Crossroads Blog | CYBER SECURITY LAW AND POLICY

Attribution, Cyber, Cybersecurity, IT security, regulation

A New Attribution Problem: Cyber Attack or Malfunction?

“The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence.” – Architect of Stuxnet Cyber Attack.

According to an article by JustSecurity, confusion about whether an incident is an accident or a cyber attack may be a common problem going forward.  The article opens with a reference to a Bloomberg news report which publicly revealed that hackers caused a 2008 explosion on the Baku-Tbilisi-Ceyhan (BTC) oil pipeline in Turkey.  According to the article, the issue is that it took six years for analysts to identify this incident as a cyber attack rather than a simple malfunction.  While attributing who is responsible for an attack continues to be a significant concern in cybersecurity, the JustSecurity article focuses on the equally troubling issue of attributing what caused an incident: a cyber attack or a simple malfunction?

The Importance of Determining the “What” Attribution Question:

Cybersecurity has become a top concern worldwide.  Both international and state leaders have placed great efforts into forming rules of law and cyber norms to provide a strong enforcement arm in the worldwide cybersecurity battle.  However, before these laws can be applied to the attacker and victim states, a cyber attack must be identified (and then of course attributed to an attacker).  The difficulty attributing whether a cyber attack or malfunction occurred creates an additional barrier between states and international responsibility for their actions, according to the articleJustSecurity sets out three additional consequences of this problem:

(1)   The increased fear that a cyber attacks has occurred whenever anything malfunctions in the future.

(2)   The ambiguity may allow states to get away with aggressive actions that they could not undertake through conventional means without provoking a response.

(3)   States may be more likely to undertake aggressive actions in the first place if they “. . . perceive that cyber actions will be recognized only after a delay or not at all and that (in part because of the delayed recognition) the consequences for the attacking state are minimal.”

How Attackers Take Advantage of the “What” Attribution Problem:

Sometimes the attacker makes the answer clear, like when the Shamoon virus was accompanied by an image of a burning American flag or when the Sony attack displayed a neon red skull on computers with the hacker group’s name.  However, other times the attackers take advantage of the difficulty in attributing whether problems are from cyber attacks or simple malfunctions.  A prime example is the Stuxnet worm.  According to a 2012 New York Times article discussing the Stuxnet worm’s design:

The first attacks were small . . . “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said. The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally.

According to the JustSecurity article, the BTC oil pipeline explosion provides an additional example of the “what” attribution problem at play.  The article again cited to the Bloomberg report , which suggests that there was similar confusion about the cause of the BTC oil pipeline explosion:

. . . the Turkish government “blamed a malfunction,” and BP, the majority owner of the pipeline, noted in its annual report that the pipeline was shutdown because of a fire.

Potential Solutions

According to JustSecurity, the focus on mitigation will be a technical one rather than a legal one.  Simply put, there needs to be faster recognition of cyber attacks as cyber attacks and malfunctions as malfunctions.  The article places this responsibility on the numerous private cybersecurity firms with substantial forensic capabilities and government investigators.

 

Leave a Reply