Risky Business: When Governments Do Not Attribute State-Sponsored Cyberattacks

Publication Type: 
Other Writing
Publication Date: 
October 4, 2016

In the presidential debate last week, Hillary Clinton cited Russia’s responsibility for the hack of the Democratic National Committee (DNC). Two weeks ago, Senator Dianne Feinstein (D) and Congressman Adam Schiff (D) of California released a statement explaining, “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election.” Despite these statements and Crowdstrike’s accusations against Russia, the executive branch has not officially attributed the DNC intrusions to Russia.

In the absence of official attribution by the US executive branch, private cybersecurity companies are playing the role of accusers of foreign governments. The DNC compromise is not the only case like this. Take the 2015 Office of Personnel Management breach. The executive branch has not formally identified the perpetrators of that intrusion either, but Crowdstrike has accused Chinese government-affiliated hackers.

Casting private companies in the role of accusers has some benefits, but relying on private attributions to the exclusion of official attributions may create some underappreciated risks for the United States.

On the plus side, attributions by private companies have fostered transparency: The companies publicly announce their findings and release reports – often quite detailed ones – about their evidence. Other companies and researchers can then independently evaluate the evidence and confirm or dispute the attribution. That double-checking process confirmed Crowdstrike’s attribution of the DNC hack to Russia. Attribution by companies can also put foreign government-sponsored hackers on notice that their actions are traceable, potentially deterring or at least slowing further intrusions.

US government officials have praised private attributions and suggested they are useful to the government. Secretary of Defense Ash Carter said in a 2015 speech that attribution of cyberattacks has improved “because of private-sector security researchers like FireEye, Crowdstrike, HP—when they out a group of malicious cyber attackers, we take notice and share that information.” Moreover, private companies’ attributions ensure that foreign governments are accused of bad behavior, without the U.S. government having to do the accusing and bearing whatever diplomatic costs might follow.

Read the full piece at the Council on Foreign Relations