Journal of Global Security Studies, 3(4), 2018, 402–416 doi: 10.1093/jogss/ogy022 Research Article

Rethinking Secrecy in Cyberspace: The Politics of Voluntary Attribution

Michael Poznansky1 and Evan Perkoski2

Downloaded from https://academic.oup.com/jogss/article-abstract/3/4/402/5092710 by guest on 15 January 2020

1University of Pittsburgh and 2University of Connecticut

Abstract

Cyberspace affords actors unprecedented opportunities to carry out operations under a cloak of anonymity. Why do perpetrators sometimes forgo these opportunities and willingly claim credit for attacks? To date, the literature has done little to explain this variation. This article explores the motivations behind voluntary credit-claiming for the two main actors in cyberspace: states and politically motivated nonstate actors. We argue that states are most likely to claim credit for their operations and to do so privately when the goal is to coerce an opponent. Nonstate actors tend to publicly claim credit for their attacks in order to showcase their capabilities, influence public opinion, and grow their ranks. We use case narratives to assess the plausibility of our argument and find strong support. This article places cyberspace operations in conversation with the larger literature on secrecy in international relations and advances a common framework for understanding how both states and nonstate actors operate in this evolving domain.

Keywords: cyber warfare, secrecy, coercion, nonstate actors

Poznansky, Michael, and Evan Perkoski. (2018) Rethinking Secrecy in Cyberspace: The Politics of Voluntary Attribution. Journal of Global Security Studies, doi: 10.1093/jogss/ogy022 © The Author(s) (2018). Published by Oxford University Press on behalf of the International Studies Association. All rights reserved. For permissions, please e-mail: [email protected]

Introduction

Secrecy is a defining feature of cyberspace. Cyber intruders can frequently disrupt networks, steal financial assets, and conduct espionage without ever revealing their identities. Recent scholarship goes a long way toward explaining the consequences of rampant secrecy and deception in cyberspace, from the way it affects compellence and deterrence (Gartzke and Lindsay 2015; Lindsay 2015; Borghard and Lonergan 2017; Nye 2017) to its influence on the dynamics of conflict and escalation (Gartzke 2013; Buchanan 2017). Yet, while cyber intruders have ample opportunities to keep their sponsorship a secret, not all choose to take advantage. To the contrary, some willingly claim credit for their handiwork. For example, the group frequently rebrands websites with personal logos after intrusions (Smith 2016). They are not alone; SOBH Cyber Jihad, based in Iran, claimed credit for hacking into the control system of a dam in New York (Gosk, Winter, and Connor 2015), and the left behind a brazen message when they compromised the US Army’s public website in June 2015 (Vinton 2015).

Why do some actors claim responsibility for cyber operations while others opt for anonymity? To answer this question, we explore the logic of credit-claiming for two key sets of actors in cyberspace: states and politically motivated nonstate actors (hereafter, nonstate actors).1

1 We bracket nonstate actors without political motivations.

We argue that credit-claiming, including the manner in which culpability is communicated, depends on what the intruder wants to accomplish. For states, credit-claiming is most appealing during operations that require target compliance, otherwise known as cyber coercion. When states choose to make their identities known to coerce targets, they are more likely to do so privately since public credit-claiming raises the odds of escalation. Anonymity is most attractive during operations where success can be achieved without target compliance—cyber espionage and sabotage offer two such examples.

Nonstate actors operate according to a different logic. Drawing on insights from studies of armed and unarmed resistance, we argue that nonstate actors in cyberspace regularly claim credit for their intrusions in visible ways to signal credibility, influence public opinion, and grow their ranks. Owing to their relative weakness and obscurity, nonstate actors must first prove their capability before doing anything else.

This argument requires a conceptual shift in how we think about secrecy in cyberspace. Existing research typically treats secrecy as monolithic, but there are important distinctions worth bearing in mind. Perhaps most relevant is the difference between clandestine and covert operations (Kibbe 2007). The former refers to missions where secrecy and deception are employed to preserve the strategic advantages afforded by surprise (Axelrod 1979; Slantchev 2010). The latter involves the use of secrecy to conceal the sponsor of an operation (Forsythe 1992; Gibbs 1995; Downes and Lilley 2010; Poznansky 2015; Carson 2016). Importing this distinction to the cyber domain helps clarify when secrecy is an operational imperative and when it is a choice that actors make. In brief, the advantages afforded to targets who learn of imminent or ongoing operations mean that cyber intrusions will almost always be conducted clandestinely. Once an operation is complete, however, intruders are free to choose whether to claim responsibility. Put differently, cyber operations are almost always clandestine but not necessarily covert. The failure to recognize this distinction partly contributes to the widespread assumption that anonymity is an immutable feature of cyberspace rather than something actors select into.

Rigorously testing these claims would require access to the internal deliberations of state and nonstate actors to understand how decisions about credit-claiming are made. At present, this is a nearly impossible task (Buchanan 2017, 12). We are perhaps decades away from gaining access to the types of declassified documents necessary to evaluate the deliberations of states; the problem is even more acute for nonstate actors. As a second-best option, we leverage a range of sources—secondary materials, news reports, official government statements, and interviews—to assess the plausibility of our argument. Our study is closer to an exercise in theory construction than theory testing (Mahoney 2015, 201).

This article makes several contributions. First, it joins together a burgeoning literature centered on the dynamics of secrecy in world politics and another focused on cyber warfare. In the past, scholars have examined the importance of secrecy and private diplomacy during crisis bargaining (Baum 2004; Yarhi-Milo 2013; Brown 2014; Carson and Yarhi-Milo 2017), the role that covert action plays in managing escalation (Carson 2016), and the relationship between democratic peace theory and covert regime change (Downes and Lilley 2010; Poznansky 2015). These studies are tied together by an overarching focus on how actors use secrecy to pursue their political goals. Students of cyber warfare have done a commendable job analyzing the many challenges secrecy poses for perpetrator and victim alike (Gartzke 2013; Gartzke and Lindsay 2015; Lindsay 2015; Rid and Buchanan 2015; Buchanan 2017; Nye 2017) but have largely neglected the determinants of secrecy at the stage where sponsors can (dis)claim ownership of an operation.2 We address this issue directly.

2 For important exceptions, see Betz and Stevens (2011), Borghard and Lonergan (2017), and Libicki (2009).

Second, this study is among the first of which we are aware that considers the goals and constraints of the two most important actors operating in cyberspace—states and nonstate actors. Existing research tends to focus on the former (Gartzke 2013; Buchanan 2017; Borghard and Lonergan 2017; Nye 2017). But nonstate actors conduct cyberattacks at high rates and often in very visible ways. Moreover, their attack capabilities are growing and in some cases they “tak[e] tools and tricks from nation-states and unleash them on companies and organizations” (Stoller 2017). Ignoring nonstate actors or assuming that their strategic logic mirrors that of states is insufficient. Our approach is thus to ask the same questions for both sets of actors, reducing barriers that inhibit a more complete understanding of cyberattacks.

The Problem of Secrecy

The conventional view of a cyber operation is an intruder quietly penetrating a target’s network to collect information or cause damage, whether virtual or physical, without betraying their identity.3 This narrative—which assumes secrecy from start to finish—colors how the literature describes the challenges cyber operations pose. The relative ease with which perpetrators can surreptitiously penetrate networks and the difficulty of anticipating and defending against attacks underlies the notion that cyberspace is offense-dominant (Slayton 2017). Moreover, intruders’ ability to mask their identities makes it hard for victims to confidently attribute responsibility for cyberattacks (Rid and Buchanan 2015; Nye 2017, 49–52). According to Lindsay (2013), “[f]orensics takes months, whereas the anonymous attack can present itself and perhaps complete in milliseconds” (377). Although attribution techniques are constantly advancing and may be easier for high-scale, high-value attacks, assigning responsibility remains challenging and often requires using nontechnical clues like motive and opportunity (Lindsay 2015, 58).

