As the EU implements its first cyber sanctions regime against foreign adversaries, it must remain alert to the challenges of attribution.
The EU has now imposed its first cyber sanctions regime targeting Russian, North Korean and Chinese actors deemed responsible for cyber attacks against EU member states. In recent months, the US has also pursued similar sanctions and indictments against Russian, North Korean and Chinese actors. Indeed, the US has issued an advisory to companies, which falls under the country’s cyber sanctions programme, to familiarise them with recognising malicious ransomware payments, attacks and accompanying sanctions. These so-called cyber sanctions offer a way for countries to respond to cyber activity online while endorsing a rules-based and secure cybersphere. However, challenges with applying traditional sanctions thinking to the cybersphere remain: one such area is attribution.
ATTRIBUTION: A BRIEF EXPLAINER
While sanctions generally do not depend on any determination of criminal guilt, attribution still matters, as it allows a sanctioning power to assign responsibility to a perpetrator and justify the sanctions to the public. The latest EU cyber sanctions officially link the Russian military intelligence directorate (GRU) to the NotPetya cyber attack in 2017 and a 2015 attack on the German parliament, and North Korean and Chinese individuals and entities to the WannaCry (2017–18) and Cloud Hopper (2017–18) cyber attacks respectively.
Attributing a cyber attack is a three-stage process. First, the computers and networks utilised for the operation must be identified. Second, the operation must be linked to the individuals behind it. Finally, the state or states affected by the attack can choose to take action, usually in the form of sanctions, against the perpetrators. This process, however, comes with caveats: attribution in the cybersphere often lacks what would otherwise be deemed essential evidence, either because governments may not have access to such incontrovertible proof, or because they may be unwilling to provide it.
GETTING TECHNICAL ABOUT EVIDENCE
Currently, the EU is unclear about the amount of evidence and the threshold required for public attribution and proportionate responses. At what point does malicious behaviour constitute a cyber attack and, if so, how much evidence is required for the attack to be attributed and sanctions imposed? The EU may consider whether the intelligence provided by the intelligence bureaus of member states affected by attacks meets a specific threshold, following which cyber sanctions can be considered. However, this threshold has not yet been defined by the EU, which complicates deciding which type of cyber intrusion would warrant a response involving sanctions, and what specific evidence would be required to designate it.
A related obstacle is that these sanctions would need to withstand challenges by designated parties. Such challenges would predominantly be brought through the ECJ, and withstanding them would mean clearly connecting the individuals, entities and/or the state to the attack. Arriving at this stage, however, would require clarifying the threshold of evidence needed for designation – an act the EU has not yet undertaken. Whether the public would have access to the attributing information used by the EU to decide whether to impose sanctions, and to any subsequent decisions taken by the ECJ should the designation be appealed, remains to be determined.
Member states also risk exposing domestic and regional intelligence and cyber capabilities when establishing attribution. For adversaries, this information can prove beneficial in identifying the extent to which their activities are effective, in addition to locating vulnerabilities within member state systems which can be exploited for future attacks. This was the case with the WannaCry and NotPetya cyber attacks: the former occurred early in 2017, and in October of that year, following international condemnation and the presentation of evidence by Western powers, NotPetya undertook a similar attack. The latter was more lethal in effectiveness and affected more Western government institutions. When publicly sharing material, states must therefore consider which security information can be compromised once it is in the public domain.
Further, given that IP addresses can be altered or hidden, the location of a perpetrator’s address constitutes neither adequate nor necessarily correct evidence of their true location. The same is true for other technical evidence, such as malware code and activity patterns, which, through false-flag procedures, can disguise the perpetrator. An example is the attempt by Russian hackers to disrupt the South Korean Winter Olympics in 2018 by using code of North Korean origin. To ensure robust evidence-based attribution, sanctioning parties will be required to dedicate considerable time and resources to determine the actor and their location, including whether the perpetrator is a proxy acting on behalf of a state.
Relatedly, state and proxy links are often unclear and purposefully falsified, particularly in a virtual sphere which renders tracing challenging. When information is available, sufficient identification of a perpetrator’s financial sources and knowledge of their contacts will be difficult to verify, predominantly due to weak connecting links or fabricated information. The easily blurred and untraceable nature of cyberspace will therefore make identifying the complete networks of individuals difficult. Cyber sanctions may consequently not result in significant asset freezes or have much impact on the financial networks supporting illicit cyber actors.
There is also the chance that while these activities are undertaken by individuals, they are ultimately linked to a state. This is particularly true in the cybersphere where information can easily be falsified through the changing of an IP address, for example. The inability to adequately identify this information therefore comes with the chance that, while states may be involved, the sanctions imposed against individuals will do little to deter the behaviour of states. Cyber attacks may continue with proxies hiding their location or financing activities using accounts which have not been sanctioned, yet could be linked to a state actor. While the utility of sanctions lies in their capacity to coerce or constrain malign activities or effect a behavioural change, this can be challenging when information is falsified or unavailable, and state actors hide behind proxies.
CYBER SANCTIONS: AN EFFECTIVE RESPONSE?
Cyber sanctions aim to apply conventional facets of sanctions, such as attribution, evidence gathering and asset freezes, to a sphere where gathering such information and accurately designating the actors involved is hampered by easily falsified links and challenges in tracing.
The question is therefore whether the use of traditional sanctioning instruments, and sanctions themselves, can be of use in a sphere where weak and blurred connections limit who can be designated and intelligence sensitivities preclude publicising evidence.
While the difficulties of attribution remain, the imposition of EU cyber sanctions indicates the Union’s intolerance for the violation of member states’ sovereignty by foreign actors in an increasingly critical online world. Ultimately, it demonstrates the Union’s commitment to upholding a rules-based order which is guided by open, transparent and legal norms in the virtual sphere, just as it has advocated for in the non-cyber domain.
Whether the cyber sanctions will prove effective in deterring future attacks, however, depends on the coordination of a wider and more encompassing stance towards the sanctioned parties.
By Sasha Erskine, October 2020, published on RUSI
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
Image by European Parliament/CC-BY-2.0.