Kaspersky researchers have partnered with policy scholars at the London School of Economics (LSE) to explore the role of cyber attribution and to find ways in which technical attribution - conducting a technical investigation to identify who is behind a cyber-incident - can be made more transparent and better understood by the wider public. In a paper submitted to the UN Open-ended Working Group (OEWG), the experts explained how technical attribution takes place, why its transparency is key to further cyber stability, and proposed ways in which it can be made more accessible to a wider multi-stakeholder community.
When reports of a cyberattack appear in the headlines, questions arise around who launched the attack and why. However, the reasons for an attack are often left to speculation, both by the world at large and by the victims themselves. Understanding the source of and reason for these attacks enables organizations to build appropriate defenses, patch gaps and increase their cyber resilience. Policymakers and industry leaders are often eager to obtain this knowledge. It is here that the technical aspects of an attack play a significant role.
The paper reveals that cyber attribution is a complex process in which technical, legal and political discussions intertwine to produce as complete a narrative of an attack as possible. One element is technical attribution, the process used by cybersecurity researchers, including Kaspersky experts, to analyze cyber incidents from a technical standpoint. The end result of this process is intelligence about the identity of the attackers - not the specific personalities within a group, but the technical details that distinguish a particular threat actor.
The authors argue that although cyber attribution, whether public or private, remains a sovereign prerogative of states, it may have far-reaching consequences for other stakeholders too. While the legal and political parts of attribution rarely reach the wider public, technical attribution does, and this stage can be made more transparent and accessible, both to help the wider community improve its defenses and to lend greater credibility to the analysis through additional review by other stakeholders.
The authors propose paths towards enhancing transparency in the technical attribution process, focusing on norm implementation (i.e., norm 13(b) of the UN GGE report concerning cyber attribution), further clarification, and consensus-building across the international community. Greater cooperation between vendors, the technical community, and states can improve the technical attribution process. If researchers have more information from various transparent and accessible sources in different states, they will be better equipped to prevent and defend against these attacks.
These strategies form a key aspect of the technical attribution process: they transcend individual incidents and aim to build knowledge that can be useful within a larger context. No single entity can be successful at attribution alone. Yet the authors note that transparent and accessible technical attribution across the international community is currently frozen, as nation states lack the political will to tie themselves to formal legal obligations in cyberspace.
"Technical attribution is not magic, but it is a difficult process that is impossible without sharing knowledge and experience," said Anastasiya Kazakova, senior public affairs manager at Kaspersky. "Greater dialogue between security researchers, diplomats, and academia is a must to avoid their 'worlds' existing in silos. If technical attribution remains closed and conducted only within limited circles, victims and the rest of the world will be left in the dark. And, as we know, darkness wreaks havoc; it creates escalation and instability. We must unite our efforts and knowledge - it's the only way to build a safer world."
"The general public, as well as policymakers, are used to receiving attribution information from the cybersecurity field, either from media articles or vendor blogposts," said Ivan Kwiatkowski, senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT). "It is difficult for them to assess this information without obtaining a greater knowledge of the general attribution process and its intrinsic ambiguities and tradeoffs. With this paper, we hope to provide a clearer understanding of how we approach this delicate question, and we view it as the first stepping-stone towards fostering discussion in the wider community - and eventually establishing common practices in the industry."
"There is a need for greater communication, transparency, and accessibility to information on cyber activity among states, while maintaining protection over sensitive data for the sake of national and individual security," said Julia Ryng, project and research associate at LSE IDEAS. "The challenge here is great. However, this is not the first time the international community has faced issues that require capacity building and cooperation among public and private actors. This piece unpacks the complexity of technical attribution and points to existing cross-border and cross-industry mechanisms that we can learn from."
"Cyberspace is a relatively new domain of international relations, and it is through this paper that we hope to shed some light on the topic of technical attribution in cybersecurity," said Kenddrick Chan, deputy head of the Digital International Relations project at LSE IDEAS. "We hope that it will spur further discussions between industry professionals and policymakers, and eventually lead to having in place institutional mechanisms that will bring about a safer and more secure cyberspace."
Read the full copy of the submission on Securelist.