3 See Buchanan (2017) for a summary.

The pervasiveness of secrecy in this domain also poses challenges for cyber coercion (Valeriano and Maness 2014; 2015, 79; Nye 2017, 55–56). Coercion requires victims to know who is making demands and what they are being asked to do (Schelling 1966). Anonymity is antithetical to this enterprise. As Gartzke (2013) once put it, “How does one surrender to no one in particular?” (47). Some scholars point out that perpetrators can enhance the credibility of coercive threats by making their identities known, a point we develop more fully below. But it remains unclear where in the course of an attack such pronouncements must be made (i.e., before, during, or after) and how that fits with what we know about secrecy requirements in cyberspace (Borghard and Lonergan 2017, 457–59; Libicki 2009, 50–51).4

4 Betz and Stevens (2011, 95) mention that claiming may be necessary but do not explain why.

While all of these studies seem to address the same basic phenomenon—secrecy—there are meaningful differences when it comes to what is being concealed during an operation and for what purpose. The next section explores these differences.

Disaggregating Secrecy

The US military and intelligence communities distinguish between two types of secret operations. The first are clandestine operations, or actions that are “sponsored or conducted by governmental departments or agencies in such a way as to assure secrecy or concealment.”5 Actors operate clandestinely when they wish to gain tactical advantages from the element of surprise (Axelrod 1979; Slantchev 2010). As an example, consider Operation Neptune Spear, the US Special Forces’ raid on Osama bin Laden’s compound in Abbottabad, Pakistan. While the raid itself was shrouded in secrecy, President Obama’s remarks to the nation afterward suggest that the purpose of secrecy was tactical, not political.

5 This is taken from the Department of Defense’s Dictionary of Military and Associated Terms, available at http://www.dtic.mil/doctrine/dod/dictionary/. Although this definition is focused on government entities, the same logic applies broadly.

The second type of secret operation is covert action, defined as “[a]n operation that is so planned and executed as to conceal the identity of or permit plausible denial by the sponsor.”6 While covert operations, like clandestine operations, rely on deception, the rationale is different: “A covert operation differs from a clandestine operation in that emphasis is placed on concealment of the identity of the sponsor rather than on concealment of the operation” (Gross 2009, 12). There are numerous reasons why actors might want to hide their role in an operation, including escalation concerns (Brown 2014; Carson 2016) and avoiding hostile reactions from domestic and international observers (Forsythe 1992; Gibbs 1995; Downes and Lilley 2010; Poznansky 2015; Carson and Yarhi-Milo 2017; Joseph and Poznansky 2017). A classic covert operation is the Bay of Pigs. Training fifteen hundred exiles to storm the shores of Cuba to overthrow Fidel Castro was a highly visible act; the sponsor, the United States, was supposed to remain hidden.

6 This is also taken from the Department of Defense’s Dictionary of Military and Associated Terms.

Figure 1. Clandestine and covert operations

Figure 1 presents four different combinations of secret operations with illustrative examples.7 Cases in the northwest quadrant include cyber intrusions that are planned and executed clandestinely and denied by the sponsor. These are what observers typically have in mind when discussing the attribution problem in cyberspace. The examples in the southwest quadrant are planned and executed in secret but claimed by the sponsor afterward. The attribution problem fails to materialize in these cases (Betz and Stevens 2011, 95). Examples in the northeast quadrant are covert because the sponsor denied complicity but are not clandestine since the activities themselves, typically performed by third parties, are not hidden. Examples in the southeast corner include large-scale wars. These are neither covert (the sponsor was known) nor clandestine (the wars were announced in advance).

7 The very existence of this two-by-two signifies that the main variants of secrecy may be used in combination with one another or separately. Covert and clandestine action are cousins, not synonyms.

Secrecy in Cyberspace

Students of cyber warfare rarely distinguish between clandestine and covert forms of secrecy. As such, most studies do not explicitly address where secrecy is a de facto requirement rather than a choice in the course of a cyberattack. Figure 2 portrays a stylized schematic of cyber intrusions, capturing two of the key inflection points where actors make decisions about secrecy.

Figure 2. The logic of secrecy in cyberspace

At T0, perpetrators decide whether to announce to the target that an attack is imminent or whether they will conceal the operational details as in a clandestine operation. In almost all cases, perpetrators will choose the latter. Doing otherwise is counterproductive since publicizing even the most basic details of a pending operation affords the target an opportunity to enact countermeasures. Announcing that “[you] will attack this network with this effect unless [the target] refrain[s] from X” would be “self-defeating” (Lindsay 2015, 55). Acting clandestinely raises the likelihood of success by denying victims the chance to take steps that might blunt the efficacy of the attack such as patching a vulnerability or cutting access to servers. This is perhaps most salient for zero day exploits that leverage a vulnerability currently unknown to the victim.8 Even when the perpetrator is not relying on zero days, they still will not want to announce the exact vector by which the intrusion will occur to avoid jeopardizing the operation.

8 For a discussion, see Lin (2010, 65n7).

Actors have the most agency when it comes to secrecy and deception after an attack occurs at time T1. Here, perpetrators must decide whether to proceed in a manner consistent with covert action (denying their role) or not (claiming it). Should a perpetrator choose to forgo plausible deniability, they must then decide how to communicate complicity. The first option, private acknowledgment, refers to a scenario in which an actor quietly alerts the victim of their identity (Libicki 2009, 50–51; Nye 2017, 51). Perpetrators can do this by leaving clues in the course of the attack—for example, leveraging a vector they have been known to use before, reusing code from a previous intrusion, or otherwise leaving signatures in the source code of . Or they might communicate through discreet diplomatic channels with a foreign counterpart (Borghard and Lonergan 2017, 459).

The second means of communicating complicity, public acknowledgment, refers to a situation where the perpetrator openly pronounces their identity to a much wider audience following an attack. They might make a public statement or alert the media of their culpability. Explaining why some actors intentionally dispense with anonymity—and, for those that do, whether they will credit-claim publicly or privately—is the focus of the next two sections. For now, it will suffice to point out that the attribution problem ceases to exist in cases where the perpetrator willingly makes their identity known.

Actors can, and often do, opt to act both clandestinely and covertly in the course of a single operation (Betz and Stevens 2011, 88). Our rationale for distinguishing between the two is to make clear that while clandestinity is a technical requirement of almost all cyber operations, the decision to act covertly is something perpetrators consciously select into. In other words, it is a political decision. This process has been ill-theorized owing to the failure to recognize that there are two different types of secrecy in cyberspace.9

9 Getting caught is still a real possibility, especially for larger operations (Lindsay 2015, 58).

In what follows, we use these distinctions to address our original puzzle regarding why some actors claim responsibility for operations while others choose to remain anonymous. The next section discusses the politics of credit-claiming for states. We then turn to nonstate actors, a neglected but important player in the cyberspace arena.

States and the Politics of Voluntary Attribution

Whether states are able to achieve their objectives without target compliance helps explain the decision to deny or embrace sponsorship of a cyber intrusion.10 If success is possible without the target consciously acceding to some demand, states will act covertly and hence anonymously. If the mission requires compliance of some kind, as is the case with coercion, states are more likely to make their identities known voluntarily; doing so may be critical to the success of the mission.11 In terms of how they eventually reveal complicity, we argue that states are most likely to use private channels and discreet communication.

10 This distinction is similar to the one Schelling (1966) draws between brute force and coercion. On how qualitatively different types of cyber operations have been conflated, see Betz and Stevens (2011, 81).

11 The need for target compliance is not the only factor underlying this decision. Whether the action itself violates longstanding norms, would trigger escalation, and the like may factor in as well.

When States Come Clean

When the success of state-sponsored cyber operations does not require target compliance, voluntary credit-claiming is unnecessary at best and counterproductive at worst. In these cases, we expect governments to preserve anonymity and avoid attribution if possible. Consider cyber espionage.12 Like any intelligence gathering effort, voluntary attribution would be disadvantageous. Should a perpetrator announce that they have penetrated an adversary’s network, they will jeopardize both their intrusion method and continued access without reaping any obvious benefit in return. Preserving anonymity is thus the preferred option for states interested in stealing secrets in cyberspace.

