On Monday, July 19, 2021, an unprecedented coalition of states publicly accused China and its Ministry of State Security of engaging in a pattern of malicious cyber activity. Immediately, China denied the accusation, which raises the question of the benefits of attributing such activity.
Cyber attributions are formal statements by governments for the purpose of specifically linking a malicious cyber event to a state or other actor. They publicly identify the perpetrator and usually condemn the behaviour as contrary to international law or norms. Cyber attributions are also relatively rare, having only recently become a diplomatic tool, used sporadically in the late 2000s but more frequently following the 2017 WannaCry ransomware attack attributed to North Korea.
The cyber attribution on July 19 is remarkable in that it represents the largest coalition of states to make a coordinated attribution, including all member states of the European Union and the North Atlantic Treaty Organization, Australia, New Zealand and Japan. The inclusion of the European Union and Japan is notable, as they have seldom engaged in formal cyber-attribution activities, and even more rarely against China.
And yet, even given the large number of states in this coordinated action, it is worth asking whether cyber attributions accomplish very much. After all, states often condemn one another for activities they do not like. But it’s not clear this actually changes behaviour. Is this any less true in cyberspace?
In some cases, such as the Five Eyes countries’ attribution of the 2020 SolarWinds attack to Russia in April 2021, diplomatic actions have been accompanied by sanctions against countries, enterprises or even individuals. Yet even on the rare occasions that states have attributed an attack to China, no sanctions have been put in place. Without a punitive element, is a cyber attribution simply a strongly worded letter rather than a forceful diplomatic action?
Although they won’t put an end to malicious cyber activities any time soon, cyber attributions impose costs and send important signals, even when not accompanied by sanctions or other punitive measures. Well-coordinated diplomatic statements by many states criticizing actions impose reputational costs to which many states — and China, in particular — are sensitive.
Importantly, when such attributions are accompanied by evidence and explanation based on skilled forensic investigation, they demonstrate a capability to discover who’s responsible for malicious behaviour, down to the level of units and individuals. This work isn’t easy, so making the information public signals to adversarial states that they will be discovered and publicly exposed.
The United States has gone further and laid charges against individuals believed to be behind complex hacking operations. Some of these people have been arrested and sent to the US when they enter into territories with extradition agreements. On July 19, the American attribution was met with a separate indictment of four Chinese nationals accused of working with the People’s Republic of China Ministry of State Security in targeting intellectual property, business information and infectious disease research.
States are also aware that cyber attributions contribute to the setting of international norms and laws. There are few ways to set clear international standards for behaviour in cyberspace. Establishing international agreements and treaties is the most obvious. But in the absence of formal arrangements, state practice and statements contribute to building norms and customary law in undergoverned spaces.
Of course, there are limits here too. Most states engage in some form of cyberespionage, and cyber attributions are therefore carefully worded to avoid calling out the activities that states themselves wish to continue. In this way, we can note that China was criticized for hacking in relation to the theft of intellectual property, personally identifiable information and impact on the economy, rather than for spying.
A final and perhaps counterintuitive benefit to cyber attributions is that they raise awareness of malicious cyber activities domestically. When states speak publicly of cyber incidents within their territory, they send a signal to private sector and non-profit actors that they are vulnerable and being targeted.
For example, the vulnerability of the health and research sectors to cyber intrusions became better known publicly in the wake of Canada, the United Kingdom and the United States attributing a campaign of intrusions by Russian state actors in July 2020. This can spur actors not traditionally in contact with national cybersecurity authorities to reach out for guidance and support.
Nevertheless, although cyber attributions have utility, they’re not without risk. States need to be careful in how they deploy them, either unilaterally or in a coalition. There’s a risk of the “boy who cried wolf”; although there’s no shortage of state-led or state-permitted cyberthreat activities, calling them out too frequently will dull the impact of attribution statements domestically and internationally. As a tool, cyber attributions are most effective when reserved for the most serious attacks.
Does a cyber attribution encourage more responsible behaviour, even for a short period? Does it encourage retaliation online or off? Does it accelerate efforts to find new and better techniques for infiltration? Or, does it have no impact at all? And, if there is an impact, which kinds of costs and punitive measures were effective?
While we don’t yet know the answers to these questions, it’s likely we will see more coordinated cyber attributions in the medium term, with Joseph Biden’s presidency. A US administration willing and able to work with international partners at a time of seemingly non-stop high-profile cyber incidents will likely turn to diplomatic efforts (alongside active and defensive cyber measures) to accomplish its goals.
These are actions that complement other international initiatives, such as the European Union’s creation of the Cyber Diplomacy Toolbox, which has begun to place sanctions on individuals engaged in malicious cyber activities. The upshot is that state and state-enabled actors will continue their hacking campaigns. But they should expect to be called out for it.