Why attribution is a means to an end

The U.S. strategy of penalizing norm-busting behavior in cyberspace centers around attribution of individuals and the nations sponsoring attacks. This approach raises concerns that foreign governments will retaliate by outing U.S. intelligence and cyber operators and generates skepticism that the culprits will ever see the inside of a U.S. courtroom.

Officials often talk about attribution as the necessary first step on the road to deterring malicious foreign cyber activity.

"Investigations and intelligence … are a step toward identifying who is responsible and holding them accountable. That could be through indictments, but it also informs a whole host of whole-of-government actions: sanctions, diplomatic actions, maybe military or other operational activity," said Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division, at a May 29 Aspen Institute event.

"I think you see international partners, like-minded countries coalescing around this approach, and we can't have those norms or means of deterrence if we don't have that underlying attribution," Ugoretz said.

The U.S. has imposed penalties over the past three years in response to cyberattacks, including indictments against Russian trolls and hackers for 2016 election interference, Treasury sanctions on companies for facilitating the 2017 NotPetya ransomware, indictments and sanctions against two Iranians for the 2018 SamSam campaign and charges against a North Korean programmer for the 2017 WannaCry attacks and Bank of Bangladesh heist.

More recently, the Trump administration indicted Chinese hackers and imposed restrictions on companies that the U.S. says are stealing intellectual property from American companies. In nearly all cases, U.S. officials have taken pains to demonstrate how they know these groups are responsible, sometimes going well beyond the level of detail needed to meet necessary legal thresholds.

Threat intelligence firms have become increasingly active in cyber attribution, with groups like FireEye, Crowdstrike and Cisco Talos sometimes putting out research that U.S. agencies use to justify taking action on emerging threats. While these companies all employ former intelligence officials, none have the resources or capabilities of the U.S. intelligence community or the Department of Justice. Often, the two sectors feed off each other's findings to discover new actors or unconnected dots in the threat landscape.

At an American Bar Association conference earlier this month, Associate Deputy Attorney General Sujit Raman said the U.S. does not view the current Wild West atmosphere in cyberspace as "legitimate statecraft" but rather as "crimes without justification in international relations."

Raman said that without attribution, "there will be no consequences, and thus no deterrence," adding that "attribution through the criminal justice system escalates the stakes for state-sponsored activity in a way that a press release or a public statement alone will not."