12 These qualify as computer network exploitation, or CNE (Nye 2017, 47).

Another class of cyber operations, political action and sabotage, is also best served by perpetual anonymity. Examples include operations to influence elections through disinformation campaigns, vote manipulation, and the destruction of physical equipment and critical infrastructure. Because the success or failure of these operations does not depend on the target consciously responding to specified incentives, the motivations for states to voluntarily claim credit should be correspondingly low.

The calculus changes when a cyber operation involves coercion, which requires victim compliance to be successful (Schelling 1966). When operations require that the target accede to a set of demands—either to do something (change the status quo) or to refrain from doing something (preserve the status quo)—states are likely to shun anonymity and engage in voluntary attribution. The success of coercive threats boils down to whether and how the sender can showcase credibility and resolve to a witting victim (Carson and Yarhi-Milo 2017). Remaining anonymous does little to advance these aims. As Liff (2012) notes, “[u]nder most circumstances, any would-be aggressor who does not identify itself forfeits the ability to coerce its adversary” (414). Anonymity makes it hard for targets to evaluate the credibility of a threat and the sender’s resolve. Credit-claiming is thus critical if cyber coercion is to have any chance of succeeding. Betz and Stevens (2011) hint at this: “[W]hen states use military cyber-power against other states for the purposes of compelling them to do their will, they still have to declare what it is (even after the event). There is no sneaky way around this fact” (95). It is worth reiterating, however, that this can only feasibly be done after the attack has ended. As discussed earlier, providing details beforehand could undermine the mission and render the coercive threat impotent.

Forgoing anonymity permits states to more effectively make coercive threats by demonstrating credibility and resolve in at least two ways. First, a claimed attack can function as a costly signal by showing the threatening party’s willingness to expend valuable resources in the hopes of gaining compliance from the target. According to Borghard and Lonergan (2017), “[t]he greater the cost to the initiating state of producing a given signal, ceteris paribus, the more effective the signal is as an indication of the initiating state’s resolve” (467).

Second, claiming credit for cyberattacks can build prestige, which we define as a reputation for cyber power.13 Prestige and power, though related, are not the same. The latter refers strictly to capabilities, which can never be fully observed in cyberspace owing to the premium placed on keeping these tools shrouded in secrecy. The former “refers primarily to the perceptions of other states with respect to a state’s capacity and willingness to exercise its power” (Gilpin 1981, 31).14 States who cultivate a reputation for cyber power may be able to persuade adversaries that their threats are credible even if they do not specifically outline the vector they intend to exploit or the zero day they plan to deploy if demands go unmet. A history of successful cyberattacks can offset the invisibility of a state’s arsenal.

13 This is a play on Gilpin (1981, 31).

14 Interestingly, even if actors do not willingly come clean, successful attribution can still bolster prestige. Consider the worm, allegedly manufactured by US and Israeli operatives and how it reflects on their cyber potential. As one Symantec director noted, “[i]t seems pretty reasonable to think that there are things out there today that we haven’t seen that are much more advanced [than Stuxnet]” (Szoldra 2016).

It is worth briefly outlining how the dynamics of cyber prestige and coercion could operate in practice. When the goal is to compel a target to alter their behavior, perpetrators may take offensive action in cyberspace, claim credit for it, and threaten future punishment should the target fail to comply. When the goal is to deter some action, perpetrators may similarly be able to take offensive cyber action, claim credit for it, and threaten future punishment should the target act in ways deemed undesirable by the sender. A more plausible situation in the case of cyber deterrence might entail the victim of a recent attack retaliating against the perpetrator, voluntarily claiming credit, and threatening future harm should there be any further attacks against them. In each of these scenarios, cyber coercion is possible to the extent that the target believes the sender’s promises of future pain are credible and that the threatener is resolved as a result of having claimed past attacks. It is “the threat of . . . more damage,” or the “expectation of more violence,” that may induce a target to give in (Schelling 1966, 3; emphasis in original).

There is obviously no guarantee that claiming credit for past attacks will generate the credibility necessary for coercion. If the target does not believe that the challenger has the ability or willingness to repeat similar or more painful attacks, issuing deterrent or compellent threats after claiming an intrusion with the promise of “more where that came from” won’t work. Nevertheless, we are skeptical that observers never update their beliefs about an actor’s capabilities and resolve, and opt instead to treat every attack as an isolated event. While Russia is unlikely to easily hack the Democratic National Committee again, for example, few observers doubt their capacity to carry out similar attacks in the future. Whether credible coercive threats will actually suffice to achieve concessions, while important in its own right, is a separate matter and depends on a complex cost-benefit calculation.

Escalation and the Means of Communication

This section focuses on the right-hand side of Figure 2, after an actor chooses to forgo plausible deniability (T1) and decides whether to claim responsibility publicly or privately. We argue that the unique dynamics of politically motivated, state-on-state cyber activity make public acknowledgment less attractive than private acknowledgment. There are several reasons for this.

As a general matter, opportunities for retaliation are higher when the actors involved are states. Unlike nonstate actors, states are stationary, immobile entities with numerous targets available to hit. Concerns about attacks against a state’s critical infrastructure have been likened to a potential “cyber 9/11” (Maxey 2017).15 Moreover, perpetrators that publicly announce sponsorship of a cyberattack put the victim—in many cases, a fellow state—in an unenviable position. Even if officials within the target government prefer not to respond, they may face pressure from various domestic constituencies to retaliate in kind against challenges to their state’s honor and prestige (Carson and Yarhi-Milo 2017, 135).

15 For further discussion, see Betz and Stevens (2011, 91–94). Some states are obviously less vulnerable than others. For instance, North Korea relies on little shared infrastructure and presents few high-value cyber targets, making it possible for them to operate with a greater chance of impunity, at least on the cyber side (Sanger, Kirkpatrick, and Perlroth 2017).

Because the victims of publicly claimed, state-sponsored cyberattacks typically have both the opportunity to retaliate as well as strong domestic-level pressures to do so, nation-states interested in cyber coercion face powerful incentives to quietly claim their actions using private channels. While credit-claiming in private lacks the broader prestige benefits associated with publicity and limits the audience observing an operation’s (physical) costly signals, it may nonetheless afford states an opportunity to engage in coercive diplomacy at reduced risk. Recent scholarship shows that states often face powerful incentives to collude with one another in acts of secrecy. For example, Carson (2016) argues that states may opt not to publicize the covert military actions of their rivals even when they are targeted as a way of keeping conflicts limited and contained. A similar logic should apply to discreet attempts at coercion in cyberspace.

One risk of private acknowledgment is that the victim will “out” the perpetrator by publicly announcing the occurrence of an intrusion and offering proof that the attacker sought to privately attribute themselves. While this is always a possibility, such concerns may not wholly disincentivize states from pursuing private acknowledgment. First, admitting that networks have been compromised can be embarrassing for victims, creating incentives for the aggrieved to maintain the fiction that they have not been attacked or, short of that, to deny knowledge of who attacked them (Rid 2012, 28–29). This, in turn, can motivate perpetrators to quietly come clean with little fear of being exposed by the victim. Second, when victims have the capacity to out a state
pursuing private diplomacy, the credibility of the sender’s threats and the prospects for concessions actually increase.16 This dynamic depends on several conditions, in particular the costs of exposure outweighing the benefits of duplicity (Yarhi-Milo 2013, 407).

16 See also Carson and Yarhi-Milo (2017, 135).

Nonstate Actors and the Politics of Voluntary Attribution

The discussion so far has focused on the conditions under which states will claim credit for cyberattacks and why they are more likely to do so privately. This is important for obvious reasons.17 However, nonstate actors dominate the empirical record of credit-claiming in cyberspace. In what follows, we explain why nonstate actors commonly claim attacks and why they tend to do so publicly.

