Critiquing the U.S. characterization, attribution and retaliation laws and policies for cyberattacks

Abstract

This paper critiques the U.S. characterization, attribution, and retaliation laws and policies for cyberattacks. Characterization, attribution, and retaliation are part of the most important aspects of responding to cyberattacks. The U.S. does not have a clearly defined characterization process, other than the Government Accountability Office (GAO), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS)’s Threat Table which characterizes the different motivations for carrying out cyberattacks by cyber threat actors. This Threat Table has hardly changed since 2005, yet, cyber threat actors continually develop their tactics, techniques, and procedures (TTPs) and conceal their real motivations for carrying out cyberattacks. Like characterization, the U.S. does not have a known attribution procedure, nor is a single agency tasked with the function of attribution. Different agencies – the Department of Justice (DoJ), the Federal Bureau of Investigation (FBI), the National Cyber Investigative Joint Task Force (NCIJTF), and the Office of the Director of National Intelligence (ODNI) – and even private sectors companies, participate in the attribution process. This invites potential contradiction and interference with the attribution process. Though, unlike characterization and attribution, the U.S. retaliation policies are contained in different documents, none has the preciseness required to be effective. This paper thus, makes recommendations for each of these aspects of cyberattack response.