Opinion: The government must name and shame hackers
In the presidential debate last week, Hillary Clinton Russia’s responsibility for the hack of the Democratic National Committee (DNC). Two weeks ago, Senator Dianne Feinstein (D) and Congressman Adam Schiff (D) of California released a explaining, “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election.” Despite these statements and Crowdstrike’s against Russia, the executive branch has not officially attributed the DNC intrusions to Russia.
In the absence of official attribution by the US executive branch, private cybersecurity companies are playing the role of accusers of foreign governments. The DNC compromise is not the only case like this. Take the 2015 Office of Personnel Management breach. The executive branch has not formally identified the perpetrators of that intrusion either, but Crowdstrike Chinese government-affiliated hackers.
Casting private companies in the role of accusers has some benefits, but relying on private attributions to the exclusion of official attributions may create some underappreciated risks for the United States.
On the plus side, attributions by private companies have fostered transparency: The companies publicly announce their findings and release reports – often quite – about their evidence. Other companies and researchers can then independently evaluate the evidence and confirm or dispute the attribution. That double-checking process Crowdstrike’s attribution of the DNC hack to Russia. Attribution by companies can also put foreign government-sponsored hackers on notice that their actions are traceable, potentially deterring or at least slowing .
US government officials have praised private attributions and suggested they are useful to the government. Secretary of Defense Ash Carter in a 2015 speech that attribution of cyberattacks has improved “because of private-sector security researchers like FireEye, Crowdstrike, HP—when they out a group of malicious cyber attackers, we take notice and share that information.” Moreover, private companies’ attributions ensure that foreign governments are accused of bad behavior, without the U.S. government having to do the accusing and bearing whatever diplomatic costs might follow.
But aside from these apparent benefits, reliance on private attributions to the exclusion of governmental accusations could be problematic for the US government going forward.
First, the speed and detail of private companies’ attributions can make the government seem slow and overly cautious. This perception is heightened when government sources anonymously confirm to journalists that the government believes a foreign state is behind an attack – as have with respect to the DNC hack – but the government continues to refrain from an official accusation. The absence of an official attribution may tend to foster ongoing questioning about the source of intrusions.
Another risk is that private companies are shaping expectations about the evidence needed for attributions. Think of this as a “CSI effect” whereby the portrayal of high-tech forensic investigation on television shows like CSI causes jurors in actual criminal trials to have unreasonable expectations about the amount and nature of evidence that should be presented. The cybersecurity equivalent is that private companies’ transparency about the evidence supporting their attributions of attacks to foreign governments may shape expectations about the evidence that the government should put forth when it makes similar accusations.
The “CSI effect” may have been at play in response to the FBI’s attribution of the Sony Pictures hack to North Korea. The FBI initially a high-level description of the evidence supporting its attribution, but was with skepticism from the security community. To address continued questioning, FBI Director James Comey a somewhat more detailed description of the FBI’s evidence a few weeks later. The prevalence of detailed private attributions may be setting expectations for attributions that the government cannot match without compromising sources and methods that it needs to preserve, and absent detailed evidence, its attributions may seem less credible to security researchers.
The evidentiary standards matter not just as between the private sector and the government domestically, but also between countries. There is not yet settled state practice about the nature or amount of evidence that a state should put forth in accusing another state of a cyberattack. The UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security – a group that includes the United States, Russia, and China, among other countries – touched on the evidentiary issue in passing in a . The report notes that “accusations of organizing and implementing wrongful acts brought against States should be substantiated” (para. 28(f)). Substantiated how or with what type of evidence, the report doesn’t say.
The United States has an opportunity to shape evidentiary norms about attribution, but to do so, it will need to make official accusations. To be sure, the stakes are high for official attributions. They have to be right, and accusations raise expectations that the government will take other responsive actions, like imposing sanctions (as in the ) or filing criminal charges (as the United States has done with respect to hackers linked to and ).
But the stakes are also high if the US government sits out public attributions. If the United States does not officially attribute state-sponsored cyberattacks and cedes the field to private companies or other states, it risks losing control of both the narrative about particular cyberattacks and the evolving evidentiary norms. Instead, the norms may be influenced by the practices of private companies, whose reports may create a baseline that governments will have difficulty matching, or they may be set by the practice of other countries that are more forthcoming about official accusations.
Especially in instances where cyberattacks involve important values, like freedom of expression or electoral integrity, the United States should find a way to make substantiated, public attributions. Silence carries its own risks.
is an Assistant Professor at UCLA School of Law, an affiliate scholar at the Center for Internet and Society at Stanford Law School, and a term member of the Council on Foreign Relations. This piece was originally published on , a blog by the Council on Foreign Relations.