17 On the importance of states for politics, see Rovner and Moore (2017).

Drawing on insights from the study of armed and unarmed resistance, we hold that nonstate actors in cyberspace share a host of similarities with other nonstate organizations that seek to effect political change through violent and nonviolent means (Nye 2010; Asal et al. 2016). Regardless of their method of contention, nonstate actors are agents of change operating in a structural environment in which they are severely disadvantaged. These groups wield significantly fewer resources than states—financial, material, and otherwise—and their capabilities are consequently more constrained and more uncertain. In addition, what few capabilities nonstate actors do possess are in large part a function of the number of participants they can organize. This is especially true for nonviolent groups whose strength is most directly correlated with participation, though similar dynamics apply to violent resistance as well (Asal and Rethemeyer 2008; Chenoweth and Stephan 2011). The same basic logic extends to nonstate actors operating in cyberspace. One of the most common tools in a group’s cyber arsenal, the distributed denial of service (DDoS) attack, grows stronger with every additional user.18

18 To be sure, there are notable differences as well. We have yet to see cyber warriors espouse goals similar to their counterparts in more conventional domains (e.g., goals like secession and religious dominance). Cyber warriors also rarely risk their lives, though it would be wrong to say their activities are risk-free. Indeed, they might trade bodily injury for prison time.

Our primary claim is that nonstate actors are more likely than states to brazenly claim cyberattacks. Not only does this help showcase their capabilities, but the media attention can help attract new members to the cause. Additionally, since it is often difficult to bring these groups to justice, organizations like Anonymous, Lulzsec, and others face reduced incentives to keep quiet about their operations.19 In sum, complicity is a critical component of nonstate actors’ strategic logic and they commonly announce sponsorship of cyberattacks as a result.

19 To the extent that they run the risk of capture, however, the credibility of their signals goes up.

The Appeal of Credit-Claiming

Nonstate actors typically have coercive objectives. As Schelling wrote in 1973, “[p]olitical violence, like political nonviolence, usually has as its purpose making somebody do something or not do something or stop doing something. The aim is to influence behavior.”20 In a broad sense, their goals are comparable to those of states seeking to alter the behavior of their adversaries.

20 Quoted in Sharp and Finkelstein (1973, xx).

Above, we argue that a key component of coercion is credibility: can actors issuing coercive threats make good on their promises of more pain if the target resists? This is especially difficult for nonstate actors (Hoffman and McCormick 2004; Kydd and Walter 2006; Dannenbaum 2011). They cannot put on military parades to show off their latest weaponry,21 do not have the means to finance modern military forces,22 and lack the resources—territorial, bureaucratic, and financial—of states. It is easy to dismiss the demands of nonstate actors as inconsequential chatter.

21 Doing so might expose their position and invite unwanted risk.

22 One of the only known nonstate armed groups with any semblance of an air force or navy is the LTTE in Sri Lanka, although even then it was primitive.

Given these deficits, the issue of how to boost credibility features centrally in the strategic logic of politically motivated nonstate actors. As with states, one way to demonstrate capabilities and resolve is to take action perceived as a costly signal. According to Kydd and Walter (2006), “[b]ecause it is hard for weak actors to make credible threats, terrorists are forced to display publicly just how far they are willing to go to obtain their desired results” (50). Similarly, Abrahms (2013) writes that “[t]errorism ... adds credibility to threats by showing that nonstate challengers possess the power to hurt” (661).

For nonstate cyber warriors, sending costly signals to bolster credibility may include defacing government websites, launching distributed denial of service attacks, and so forth. In other words, they are likely to take actions that prove their ability to cause pain or at least disrupt and inconvenience their targets. Although temporarily compromising access to a website will not pack the same symbolic punch as a terrorist attack, employing increasingly sophisticated cyber operations and exploiting consequential vulnerabilities helps nonstate groups elevate the costliness of their signals and more readily demonstrate credibility and resolve (Borghard and Lonergan 2017, 466–67).

groups are often interested in sending a message not just to adversarial governments but to their populations as well. The target of an attack may be symbolic, if not altogether random, while the physical (or digital) action aims to scare, intimidate, punish, and coerce a broader audience into compliance (Schmid 2004). As Crenshaw (1981) notes in a related context, “[t]he victims or objects of terrorist attack have little intrinsic value to the terrorist group but represent a larger human audience whose reaction the terrorists seek” (379).
A history of successful attacks by a nonstate group Ultimately, terrorists target the public since they are can also help cultivate their prestige in much the same too weak to confront the state head-on. The same should way it does for states. As such, nonstate actors stand be true of nonstate actors in cyberspace since these to lose by not identifying their organization as respon- groups face comparable disadvantages. For such a strat- sible for an attack. Failing to communicate culpabil- egy to work, however, communication cannot be private; ity negates an operation’s objectives and precludes non- it must be visible, clearly attributed, and widely known state actors from reaping signaling and reputational to the government and public alike. benefits that are critical to successful coercion. With- A second reason nonstate actors in cyberspace prefer out knowing who to blame, states and their popula- public methods of claiming credit turns on their desire to tions cannot update their beliefs about an organiza- attract new recruits. Like their traditional counterparts, tion’s intentions and capabilities.23 It should therefore these actors are interested in survival and growth. Ac- come as no surprise that nonstate actors often rush to cording to Pape (2005), “terrorism has two purposes—to claim attacks, even claiming some that are not their gain supporters and to coerce opponents. Most terrorist own (Bloom 2005, 78–79).24 campaigns seek both goals to some extent, often aiming to change the target state’s policies while simultaneously mobilizing support and recruits for the terrorists’ cause” Maximizing Publicity (7). Nonstate actors in cyberspace also aim to attract The notion that nonstate actors are more likely to claim new members as a way to propagate their organization attacks to showcase their capabilities and resolve mir- (Abrahms 2008, 379) and augment their coercive abil- rors a similar motivation among states interested in cy- ity. 
It is well established that the power of civil resistance ber coercion. Where the two diverge is in the preferred flows from mobilization numbers, and the same goes for method of claiming. Several factors make nonstate ac- organizations in cyberspace. When it comes to their oper- tors more likely to choose public rather than private ating methods, these groups favor tactics that grow more acknowledgment. powerful with additional bots and active supporters. The One reason nonstate cyber warriors crave the lime- strength of DDoS operations, for instance, is linked to the light hinges on the audiences they seek to influence. These number of machines involved (Ghosemajumder 2016).25 23 It is worth noting, however, that these groups may The Low Orbit Internet Cannon (LOIC) and related vari- still exploit clandestinity in the lead up to a violent at- ants draw strength from those who download the appli- tack. The 9/11 attacks, which were clandestine but not cation and flood a server.With more members at their dis- covert, illustrate this point. posal, groups are able to launch increasingly formidable 24 Recent research suggests that, contrary to conven- cyber operations.26 tional wisdom, terrorists groups do sometimes face in- centives to forgo credit-claiming. Abrahms and Conrad (2017) argue that this is particularly likely when lower- 25 On the determinants of DDoS attacks, see Asal et al. level operatives conduct indiscriminate attacks that (2016). might generate tension with local populations. Since 26 It is true that many intrusion methods are largely un- local support is inconsequential to cyber operatives, connected to participation. Stuxnet comes to mind who are by and large unconnected to civilian popula- as an operation where a small team of sophisticated tions, we do not expect this dynamic to translate to cy- operatives was critical, rather than a large network of berspace. Rather, we expect nonstate actors to not only supporters. 
So far, however, politically motivated non- claim their attacks, but to do so loudly and publicly as state actors have tended to embrace less sophisticated well (see next section). operations. 410 Rethinking Secrecy in Cyberspace

Plausibility Probes

A lack of readily-accessible decision-making documents complicates rigorous empirical tests of our argument. If we are right that state-sponsored cyber operations involving espionage and sabotage are prime candidates for secrecy before, during, and after execution, it might be decades or longer before relevant materials are declassified.27 While coercive cyber operations are more likely to involve credit-claiming, the advantages of claiming attacks privately also impede observation. In fact, outsiders might be unable to discern differences between victims who are truly ignorant of their attacker’s identity and those that feign ignorance while privately communicating with their attackers.

