Attribution in cyber security has long been one of the greatest obstacles to taming a cyberspace that former President Obama previously labelled as ‘sort of the wild, wild West.’ Yet as much as attribution must be based on evidence, it is also very much a political position and judgement call. The emerging American practice of indicting individual hackers is therefore an intriguing development that may carry wider consequences than so far realised.
The American action in December 2018 in revealing an indictment of two Chinese hackers - allegedly members of APT-10 and closely aligned with the Chinese Ministry of State Security - while only the latest round in a series of actions dating back to 2014 raises interesting questions about the evolving direction of attribution in cyber to the individual level. In the first instance, one must question whether this represents the most attractive, i.e., politically acceptable, form of attribution for the time being?
Attribution is not only an evidential problem, it is also very much a matter of political judgement. It is political in trying to determine whether attribution is: i) disruptive to a state’s current political agenda with the nation in question, ii) harmful in exposing methods of attribution, thereby potentially harming more important future cases, and iii) of strategic benefit; that is, what is there to gain by establishing blame in this particular case? By treating indictments such as these purely as criminal acts, there is the possibility of disrupting a broader political calculus that may ultimately be far more important.
Secondly, if a threshold of attribution is established as a norm, one now aimed at individuals in the service of the state, then surely Western countries can expect tit-for-tat reprisals before too long. In particular, should those working in the cyber security industry with a prior intelligence service background now fear historic indictments for activities they carried out while in government service?
This is a fear that is not unfounded, with former intelligence employees expressing concern that they may be targeted for arrest on foreign travels for client engagements or conferences. David Aitel is outspoken on this as a former chief scientist at the NSA who is now in private industry, who said simply ‘Life is short. I don’t want to spend it in a Chinese jail.’
With a greater proportion of Western intelligence employees much more likely to leave government service for the private sector than countries like Russia and China, and indeed publicly sell on their background as a key career attribute, one could very well argue that Western countries may well be far more vulnerable to a tit-for-tat response to indictments such as these.
By labelling oneself a former employee of the NSA, or GCHQ, or any other number of Western intelligence services, individuals may find themselves the target for potential future reprisals. Such retaliation would likely be based not on firm evidence, but simply a mandate of political reciprocity akin to the Soviet actions to deport diplomats during the Cold War years, a way of showing such measures would not go unanswered. On this Aitel further believes that ‘We do not have the answer for what happens when they do that…’
Should such reciprocation take place, challenges indeed present themselves in the development of cyber norms to be considered. First, what would the answer be to Aitel’s belief that there is currently no plan for how to handle the potential arrest of former intelligence service employees? An argument could be made that a convenient sub-threshold norm of attribution is evolving that avoids blaming a country per se and focuses instead on individuals.
If the answer were the development of such a sub-threshold norm of attributing to individuals (in the service of the nation) over the nation itself, certainly in the West there could be significant career consequences not yet realised. Simply put, would the attractiveness of joining services like the NSA be compromised if applicants believed they may find themselves criminally indicted by foreign nations in the future? This could create a deterrent to employment that adversely impacts the talent pool and skillset of the service in question.
Secondly, could a sub-threshold norm like this endure for long before encountering a challenge in International Law? With IL essentially permitting espionage as a legitimate state activity, the strategic longevity of indicting individuals must be strongly questioned as a long-term measure. The short-term tactic of issuing criminal indictments based on domestic law for activities that surely fall under the remit of IL is problematic at best, serving more to highlight the continued inability to build a consensus internationally for codes of accepted behaviour in cyberspace.
Ultimately, any notion of short-term gain from indictments must be sternly questioned, particularly in the wider prospect of norm development. The bigger game at play lies with re-engaging international diplomatic efforts to find grounds of consensus, tactics such as these indictments could undermine more fruitful long-term efforts at conditioning the most desired behavioural norms in cyberspace, particularly if a counter does come.