Cyber attribution isn't so important, even for nation states

Australia can pinpoint the individual humans responsible for a cyber attack, according to foreign minister Julie Bishop. You can assume that the other Five Eyes nations -- the US, UK, Canada, and New Zealand -- have access to that same capability.

"Depending on the seriousness and nature of an incident, Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity -- ranging from the broad category of adversary through to specific states and individuals," Bishop said at the launch of Australia's International Cyber Engagement Strategy last Wednesday.

"Australia has developed offensive cyber capabilities," Bishop said. "Having established a firm foundation of international law and norms, we must now ensure that there are consequences that flow for those who flout the rules."

With such assertive cyber diplomacy, being able to attribute malicious activity is important, of course.

"It's well and good to have a cyber offensive capability, but you need to know who hit you," said Peter Coroneos, founder of Coroneos Cyber Intelligence, at the strategy launch. But it may not be as important as we think.

For businesses and other non-government organisations, attribution can even be a distraction, as then Telstra chief information security officer Mike Burgess said in 2015. Time spent on attributing the source of a cyber attack is time not spent on fixing the problem.

According to Australia's Ambassador for Cyber Affairs Dr Tobias Feakin, precise attribution may not even be needed for a diplomatic or even a stronger response. The question of attribution often "stunts any response", he said, but maybe "certain paradigm shifts in attribution" could work within a "normative framework".

That framework would include the 11 international norms for behaviour in cyberspace set out by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in their 2015 report [PDF].

"States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs," the report said. "States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts."

In others words, states need to have "their own backyard in order", as Feakin put it.

"If attacks are emanating from within your own borders, then you have a prerequisite to tidy those up. Now if you could begin looking at forms of attribution which weren't quite so specific as to an individual user, [or] an individual IP address, but you understand geographically where that might be, then you can begin to look at what ways that you could respond," Feakin said.

"It wouldn't necessarily always be, if you like, deterrence by punishment. There might be ways that you can assist if that country can't clean up their own mess, if you will."

Many of the problems could be sorted out through international cooperation, according to David Koh Tee Hian, chief executive of Singapore's Cyber Security Agency, and Defence Cyber Chief in the Ministry of Defence.

The first step, even before attributing attacks to specific individuals, is determining whether an attack originates from actors in a specific state, or from elsewhere but using that state's infrastructure.

"In my view, it's not particularly difficult. It's just making sure that [each] individual country has basic competency to, as you put it, clean up its own backyard," Koh said.

In the nine months since Feakin was appointed as an ambassador, Australia's diplomatic wins have included a cybercrime agreement with Thailand, and even a cybersecurity agreement with China that includes the UN GGE norms, as well as an agreement not to "conduct or support cyber-enabled theft of intellectual property, trade secrets, or confidential business information with the intent of obtaining competitive advantage".

But on a wider front, progress may slow as the UN GGE process stalls.

"On June 23, after years of slow yet meaningful progress in developing State consensus regarding the application of international law norms to cyberspace, the [UN GGE] collapsed," reported Just Security.

The problem? Three additions to the list of 11 norms: the right to respond to internationally wrongful acts, which is reportedly a veiled reference to countermeasures; the right to self-defence; and the applicability of international humanitarian law.

"Since no international lawyer can, in 2017, deny their applicability to cyber activities, the failure of the GGE can only be interpreted as the intentional politicisation in the cyber context of well-accepted international law norms," Just Security wrote.

There is diplomatic progress, but it's clear to this writer that it's far, far too slow to keep pace with the technological advances. The Cyber Cold War is moving much faster than the original.