As a second-best strategy, we examine publicly available sources including news reports and a range of secondary materials to provide a preliminary test of our argument. We also conduct two interviews: one with a former Defense Department official involved in cyber policy and one with a former member of Anonymous. These helped corroborate what we found in the public record.

States

We were unable to find a single case of a state claiming credit for a cyber espionage operation, either openly or privately. Rather, the cases that have inadvertently come to light underscore the vigor with which states seek to avoid being named. China’s hack into the Office of Personnel and Management’s database wherein the records of millions of federal US employees were stolen is illustrative (Nakashima 2015). In the aftermath of the intrusion, Chinese officials denied complicity, placing blame on criminal . They even went so far as to claim that they had arrested individuals who were connected with the hack (Chalfant 2017).28 Another example is Russia’s alleged interference in the 2016 US election. The “theft of research and emails from the Democratic National Committee” for the purposes of embarrassing the Democratic Party and Hillary Clinton—the heart of Russia’s disinformation campaign—was, like China’s OPM hack, denied by the Russian government (Sanger 2016).29 When asked in March 2017 about whether Russia was behind the efforts to discredit Hillary Clinton, Putin responded with “Read my lips: No” (Lister, Ilyushka, and Gigova 2017). When it comes to cyber espionage, there is no benefit to be had from credit-claiming.

Stuxnet provides a useful illustration of why decision-makers sometimes cling to anonymity and, more interestingly, the conditions under which they might be willing to voluntarily claim credit.30 Stuxnet, formally known as “Olympic Games,” was an operation allegedly carried out by the United States and Israel to disrupt and degrade Iran’s nuclear program by destroying centrifuges at Natanz enrichment plant (Farwell and Rohozinski 2011). The aim was to make the Iranians believe their centrifuges were failing for reasons other than foreign interference. Sanger (2012) writes the following: “When the centrifuges first began crashing in 2008 at the Natanz enrichment center, the crown jewel of the Iranian nuclear program, the engineers inside the plant had no clue they were under attack. That was exactly what the designers of the world’s most sophisticated cyberweapon had planned.” He continues that “[t]he idea, hatched in Washington and Jerusalem, was to make the first breakdowns seem like random accidents and small ones at that” (188).

Sanger’s interviews with government officials confirm that the operation was supposed to leave no trace of US fingerprints: “The most elegant cyber weapons are a lot like the most elegant bank frauds. . . . They work best when the victim doesn’t even know he’s been robbed” (190–91). It is clear from this account that the United States kept both the operation and their sponsorship intentionally hidden, as our argument predicts. The success or failure of the operation did not depend on Iran changing their behavior, but simply hinged on the quiet destruction of centrifuges.

Interestingly, though, some US operatives contemplated quietly alerting the Iranians that the United States was responsible for the attack. Their apparent rationale conforms to our theoretical expectation. Ostensibly, the goal would have been to send a message to Tehran that the United States had the ability to keep targeting their systems, presumably as a way of achieving concessions on the nuclear program. According to Sanger (2012), “[a]t both the Pentagon and inside the intelligence agencies some of the creators of the bug believed that it might be even more valuable if the source of the attacks became known, because the Iranians would get the message that Washington could pierce its systems repeatedly.” One official directly involved in decision-making noted, “[w]e had to be ready to work in an environment where the Iranians knew exactly who was doing this to them, to make the point that we could come back and do it again” (203). In short, some policymakers believed they could more easily alter the Iranian regime’s behavior by embracing responsibility and proving that they could bring more pain to bear should they continue down the path of nuclearization.31

More recent examples suggest that states are thinking hard about voluntarily claiming credit for their cyber operations in the service of coercion. In late September 2017, it came to light that the Trump administration authorized US Cyber Command to carry out a range of limited cyberattacks against North Korea’s Reconnaissance General Bureau intended to interfere with Internet access (DeYoung, Nakashima, and Rauhala 2017). Most importantly, the cyber operation involved alerting the North Koreans that the United States was behind the attacks to convey a more muscular US posture and perhaps to persuade Kim Jong Un to moderate his foreign policy.32 Panda (2017) argues that the United States had “take[n] the cyber equivalent of a shot across North Korea’s bow, presumably signaling that it has the requisite access to North Korean networks to deliver considerably more significant damage in wartime.” Since North Korea is not wanting for enemies, it seemed to serve US objectives to let their complicity be known, thereby reducing ambiguity about what behavioral changes were expected from the Kim regime.

Further evidence for our theory comes from recent statements by Shawn Turskey, the executive director of US Cyber Command. His comments from 2016 indicate that the United States government is contemplating ways to leverage cyber capabilities for coercive purposes, specifically through intentional credit-claiming. Turskey declared the following:

In the intelligence community you never want to be caught, you want [to] be low and slow, you never really want to be attributed. . . . But there’s another space over here, where maybe you definitely want to be louder, where attribution is important to you and you actually want the adversary to know. (Bing 2016, emphasis added)

These remarks are noteworthy for several reasons.33 Chief among them is the prospect of the world’s lone superpower developing an arsenal of cyber weapons with a return address. The fact that loud, attributable weapons are being discussed at all is at odds with the typical portrayal of cyberspace as a domain defined by secrecy and anonymity. Yet, it is easier to understand why Turskey is contemplating this shift once we come to terms with the mechanics of cyber coercion. Leveraging cyber assets for coercive purposes, rather than espionage or sabotage—which fits more readily within the purview of the military as opposed to the intelligence community—requires credible self-attribution. Developing tools that erase doubt about who conducted a particular intrusion contributes to this goal (Lin 2016).

Michael Sulmeyer, the former director for Plans and Operations for Cyber Policy in the Office of the Secretary of Defense, affirmed this sentiment in an interview for this article. Echoing the idea that cyber weapons can and should be embraced for more traditional purposes, he highlights the following:

It is important for the United States to invest in capabilities that not only help it improve its espionage activities against adversaries, but also that help it prevail in the event of hostilities with adversaries. When operating in the realm of the second objective, it can be beneficial for the United States to take responsibility for its actions publicly—not to advance tactical, technical objectives but to intimidate and signal that the actions being experienced are being delivered courtesy of the USA, and that the adversary should expect more to follow unless it complies.34

Taking responsibility, as Sulmeyer suggests, provides America’s adversaries the chance to understand the extent of their cyber power. Similar to Turskey, Sulmeyer anticipates that more voluntary credit-claiming may be on the horizon:

27 This is especially true when it comes to documents pertaining to intelligence activities, which may stay classified for longer owing to concerns about sources and methods.
28 See also Yan (2015). While it is technically possible that Chinese officials privately communicated complicity to the United States, this is unlikely since it serves no real strategic purpose.
29 One might reasonably categorize this episode as political action wherein the Russians disseminated stolen information to relevant entities who could use it to discredit Hillary Clinton. Even if so, this type of action would qualify as a classic covert operation, and thus we would still expect Russian denials.
30 For a full-length treatment of the dynamics underlying the operation, see Lindsay (2013) and Rid (2012).
31 One interesting avenue for future research is to explore how the desire to claim credit for certain operations, especially sabotage, may be driven in part by which agency is responsible for conducting the attack. We might expect, for example, the military to more readily embrace complicity and the intelligence community to do the opposite.
32 The White House and Cyber Command declined to comment, but a senior administration official told the Washington Post that “[w]hat I can tell you is that North Korea has itself been guilty of cyberattacks, and we are going to take appropriate measures to defend our networks and systems” (DeYoung et al. 2017).
33 For a discussion of these comments, see Lin (2016).
34 Interview with authors, October 26, 2017.

