Response to cyber attacks

What is the issue?

Publicly attributing the cyber attacks to a state or non-state actor is vital for building a credible cyber deterrence strategy.

What are the recent incidents?

• The US Department of Justice filed a criminal complaint in September indicting North Korean hacker Park Jin Hyok for playing a role in at least three massive cyber operations against the US.
• This included the Sony data breach of 2014, the Bangladesh bank heist of 2016 and the WannaCry ransomware attack in 2017.
• This indictment was followed by another complaint on Russia’s military agency for persistent and sophisticated computer intrusions in U.S.
• Evidence adduced in support included forensic cyber evidence like similarities in lines of code or analysis of malware and other factual details regarding the relationship between the employers of the indicted individuals and the state in question.
• The above criminal complaints will not necessarily lead to the prosecution of the indicted individuals across borders.
• However, indicting individuals responsible for cyber attacks is in itself an attractive option for states looking to develop a credible cyber deterrence strategy.

What is the importance of attributing cyber attacks?

• There are technical uncertainties in attributing attacks to a specific actor.
• It has long fettered states from adopting defensive or offensive measures in response to an attack and garnering support from multilateral fora.
• Cyber attacks are multi-stage, multi-step and multi-jurisdictional, which complicates the attribution process and removes the attacker from the infected networks.
• Experts have argued that technical challenges to attribution should not detract from international efforts to adopt a robust, integrated and multi-disciplinary approach to attribution.
• It should be seen as a political process operating in symbiosis with technical efforts.
• A victim state must communicate its findings and supporting evidence to the attacking state in a bid to apply political pressure.
• Clear publication of the attribution process becomes crucial as it furthers public credibility in investigating authorities.
• It enables information exchange among security researchers and fosters deterrence by the adversary and potential adversaries.
• Also, a criminal indictment is more legitimate as it needs to comply with the rigorous legal and evidentiary standards required by the country’s legal system.
• Further, an indictment allows for the attack to be conceptualised as a violation of the rule of law in addition to being a geopolitical threat vector.

What are the lessons for India?

• India is yet to publicly attribute a cyber attack to any state or non-state actor.
• This is despite an overwhelming percentage of attacks on Indian websites perpetrated by foreign states or non-state actors, with 35% of attacks emanating from China, as per a report by CERT-IN.
• Along with the National Critical Information Protection Centre (NCIIPC), CERT-IN forms part of an ecosystem of nodal agencies designed to guarantee national cyber security.
• There are three key lessons that policy makers involved in this ecosystem can take away from the WannaCry attribution process and the Park indictment.
• First, there is a need for multi-stakeholder collaboration through sharing of research, joint investigations and combined vulnerability identification among the various actors employed by the government, law enforcement authorities and private cyber security firms.
• Second, the standards of attribution need to demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements in the International Law on State Responsibility.
• The latter requires an attribution to demonstrate that a state had ‘effective control’ over the non-state actor.
• Finally, the attribution must be communicated to the adversary in a manner that does not risk military escalation.
• Improving attribution capabilities is as equally important as building capacity to improving resilience and detecting cyber attacks.
• Thus India will need to marry its improved capacity with strategic geopolitical posturing.
• Lengthy indictments may not deter all potential adversaries but may be a tool in fostering a culture of accountability in cyberspace.

Source: Business Line