International Cyber Incidents: On the Question of Public Attribution
Context:
India has not yet publicly attributed cyber incidents to specific private actors or nation-states. To enhance national security, a coherent, well-supported decision-making process for public attribution is crucial.
The Case for Public Attribution:
- Attribution, or identifying the source of cyberattacks, is challenging due to deceptive techniques.
Cyber Threats to India:
India, with its growing digital infrastructure, faces significant cyber threats. In 2023, the country experienced over 2,100 cyberattacks per week, targeting critical sectors like finance, power, and healthcare. Despite this, India has been cautious in publicly attributing these attacks.
Introduction to Cyber ‘Unpeace’:
- Cyber conflicts, or “cyber unpeace,” blur the lines between war and peace, with both state and non-state actors using cyberattacks to achieve economic and geopolitical goals.
- These attacks offer asymmetric advantages, allowing even those without conventional military power to cause harm. Policymakers must address the threats and opportunities posed by cyber conflicts.
- However, public attribution can strengthen national security, deter future attacks, and improve information sharing. But it also carries risks, such as misattribution or escalating conflicts.
International Perspectives:
- Varied Approach: Countries like France, Germany, and the Netherlands approach public attribution differently, with
- France and Finland treat it as a political decision, while the Netherlands sees it as essential for cyber defence. The US emphasises its role in deterrence, while China resists public attribution, claiming it is politically motivated.
- International Legal Standards: International law holds states responsible for cyber actions that breach obligations, but it does not define clear standards for evidence in public attribution, leaving it to individual countries.
Private Sector Attribution: Private organisations, such as Mandiant and Crowdstrike, play a key role in cyber attribution, identifying specific state actors behind attacks. These firms have contributed to decentralised cyber attribution by publicly linking attacks to nations like China and Russia.
- Global Forums and Best Practices: Global forums like the UN-GGE advocate for cooperation in cyber attribution and encourage states to consider all relevant information before making decisions.
Decision-Making Framework for Public Attribution:
- A structured approach is necessary when deciding whether to publicly attribute a cyberattack.
- Key goals include deterrence, causing friction for the attacker, building resilience, promoting norms, and improving international cooperation.
Options for Public Attribution:
- Criminal Indictment: When evidence links the attack to a private actor and meets legal standards, criminal agencies can make the attribution.
- International Legal Attribution: For state actors, international law standards should guide the attribution, carried out by government officials.
- Political Attribution: If legal evidence is lacking but the attack aligns with geopolitical interests, political officials can attribute the attack.
- Third-Party Attribution: When evidence is insufficient or risks are high, India may rely on third-party assessments.
Conclusion:
- Publicly attributing a cyberattack is a complex process, but a clear framework can help India respond effectively and protect its national interests. Public attribution can enhance security by deterring attacks and promoting accountability.
- As the cyber threat landscape evolves, India may need to adapt its approach and cooperate with international partners to strengthen its cybersecurity posture.
- Institutional Framework: India’s cybersecurity agencies, such as CERT-In, NCIIPC, and the Ministry of External Affairs, must collaborate on attribution decisions, considering evidence, confidence and geopolitical impacts.
