Attribution, the practice of assigning responsibility for cyber activity to a specific actor or sponsor, is often characterised as an exercise of ‘informed’ guesswork. But it is perhaps better thought of as a challenging investigative process, the purpose of which is to reduce uncertainty. At the technical level, the proliferation of sophisticated encryption and anonymity techniques frustrate the process, while at the strategic level cyber actors will increasingly transmit disinformation, or conduct ‘false flag’ operations, as was the case in the TV5 monde attack.
This ambiguity can have profound implications for how countries will conduct foreign policy. For example, in the absence of defined norms of behaviour in cyberspace the established rules of engagement are less well-defined. Without firm attribution where does the ‘redline’ sit? Furthermore, if the public is expected to support government action, sufficient evidence will be required. Trust in intelligence agencies is however low, and releasing such information will undoubtedly reveal unique capabilities and access to an adversary. Options for responding to a cyber incident may therefore be principally defensive, at least in the short term.
But this does not mean cyber is confined to a zero-sum game. Even in the absence of firm attribution the threat of cyber operations can be used to exert influence; gauge an adversaries risk appetite; allow for psychological operations, all with a degree of plausible deniability. In short, it can be used as a form of ‘muscular diplomacy’, occupying the middle ground between military posturing and sabre-rattling rhetoric.
The recent deterioration of US-Russia relations, a facet of which has been escalating cyber breaches, neatly illustrates this point. US Vice President Joe Biden’s recent statement on the possibility of cyberattacks against Russia wasn’t clear on the nature of the US response. If the threat of a US ‘clandestine’ cyberwar on Russia was serious, then it would not have been announced. Yet, the deterrent impact of any operation would be limited if it were kept completely secret. Regardless of whether this is the last bastion from an administration soon to be replaced, the US will walk a difficult line in defining a response. Moreover, it demonstrates the utility of ‘muscular diplomacy’ to publicly voice discontent whilst sending a strong deterrent message to an adversary.
For those who don’t know, PGI is an integrated cyber-security solutions provider bringing together a unique capability in the vast field of information security, applicable across the commercial, governmental and institutional sectors. Talk to us about your requirements: firstname.lastname@example.org or +44 (0) 845 600 4403