To be sure, this signal could be missed or dismissed—and a mere tap on the digital shoulder clearly would not suffice for such a signal to be internalized. But why go through all the effort to hide every action every time in this context? That’s an unnecessary additional burden in a war fight. If there are a suite of capabilities that can help our forces be more agile during hostilities, I would hope they are on the table for our commanders and leaders in the future.35

Nonstate Actors

The empirical pattern of cyberattacks by nonstate actors differs from what we observed for states. These actors frequently claim credit for their cyberattacks in very public ways. Much like terrorist attacks, these operations almost always entail a political message intended to alter public opinion, change government policies, and the like. A cyberattack carried out by the Syrian Electronic Army against the US Army’s website showcases these dynamics. After posting a political message on the website stating “Your commanders admit they are training the people they have sent you to die fighting,” the hackers posted messages on Twitter claiming responsibility for the intrusion (Vinton 2015). Quietly alerting the US Army that the Syrian Electronic Army was behind the attacks would have undermined the strategic motivations underlying the entire operation, namely bolstering their reputation as a group that deserves respect and sending a clear message with the intention of affecting public opinion and altering policy. The attack was not cost-free either; several hackers from the Syrian Electronic Army were identified and eventually placed on the FBI’s most-wanted list (Temperton 2016).

For a more complete picture of the decision-making process for nonstate actors in cyberspace, we briefly examine one of the most well-known organizations: Anonymous. Its evolution from an organization that conducted cyber operations simply for the “lulz” to one that engaged in political activism is beyond the scope of this article (Olson 2012; Coleman 2014). Anonymous’ behavior following this shift, though, sheds light on the group’s political strategy and how publicity and attention serve their goals.

A cursory overview of Anonymous’ exploits over the years shows that the group commonly claims credit publicly for its operations. In late March 2016, Anonymous targeted roughly twenty Angolan government websites in response to the arrest of several activists. Prior to carrying out the attack, they posted details about the websites they intended to target (British Broadcasting Company 2016). In one of their biggest and best-known campaigns, Operation , the group first put out a press release via YouTube36 before launching a series of DDoS attacks that took down numerous government-linked websites. This was part of a broader operation intended to assist protesters and weaken the government of Ben Ali. Most relevant for our purposes, the group issued a clear coercive threat: “This is a warning to the Tunisian government: attacks at the freedom of speech and information of its citizens will not be tolerated. . . . Free the net, and the attacks will cease, keep on that attitude and this will just be the beginning.”37 In another high-profile incident, Anonymous targeted the Church of Scientology. As before, the attack began with a YouTube press release38 and proceeded with a series of DDoS attacks, doxing, and more press releases and media statements. In line with our expectations, the IT company hired by the Church of Scientology implored them to simply ignore the attacks: “Don’t issue warnings or threats to the attackers via the media; this will only keep the issue alive, raise tempers, and greatly increase the possibility of another assault. Most DDoS attackers seek publicity, so don’t hand it to them on a silver platter.”39 Their solution was to deprive Anonymous of what it wanted most, namely attention.

This strategy of pursuing highly visible, self-attributed missions served at least three functions. First, Anonymous used these operations to ensure that they were taken seriously and that their coercive threats were not ignored. Establishing their capabilities, resolve, and credibility by conducting attacks with clear attribution contributed to this effort. This was explicit in their internal conversations during the operation against the Church of Scientology. As one member put it, “I think it’s time for [us] to do something big. People need to understand not to f*** with [Anonymous].”40 These and other attacks proved somewhat successful. Outside observers came to understand that they should not dismiss the group’s threats. Eventually, “[t]he attack on HBGary had excited news reporters so much that any hint of an Anonymous threat suddenly had a veneer of credibility” (Olson 2012, 177).

Second, Anonymous recognized that part of their strategy revolved around the public. During Operation Payback in 2010, which aimed to promote Internet privacy by targeting antipiracy groups, members of Anonymous ardently debated this component of their strategy. Support eventually developed for one member who claimed that “. . . these attacks are less about hurting the business than drawing attention and forcing the media to cover the story. . . . The point for me is that this is the technological way of mass protesting that’s actually effective.”41 Getting their message out to the public to garner attention became a core objective.

Anonymous’ operations often did more than just influence the public indirectly via messaging; sometimes the public was the direct target of attacks. Anonymous, like most terrorist groups, eventually had to reconcile with the fact that targeting innocent civilians might be useful for achieving their aims. This issue came to a head during Operation BART (Bay Area Rapid Transit), when members leaked information on individual passengers, including credit card numbers and other details from the company’s website. When asked about the incident by a reporter, a senior member replied, “[h]ow else do you get the world to respond and secure your information? How else do you get these companies and these big governments to keep your information, the information you give them voluntarily, safe? I think we got our message across, and I’ll bet you one thing: I’ll bet you they fix that.”42 Anonymous’ symbolic, essentially random targeting was part of a broader campaign to influence public opinion and achieve political change. Their cyberattacks were acts of coercion that bore a striking resemblance to the strategic logic of militant organizations.

Finally, Anonymous’ cyber behavior was often geared toward generating new members and deepening support among their base. In an interview conducted for this article, we asked Hector Monsegur, a former leader of Anonymous known as Sabu, why the group was so eager to publicly claim their operations. As he put it,

At the time of its height (not so much now) Anonymous had gained huge successes in publicizing its protests, hacks, and engagements. They were masterful in the distribution of content, and the media truly ate it up for several reasons:

It was neatly packaged and ready for distribution, the hackers were willing to give interviews, and of course the mystery element. The whole thing about the mask and shadowy figures really “sells” the concept. As Anonymous grew in action, it also grew in numbers and support . . .

The truth of the matter is that Anonymous needed the media to grow, and this explains why many of the things we did were really attention-grabbing. It served a purpose. It’s very similar to branding and how companies slip in their products into film, or events in general, even if each engagement or hack had different motivations.43

In her research on Anonymous, Coleman (2014) expands on this point: “[W]ithout the appearance of a critical mass, the operation would have likely lacked moral gravitas and authority. In this case, strength in numbers conveyed a potent message” (138). Expanding their membership didn’t just provide Anonymous legitimacy; it provided additional capability as well. While many of Anonymous’ DDoS campaigns relied on botnets to create their desired effect, individual users sustained those attacks that used the freeware LOIC, a staple of the group’s earlier activity. This required the group to invest time in assisting new members with the software. Olson (2012) points out that the group felt it was worth it to take the time “getting the [new members] on board to create an army” (65).

Ultimately, it was in Anonymous’ interest to take credit for their cyber operations through highly visible, public means of communication. Doing so rewarded their efforts significantly and was instrumental to their strategic logic. Whether the target was the Tunisian government or the Church of Scientology, the attention they received bolstered their particular brand of coercion. This strategy resembles the brands of coercion of online actors using “weapons of the geek” and of groups using violent and nonviolent tactics of resistance (Coleman 2014, 107).

Cybercrime and Cyber Blackmail

Before concluding, it is worth flagging two types of cyber operations perpetrated by state and nonstate actors alike that are unlikely candidates for voluntary attribution. The first are operations involving theft of financial or intellectual assets. These are among the most common kind of cyberattack and are ill-served by credit-claiming. Malicious actors that leverage cyber assets for criminal purposes, such as stealing money from banking institutions, have little incentive to self-attribute. Doing so would provide little benefit and expose them to potential prosecution. While nonstate actors most commonly conduct these kinds of attacks, states may as well. For example, North Korea was identified as the responsible party in a cyber heist against Bangladesh’s central bank. Unsurprisingly, Pyongyang has denied any involvement in the theft of roughly US$81 million (Finkle 2017).

35 Interview with authors, October 26, 2017.
36 See https://www.youtube.com/watch?v=BFLaBRk9wY0.
37 Quoted in Coleman (2014, 149).
38 See https://www.youtube.com/watch?v=JCbKv9yiLiQ.
39 Quoted in Olson (2012, 89).
40 Quoted in Olson (2012, 2).
41 Quoted in Coleman (2014, 132).
42 Quoted in Coleman (2014, 307).
43 Interview with authors, October 30, 2017.

