condemnation, whilst Canada attributed NotPetya to actors in Russia.

7 For the U.S. legal view of attribution, see Egan (2017).

8 Thanks to Dr. Matteo Bonfanti for pointing this out.