Attribution can often be more of an art than a science note the report's authors. There are “Few clues that can guarantee a high-confidence finding”.
Analysts look at a number of technical indicators including text strings, metadata can point to the culprit. After the 2016 heist of the Bangladesh Central Bank, investigators found malware which pointed to the North Korean aligned group known as Lazarus.
Still, “the availability of incriminating technical data is no guarantee,”. Nation states will often attempt to obfuscate the origin of their attacks by making it appear as though another actor were behind their operation, as was the case in the false flag attack on TV5Monde in 2015 when Russian actor, APT 28 attacked the French television station, claiming to be the Islamic State.
Other factors are needed. Attribution can be refined by simple geopolitical analyses, by asking who might benefit from hacking this or that organisation. Russia's interests in eastern Ukraine, for example, coincide with a series of concentrated attacks within the country, pointing to Russia as the culprit. Israel and the US were accused of being behind the Stuxnet worm, which wreaked havoc on Iranian nuclear centrifuges, as the issue of Iranian nuclear armament had been a key national concern of both countries.
Intelligence can also provide critical indicators in attribution but, especially when it comes to open source intelligent. High levels of human intelligent thought are available to few, save the nation states and firms with great enough capabilities to draw on it.
Evidentiary problems aside, attribution is a notoriously troublesome practice within cyber-security. Claims are hard to prove, and often savaged in public forums as insufficient and politically motivated.
If actors want to hold states accountable for cyber-attacks then credibility is key. The strongest factor here is the presence of clear evidence. But the source of that attribution matters too and that evidence can rarely be openly presented to the public in a way that would prove a claim to audience. The authors note “private-sector entities have their own independent financial incentives to produce high-profile attribution reports.” Furthermore, “In the rare occurrences that governments publicly make cyber attribution claims, their statements are often seen as purely political.
“The lack of consistent attribution methodology and standards makes it challenging to assess the merits of attribution claims,” write the authors. The fractured pursuits of an array of researchers and bodies who may come to the same conclusion though using different and incompatible frameworks confuse matters more. Nor is this landscape, split between competing firms and private and public sector, appear particularly “welcoming” for the victims of cyber-attacks: “This reticence may be compounded in the absence of an independent organisation that strives for consensus opinion across multiple firms and methodologies.”
Collaboration, and a more streamlined effort towards attribution must be adopted if attribution is to be considered legitimate. To this end, the report proposes an international consortium for attribution, which would work with victims, provide “a credible and transparent judgement of attribution” and help “standardise diffuse methodological approaches, naming conventions, and confidence metrics that would advance shared understanding in cyber-space and promote global cyber-security.”
Nigel Inkster, director of future conflict and cyber-security at the International Institute for Strategic Studies and former director of operations at MI6 is sceptical. He told SC Media UK, “It is an idea that's worth giving further thought to but I really do wonder how practical it's going to turn out to be.”
Such an organisation would not only risk being politicised but would also contend the nature of forensic computer investigation: “I think it's very unlikely that you're that often going to be in a situation where you're going to get proof to a ‘beyond reasonable doubt standard',” - the only organisations with that kind of capability will be intelligence agencies or those who are already inside an adversary's network and would thus are “not going to want to advertise that fact.”
That said, concluded Inkster, “We might be heading to some kind of tipping point in which unconstrained behaviour by states and non-state groups get worse and more difficult to control and therefore any mechanism that can be found to mitigate that risk is worth exploring.”