Abstract

Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and as dependent mainly on the available forensic evidence. But is it? Is this a productive understanding of attribution? — This article argues that attribution is what states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimising uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black-and-white problem; and strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognising limitations and challenges.

Highlights

  • Attribution is the art of answering a question as old as crime and punishment: who did it? Doing attribution well is at the core of virtually all forms of coercion and deterrence, international and domestic

  • The use of chemical weapons in Ghouta, a suburb of Damascus, in August 2013; the downing of Malaysia Airlines Flight 17 near Donetsk Oblast, Ukraine, in the summer of 2014; the abduction of three Israeli teenagers in Gush Etzion in June, which triggered the Gaza War of 2014 — all these events have in common that nobody immediately claimed credit, and that the identity of the perpetrators remained highly contested while consequential political decisions had to be made at the highest levels

  • This study introduced a systematic model for attributing cyber attacks and articulated three core arguments: first, that attribution is an art: no purely technical routine, simple or complex, can formalise, calculate, quantify, or fully automate attribution

Summary

Thomas Rid and Ben Buchanan

Some tactically relevant details may lose their significance on operational and strategic levels, just as details of geopolitical context are of limited concern to the forensic investigator. This process extracts meaning from the detail: absent proper synthesis, a high density of technical forensic artefacts does not necessarily mean that operational or strategic questions can be answered with more certainty. Intelligence sources that went beyond the digital forensic artefacts of the actual intrusions enabled attributing the MOONLIGHT MAZE breaches to the Russian government with a reasonable level of certainty. Preconceptions, prejudgments, prejudice, and psychological and political biases are likely to influence attribution. This dynamic has an internal and an external aspect: internally, analysts and managers at all levels may be inclined to produce the expected findings and interpret evidence in a specific light. The bigger the internal perception bias, the bigger is the risk of costly mistakes.