A second unlikely candidate for voluntary attribution is what we might call “cyber blackmail,” or operations in which the perpetrator leverages stolen assets, embarrassing secrets, and the like to achieve compliance from the victim without having to reveal their true identity.44 These operations are particularly interesting in that success requires target compliance—which we argue should lead to credit-claiming—but the perpetrator can remain behind a mask. By selectively releasing compromised information and assets to the victim publicly or privately (Lindsay 2015, 57), the perpetrator may be able to force compliance while remaining anonymous or hiding behind front groups.

This dynamic approximates what might have happened during the Sony hack, in which the “Guardians of Peace” (#GOP) issued an explicit compellent threat against Sony in an attempt to prevent the company from releasing The Interview, a comedy satirizing North Korea’s leader Kim Jong Un. In the event that Sony failed to comply with #GOP’s demands, the group threatened to release proprietary information and potentially embarrassing e-mail correspondences between high-level employees. Although North Korea was widely suspected of sponsoring the attack, the regime denied any involvement. Nonetheless, the attack partially succeeded in coercing Sony without the government having to explicitly take credit.45 We believe that the attack was partially successful as a result of Sony’s understanding that certain assets (personal e-mails, financial records) had indeed been compromised and would be released should they fail to comply.

Conclusion

This article draws on existing theory to develop an explanation for why states and politically motivated nonstate actors might voluntarily claim credit for their attacks. We argue that the goals of an operation as well as the characteristics of the perpetrator drive both the decision to claim credit as well as the manner in which culpability is communicated. This research has several important implications. First, we show how states and nonstate actors share a common set of choices with regards to secrecy in cyberspace. Both face the same decisions at the same points in the life cycle of a cyberattack, yet the characteristics of each can cause their strategies to diverge, particularly when it comes to the optics of credit-claiming. Future research should continue to investigate how the characteristics and operational and strategic goals of cyber actors influence the look and feel of their cyber actions.

Second, existing research often treats cyber operations as distinct from more traditional elements of state power. Although there are differences, the framework developed here suggests that states may be able to leverage cyber assets to achieve many of the same goals most frequently pursued with conventional forces. Scholars have pushed back against this idea for a variety of reasons, one being the attributional difficulties of cyber operations. But states need not conceal their complicity in perpetuity. By relaxing this assumption, we can more easily see how these operations fit into a state’s coercive toolkit. One area ripe for future research is the efficacy of coercion in cyberspace, both on its own and in comparison to more conventional methods.

Finally, while inferring intentions from behavior is problematic, actors’ decisions to privately or publicly acknowledge sponsorship of an attack may provide crucial information about motives and identity. Clinging to covert forms of secrecy after the completion of an attack might highlight a set of plausible underlying motivations for the initial intrusion, including espionage, cybercrime, and the like. Conversely, if the actor does come clean, it might be appropriate to infer that credibility, prestige, or coercion was the true goal. In the information-starved domain that is cyberspace, these clues may be all there is when designing policies and crafting responses.

Acknowledgements

This is one of several collaborative projects by the authors, and the ordering of names follows a principle of rotation. We are grateful to Joseph Brown, Ben Buchanan, Ryan Evans, Robert Jervis, Joseph LaPalombara, Herb Lin, Jon Lindsay, Joseph Nye, Joshua Rovner, and Michael Sulmeyer for helpful comments, suggestions, and insights. An earlier version of the argument presented here appeared in War on the Rocks.

44 A related tactic that might incentivize target compliance without voluntary attribution involves the use of ransomware. A recent example of this was the WannaCry attack in May 2017 (Perlroth and Sanger 2017).

45 We refer to this as a partial success since Sony ultimately released The Interview after initially delaying in the immediate aftermath of the hack.

References

Abrahms, Max. 2008. “What Terrorists Really Want: Terrorist Motives and Counterterrorism Strategy.” International Security 32 (4): 78–105.
——. 2013. “The Credibility Paradox: Violence as a Double-Edged Sword in International Politics.” International Studies Quarterly 57 (4): 660–71.

