This article was downloaded by: [Columbia University] On: 08 June 2015, At: 08:43 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK Journal of Strategic Studies Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/fjss20 Attributing Cyber Attacks Thomas Rida & Ben Buchanana a Department of War Studies, King’s College London, UK Published online: 23 Dec 2014. Click for updates To cite this article: Thomas Rid & Ben Buchanan (2015) Attributing Cyber Attacks, Journal of Strategic Studies, 38:1-2, 4-37, DOI: 10.1080/01402390.2014.977382 To link to this article: http://dx.doi.org/10.1080/01402390.2014.977382 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content. This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub- licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http:// www.tandfonline.com/page/terms-and-conditions Downloaded by [Columbia University] at 08:43 08 June 2015 The Journal of Strategic Studies, 2015 Vol. 38, Nos. 1–2, 4–37, http://dx.doi.org/10.1080/01402390.2014.977382 Attributing Cyber Attacks THOMAS RID AND BEN BUCHANAN Department of War Studies, King’s College London, UK ABSTRACT Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and as depen- dent mainly on the available forensic evidence. But is it? Is this a productive understanding of attribution? — This article argues that attribution is what states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimising uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black- and-white problem; and strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recog- nising limitations and challenges. KEY WORDS: Cyber Security, Attribution, Traceability, Information Security, Signals Intelligence Attribution is the art of answering a question as old as crime and punishment: who did it? Doing attribution well is at the core of vir- tually all forms of coercion and deterrence, international and domestic. Doing it poorly undermines a state’s credibility, its effectiveness, and ultimately its liberty and its security. Decisions of life and death depend on attribution. The use of chemi- Downloaded by [Columbia University] at 08:43 08 June 2015 cal weapons in Ghouta, a suburb of Damascus, in August 2013; the downing of Malaysia Airlines Flight 17 near Donetsk Oblast, Ukraine, in the summer of 2014; the abduction of three Israeli teenagers in Gush Etzion in June, which triggered the Gaza War of 2014 — all these events have in common that nobody immediately claimed credit, and that the identity of the perpetrators remained highly contested while consequential political decisions had to be made at the highest levels. The attribution problem has not raised its profile so dramatically only in recent years. The assassination of Archduke Franz Ferdinand of Austria on 28 June 1914 offered a similar conundrum: who was Gavrilo Princip, the assassin? And was he an agent of the Serbian state? © 2014 Taylor & Francis Attributing Cyber Attacks 5 Attribution unwinds incrementally. These international incidents illus- trate the potentially enormous stakes at play. But they are too exceptional and too confusing for a systematic discussion of attribution. Beginning with a more orderly and established illustration is more productive. In law enforcement, identifying a felon may begin with a report of a crime to an emergency phone operator. Next come investigators. The officers will secure the scene and interview witnesses. Forensic specialists will try to find and analyse specific artefacts, for instance matching a bullet found in the victim to a gun with fingerprints found at the crime scene. If all goes well, the evidence will be marshalled into a case presented to a jury, where the final question of attribution will be settled. Though often fraught with drama, it is a methodical, ordered, and institutionalised approach. This scenario is simplistic but instructive. It reveals at least three general and familiar features: attribution is almost always too large and too complex for any single person to handle; attribution is likely to require a division of labour, with specialities and sub-specialities throughout; and attribution proceeds incrementally on different levels, immediate technical collection of evidence, follow-up investigations and analysis, and then legal proceedings and making a case against competing evidence in front of a decision authority. The law enforcement scenario is extensively explored in scholarly literature and popular culture. Attributing cyber attacks is less simple and the ground less familiar. In cyber security, the attribution debate is evolving surprisingly slowly.1 Three common assumptions currently dominate the discussion on digital attribution. The first assumption is that attribution is one of the most intractable problems2 of an emerging field, created by the underlying technical architecture3 and geography4 of the Internet. 1For an early contribution, see, David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution (Alexandria, VA: Institute for Defense Analysis 2003); Richard Clayton, Anonymity and Traceability in Cyberspace, vol. 653, Technical Report (Cambridge: Univ. of Cambridge Computer Laboratory 2005); Susan Brenner, ” ’ Downloaded by [Columbia University] at 08:43 08 June 2015 At Light Speed : Attribution and Response to Cybercrime/Terrorism/Warfare , The Journal of Criminal Law & Criminology. 97/2 (2007), 379–475. For an early case study, see, Clifford Stoll, The Cuckoo’s Egg (New York: Doubleday 1989). 2‘Perhaps the most difficult problem is that of attribution’, P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar (New York/Oxford: OUP Press, 2014, p. 73. See also, David Betz and Tim Stevens, Cyberspace and the State, Adelphi Series (London: IISS/Routledge 2011), 75–6. 3See for instance, W. Earl Boebert, ‘A Survey of Challenges in Attribution’,inCommittee on Deterring Cyberattacks (ed.), Proceedings of a Workshop on Deterring Cyberattacks (Washington DC: National Academies Press 2011), 51–2. Also, Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009), 43. 4Jack Goldsmith and Tim Wu, Who Controls the Internet? Illusions of a Borderless World (Oxford: OUP 2006). 6 Thomas Rid and Ben Buchanan Only a technical redesign of the Internet, consequently, could fully fixthe problem.5 Similar positions prevail in the legal debate.6 The second assumption is a binary view on attribution: for any given case, the problem can either be solved,7 or not be solved.8 Either attribution leads to the culprit, or at some point it simply ends with a spoofed IP address, obfus- cated log files, or some other dead trail.9 The third common assumption is that the attributive evidence is readily comprehensible, that the main challenge is finding the evidence itself, not analysing, enriching, and pre- senting it.10 These views are common; they are intuitive; and they are not wrong — but they are limited and insufficient. The reality of attribution has evolved significantly in the past decade. Actual attribution of cyber events is already more nuanced, more common, and more political than the literature has acknowledged so far.11 5Mike McConnell, ‘How to Win the Cyberwar We’re Losing’, Washington Post,28 Feb. 2010. 6See, Matthew C. Waxman, ‘Cyber-Attacks and the Use of Force’, The Yale Journal of International Law 36 (2011),. 421–59, 447; Nicholas Tsagourias, ‘Cyber Attacks, Self- Defence and the Problem of Attribution’, Journal of Conflict & Security Law 17 (2013), 229–44. For a discusson on levels of attribution necessary for the use of force, see Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford: OUP 2014), 33–40. 7Former Secretary of Defense Leon Panetta famously said