Just 48 hours after banks and government websites crashed in Ukraine under the weight of a concerted cyberattack on February 15 and 16, the United States pointed the finger at Russian spies.
Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said that the US has “technical information that links the Russian Main Intelligence Directorate (GRU)” with the DDoS attack that had overloaded and brought down the Ukrainian websites.
“GRU infrastructure was seen transmitting high volumes of communication to Ukraine based IP addresses and domains,” she told journalists on February 18. It’s believed that the cyberattack was meant to sow panic in Ukraine as over 150,000 Russian troops massed at the border.
The speed at which both US and UK officials were able to apportion blame is an enormous change from recent history, and it shows how attribution has become a crucial tool of cyberconflict for the United States. In recent years, the US has used cyber attribution as a geopolitical tool more often than any other country in the world, often with allies in the United Kingdom, especially when the target is Russia, as was the case last week.
“I will note that the speed with which we made that attribution is very unusual,” Neuberger said. “We’ve done so because of a need to call out the behavior quickly as part of holding nations accountable when they conduct disruptive or destabilizing cyber-activity.”
This new policy has its roots in what happened in the wake of the 2016 US election. Gavin Wilde, formerly a senior National Security Council official focused on Russia, helped author the landmark Intelligence Community Assessment that detailed Moscow’s hacking and disinformation campaigns aimed at influencing the election. It took an enormous effort prompted by President Obama himself, backed up by the Director of National Intelligence James Clapper, just to kickstart the process to get all of the relevant US intelligence agencies in the same room and share information across a wide range of classification levels.
But the assessment and attribution of their cyber campaign wasn’t made public until 2017, months after the US election itself had come and gone.
“There was a feeling of helplessness [among US intelligence] when clearly the American public was the target audience for the Russians,” Wilde tells MIT Technology Review.
Even though it came late, the assessment was an impressive accomplishment compared to anything that had come before.
“But there was still a sense of failure that we weren’t able to defuse these activities before the narratives were well-seeded by the Russians and amplified by people in positions of prominence,” Wilde says.
The long road
Hacking was an important facet of global politics for decades before public attribution was ever seriously considered. It took a landmark cybersecurity report from a private sector firm to make waves, land on the front page of the New York Times, and change the way the entire world thought about unmasking hackers.
The 2013 report on Chinese hackers known as APT1 by the American cybersecurity firm Mandiant was the first to ever publicly point the finger at a nation-state. It took a full decade of hacking by the group, beginning in 2002, for the accusation to go public.
When the APT1 report was published, the document was immensely detailed, down to the level of singling out the Chinese People’s Liberation Army cyber espionage group known as Unit 61398. A year later, the US Department of Justice effectively backed up the report when it indicted five officers from the unit on charges of hacking and stealing intellectual property from American companies.
“The APT1 report fundamentally changed the benefit-risk calculus of the attackers,” says Timo Steffens, a German cyber-espionage investigator and author of the book Attribution of Advanced Persistent Threats.
“Prior to that report, cyber-operations were regarded as almost risk-free tools,” he says. “The report not only came up with hypotheses, but it clearly and transparently documented the analysis methods and data sources. It was clear that this was not a one-off lucky finding, but that the tradecraft can be applied to other operations and attacks as well.”
The consequences of the headline-grabbing news were far-reaching. A wave of similar attributions followed and the United States accused China of systematic massive theft, leading to cybersecurity being a centerpiece of Chinese president Xi Jinping’s visit to the United States in 2015.
“Before the APT1 report, attribution was the elephant in the room that no one dared to mention,” says Steffens. “In my opinion it was not only a technical breakthrough, but also a bold achievement of the authors and their managers to go the final step and make the results public.”
It’s that final step that has been lacking, as intelligence officers are now well-versed in the technical side. To be able to attribute a cyberattack, intelligence analysts look at a range of data including the malware the hackers used, the infrastructure or computers they orchestrated to conduct the attack, intelligence and intercepted communications, and the question of cui bono — who stands to gain? — a geopolitical analysis of strategic motivation behind the attacks.
The more data, the easier attribution becomes as patterns emerge. Even the world’s best hackers make mistakes, leave behind clues, and reuse old tools that help make the case. There’s an ongoing arms race between analysts coming up with new ways to unmask hackers and the hackers aiming to cover their tracks.
But the speed of the attribution of the Russian attack showed that previous delays in naming names were not simply due to a lack of data or evidence. It was politics.
“It boils down to a matter of political will,” says Wilde, who worked at the White House until 2019. “For that you need decisive leadership at every level. My interactions with [Anne Neuberger] lead me to believe she’s the type that can move mountains and cut through red tape when needed to augur an outcome. That’s the person she is.”
Wilde argues that the potential Russian invasion of Ukraine and the risk to hundreds of thousands of lives is pushing the White House to act more quickly.
“The administration seems to have gathered that the best defense is a good pre-emptive offense to get ahead of these narratives, pre-bunking them, and inoculating the international audience whether it be the cyber intrusions or false flags and fake pretexts,” says Wilde.
Public attribution can have a very real impact on an adversary’s cyber-strategy. It can signal that they’re watched and understood, or can impose costs when operations are uncovered and tools must be burned to start anew. It can also trigger political action such as sanctions that go after the bank accounts of those responsible.
Just as important, Gavin argues, it’s a signal to the public that the government is closely tracking malicious cyber activity and working to fix it in a way that you can often go and read in public indictments or intelligence reports.
“It creates a credibility gap, particularly with the Russians and Chinese,” he says. “They can obfuscate all they want but the US government is putting it all out there, for public consumption, a forensic accounting of their time and efforts.”