Abrahms, Max, and Justin Conrad. 2017. “The Strategic Logic of Credit Claiming: A New Theory for Anonymous Terrorist Attacks.” Security Studies 26 (2): 279–304.
Asal, Victor, Jacob Mauslein, Amanda Murdie, Joseph Young, Ken Cousins, and Chris Bronk. 2016. “Repression, Education, and Politically Motivated Cyberattacks.” Journal of Global Security Studies 1 (3): 235–47.
Asal, Victor, and R. Karl Rethemeyer. 2008. “The Nature of the Beast: Organizational Structures and the Lethality of Terrorist Attacks.” Journal of Politics 70 (2): 437–49.
Axelrod, Robert. 1979. “The Rational Timing of Surprise.” World Politics 31 (2): 228–46.
Baum, Matthew. 2004. “Going Private: Public Opinion, Presidential Rhetoric, and the Domestic Politics of Audience Costs in U.S. Foreign Policy Crises.” Journal of Conflict Resolution 48 (5): 603–31.
Betz, David J., and Tim Stevens. 2011. Cyberspace and the State: Toward a Strategy for Cyber Power. New York: Routledge.
Bing, Chris. 2016. “U.S. Cyber Command Director: We Want ‘Loud,’ Offensive Cyber Tools.” FedScoop, August 30. https://www.fedscoop.com/us-cyber-command-offensive-cybersecurity-nsa-august-2016/.
Bloom, Mia. 2005. Dying to Kill: The Allure of Suicide Terror. New York: Columbia University Press.
Borghard, Erica D., and Shawn W. Lonergan. 2017. “The Logic of Coercion in Cyberspace.” Security Studies 26 (3): 452–81.
British Broadcasting Company. 2016. “‘Anonymous’ Hackers Cyber-Attack Angolan Government.” BBC News, March 30. https://www.bbc.com/news/world-africa-35927474.
Brown, Jonathan N. 2014. “The Sound of Silence: Power, Secrecy, and International Audiences in US Military Basing Negotiations.” Conflict Management and Peace Science 31 (4): 406–31.
Buchanan, Ben. 2017. The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations. Oxford and New York: Oxford University Press.
Carson, Austin. 2016. “Facing Off and Saving Face: Covert Intervention and Escalation Management in the Korean War.” International Organization 70 (1): 103–31.
Carson, Austin, and Keren Yarhi-Milo. 2017. “Covert Communication: The Intelligibility and Credibility of Signaling in Secret.” Security Studies 26 (1): 124–56.
Chalfant, Morgan. 2017. “FBI Arrests Chinese National Linked to OPM Hack Malware.” The Hill, August 24. http://thehill.com/policy/cybersecurity/347897-fbi-arrests-chinese-national-linked-to-opm-hack-malware-report.
Chenoweth, Erica, and Maria J. Stephan. 2011. Why Civil Resistance Works: The Strategic Logic of Nonviolent Conflict. New York: Columbia University Press.
Coleman, Gabriella. 2014. , Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. London: Verso.
Crenshaw, Martha. 1981. “The Causes of Terrorism.” Comparative Politics 13 (4): 379–99.
Dannenbaum, Tom. 2011. “Bombs, Ballots, and Coercion: The Madrid Bombings, Electoral Politics, and Terrorist Strategy.” Security Studies 20 (3): 303–49.
DeYoung, Karen, Ellen Nakashima, and Emily Rauhala. 2017. “Trump Signed Presidential Directive Ordering Actions to Pressure North Korea.” Washington Post, September 30. https://www.washingtonpost.com/world/national-security/trump-signed-presidential-directive-ordering-actions-to-pressure-north-korea/2017/09/30/97c6722a-a620-11e7-b14f-f41773cd5a14_story.html.
Downes, Alexander B., and Mary L. Lilley. 2010. “Overt Peace, Covert War?: Covert Intervention and the Democratic Peace.” Security Studies 19 (2): 266–306.
Farwell, James P., and Rafal Rohozinski. 2011. “Stuxnet and the Future of Cyber Warfare.” Survival: Global Politics and Strategy 53 (1): 23–40.
Finkle, Jim. 2017. “Cyber Security Firm: More Evidence North Korea Linked to Bangladesh Heist.” Reuters, April 3. https://www.reuters.com/article/us-cyber-heist-bangladesh-northkorea/cyber-security-firm-more-evidence-north-korea-linked-to-bangladesh-heist-idUSKBN1752I4.
Forsythe, David P. 1992. “Democracy, War, and Covert Action.” Journal of Peace Research 29 (4): 385–95.
Gartzke, Erik. 2013. “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth.” International Security 38 (2): 41–73.
Gartzke, Erik, and Jon R. Lindsay. 2015. “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace.” Security Studies 24 (2): 316–48.
Ghosemajumder, Shuman. 2016. “Here’s Why Massive Website Outages Will Continue Happening.” Recode, October 24. https://www.recode.net/2016/10/24/13393922/ddos-attack-denial-service-cybercriminals-hackers.
Gibbs, David N. 1995. “Secrecy and International Relations.” Journal of Peace Research 32 (2): 213–28.
Gilpin, Robert. 1981. War and Change in World Politics. Princeton, NJ: Princeton University Press.
Gosk, Stephanie, Tom Winter, and Tracy Connor. 2015. “Iranian Hackers Claim Responsibility for Cyberattack on New York Dam.” NBC, December 23. https://www.nbcnews.com/news/us-news/iranian-hackers-claim-cyber-attack-new-york-dam-n484611.
Gross, Richard C. 2009. “Different Worlds: Unacknowledged Special Operations and Covert Action.” Technical report, Strategy Research Project, US Army War College.
Hoffman, Bruce, and Gordon H. McCormick. 2004. “Terrorism, Signaling, and Suicide Attack.” Studies in Conflict and Terrorism 27 (4): 243–81.
Joseph, Michael F., and Michael Poznansky. 2018. “Media Technology, Covert Action, and the Politics of Exposure.” Journal of Peace Research 53 (3): 320–335.
Kibbe, Jennifer D. 2007. “Covert Action and the Pentagon.” Intelligence and National Security 22 (1): 57–74.
Kydd, Andrew H., and Barbara F. Walter. 2006. “The Strategies of Terrorism.” International Security 31 (1): 49–80.
Libicki, Martin C. 2009. Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Corporation.
Liff, Adam P. 2012. “Cyberwar: A New Absolute Weapon? The Proliferation of Cyberwarfare Capabilities and Interstate War.” Journal of Strategic Studies 35 (3): 401–28.
Lin, Herb. 2010. “Offensive Cyber Operations and the Use of Force.” Journal of National Security Law and Policy 4 (63): 63–86.
——. 2016. “Developing ‘Loud’ Cyber Weapons.” Lawfare, September 1. https://www.lawfareblog.com/developing-loud-cyber-weapons.
Lindsay, Jon R. 2013. “Stuxnet and the Limits of Cyber Warfare.” Security Studies 22 (3): 365–404.
——. 2015. “Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence Against Cyberattack.” Journal of Cybersecurity 1 (1): 53–67.
Lister, Tim, Mary Ilyushka, and Radina Gigova. 2017. “Putin Slams US Election Meddling Claim As ‘Lies.’” CNN, March 30. https://www.cnn.com/2017/03/30/politics/putin-russia-us-election-denial/index.html.
Mahoney, James. 2015. “Process Tracing As Historical Explanation.” Security Studies 24 (2): 200–18.
Maxey, Levi. 2017. “Homeland Security Council Urges Action Before Cyber 9/11 Strikes.” Cipher Brief, August 27. https://www.thecipherbrief.com/homeland-security-council-urges-action-cyber-911-strikes.
Nakashima, Ellen. 2015. “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say.” Washington Post, July 9. https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/.
Nye, Joseph S. 2010. Cyber Power. Cambridge, MA: Belfer Center for Science and International Affairs, Harvard Kennedy School.
——. 2017. “Deterrence and Dissuasion in Cyberspace.” International Security 41 (3): 44–71.
Olson, Parmy. 2012. We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency. New York: Back Bay Books.
Panda, Ankit. 2017. “How to Make Sense of Offensive US Cyber Operations Against North Korean Military Intelligence.” Diplomat, October 2. https://thediplomat.com/2017/10/how-to-make-sense-of-offensive-us-cyber-operations-against-north-korean-military-intelligence/.
Pape, Robert A. 2005. Dying to Win: The Strategic Logic of Suicide Terrorism. New York: Random House Trade Paperbacks.
Perlroth, Nicole, and David E. Sanger. 2017. “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons.” New York Times, June 28. https://www.nytimes.com/2017/06/28/technology/ -nsa-hacking-tools.html.
Poznansky, Michael. 2015. “Stasis Or Decay? Reconciling Covert War and the Democratic Peace.” International Studies Quarterly 59 (4): 815–26.
Rid, Thomas. 2012. “Cyber War Will Not Take Place.” Journal of Strategic Studies 35 (1): 5–32.
Rid, Thomas, and Ben Buchanan. 2015. “Attributing Cyberattacks.” Journal of Strategic Studies 38 (1–2): 4–37.
Rovner, Joshua, and Tyler Moore. 2017. “Does the Internet Need a Hegemon?” Journal of Global Security Studies 2 (3): 184–203.
Sanger, David E. 2012. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York: Broadway Paperbacks.
——. 2016. “U.S. Wrestles with How to Fight Back Against Cyberattacks.” New York Times, July 30. https://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html.
Sanger, David E., David D. Kirkpatrick, and Nicole Perlroth. 2017. “The World Once Laughed At North Korean Cyberpower. No More.” New York Times, October 15. https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html.
Schelling, Thomas C. 1966. Arms and Influence. New Haven, CT: Yale University Press.
Schmid, Alex P. 2004. “Frameworks for Conceptualizing Terrorism.” Terrorism and Political Violence 16 (2): 197–221.
Sharp, Gene, and Marina Finkelstein. 1973. Dynamics of Nonviolent Action. 3rd ed. Boston, MA: P. Sargent Publisher.
Slantchev, Branislav L. 2010. “Feigning Weakness.” International Organization 64 (3): 357–88.
Slayton, Rebecca. 2017. “What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment.” International Security 41 (3): 72–109.
Smith, Candace. 2016. “Anonymous Claims to Hack Donald Trump.” ABC News, March 17. https://abcnews.go.com/US/anonymous-claims-hack-donald-trump/story?id=37730049.
Stoller, Daniel R. 2017. “Cybercriminals Taking the Reins from Nation-State Adversaries.” Bloomberg Law: Privacy and Data Security Blog, December 8. https://www.bna.com/cybercriminals-taking-reins-b73014472953/.
Szoldra, Paul. 2016. “A New Film Gives a Frightening Look at How the US Used Cyberwarfare to Destroy Nukes.” Business Insider, July 7. https://www.businessinsider.com/zero-days-stuxnet-cyber-weapon-2016-7.
Temperton, James. 2016. “FBI Adds Syrian Electronic Army Hackers to Most Wanted List.” Wired, March 23. https://www.wired.co.uk/article/syrian-electronic-army-fbi-most-wanted.
Valeriano, Brandon, and Ryan C. Maness. 2014. “The Dynamics of Cyber Conflict Between Rival Antagonists, 2001–11.” Journal of Peace Research 51 (3): 347–60.
——. 2015. Cyber War Versus Cyber Realities: Cyber Conflict in the International System. Oxford and New York: Oxford University Press.
Vinton, Kate. 2015. “Syrian Electronic Army Claims Responsibility For Hacking U.S. Army Website.” Forbes, June 8. https://www.forbes.com/sites/katevinton/2015/06/08/syrian-electronic-army-claims-responsibility-for-hacking-army-website/.
Yan, Sophia. 2015. “China Blames Criminals for U.S. Government Hack.” CNN, December 2. https://money.cnn.com/2015/12/02/technology/china-hack-denial/index.html.
Yarhi-Milo, Keren. 2013. “Tying Hands Behind Closed Doors: The Logic and Practice of Secret Reassurance.” Security Studies 22: 405–35.