Geopolitics of Cyber Attribution
Divyanshu Jindal
Abstract

With the world witnessing a full-scale offensive as a part of the Russia-Ukraine conflict, it now seems inevitable that all future conflicts will have a cyber component. As nations worldwide prepare to develop their capabilities and chalk out their national and foreign policies and strategies, it is crucial to understand the cyber domain’s geopolitical dynamics. While cyber attribution has long been a challenge for a state’s ability to enforce peace in cyberspace, recent years have witnessed new strategies for cyber attribution dilemmas. A pattern of collective attribution as a strategy to overcome accuracy challenges can soon become the norm for cyber attribution. This article highlights the evolving patterns in cyber attribution, the geopolitics in cyberspace, and the takeaways for India’s policies and cyber strategy.

Introduction

Cyberspace is now considered the fifth strategic domain besides air, water, space, and land. This domain is fundamental to socio-cultural, economic and security aspects of life. Economies today are increasingly reliant on digital technology, and nations are looking to evolve their traditional security frameworks by integrating them with cyber capabilities. Since the advent of social media platforms and virtual communication, the cyber domain has become deeply rooted in societal interactions. With innovations like crypto-currencies emphasising anonymity and decentralisation, new necessities for safeguarding the integrity and accessibility of services and critical resources have emerged. However, this is complicated by the inherent nature of the internet, which was not designed with a focus on security as a significant concern.

The year 2022 proved to be record-breaking in terms of cyber security as the world witnessed the first ‘full-scale cyber war’ as part of the Russia-Ukraine conflict. In a traditional conflict, the attacker/perpetrator is identified, the crime is proven or disproven, and the verdict is announced, leading to disciplinary actions. But in cyberspace, it is usually the initial steps which pose the most trouble, i.e., identification of the attacker and proving that the attack was conducted by the accused. In the cyber domain, this initial process is termed ‘attribution’ or ‘cyber attribution’.

Today, accurate attribution of cyber attacks is one of the most debated complexities for progress in global governance and peace in cyberspace. Questions and dilemmas are associated with several aspects of attribution, ranging from legal to strategic. For many states, cyber attribution remains an elusive capability; for others, it has evolved into a mechanism for pursuing deterrence against adversaries.

Cyber-attribution has several complexities that transform the issue into a geopolitical tool and an avenue for diplomacy between nations. Cyber attribution is now a multi-layered process where strategic, operational, diplomatic, and domestic political considerations overlap. When openly done by nation-states, attribution is deemed ‘public attribution’. It is now increasingly seen as a way for governments to draw red lines regarding what constitutes acceptable behaviour in cyberspace.

This article looks into the intricacies and rationales behind cyber attribution, the benefits and challenges associated with pursuing cyber attribution as a policy objective, recent patterns and strategies adopted by nations and other critical actors in cyberspace, and evolving techniques and possible alternatives for achieving deterrence in cyberspace. Furthermore, the article looks at cyber attribution through the lens of geopolitical necessities and developments. Finally, it consolidates key takeaways for India as it plans to formulate a national cyber strategy.

Recent Developments

Public attribution in the cyber domain is now increasingly seen as a tool of deterrence. It is assumed that exposing malicious activities with credible and verifiable evidence will deter similar behaviour in future.[1] It is interesting to note that over the last decade, more than two dozen states have been accused of conducting or supporting cyber activities which adversely impact government functioning, critical infrastructure, security, and societal well-being. Beyond these effects, these activities lead to fears of uncertainty and impending chaos as cyberspace becomes increasingly integral to every sphere of life. Therefore, the capability to identify the perpetrator and accurately attribute the activity with verifiable evidence before imposing any penalty or sanctions is fundamental to lawful governance.

In recent years, cyber attribution has become a joint effort to increase effectiveness and credibility. In 2018, seven countries issued public statements linking the ‘NotPetya’ cyber-attack to the Russian government.[2] In February 2020, the US, the UK, New Zealand, Lithuania, Latvia, Norway, Finland, Australia, and Denmark condemned Russia for the cyber-attack against a Georgian web hosting service provider.[3] Along with this, the US indicted six Russian military intelligence service officers. In a similar move in July 2021, the US government, in tandem with the EU, NATO, New Zealand, and Japan, officially attributed malicious cyber activities to China or China-sponsored actors.[4] The US Department of Justice indicted four Chinese cyber actors accused of carrying out orders from the Chinese Ministry of State Security between 2011 and 2018.

In May 2022, the US and the EU attributed attacks against commercial satellite communications networks (which impacted fixed broadband and customers across Europe from one hour before the start of the Russia-Ukraine war on February 24, 2022) to Russia-sponsored actors.[5] But these attributions have not resulted in any substantial change in behaviour in cyberspace. This is where cyber attribution presents several issues.

Firstly, from the perspective of international governance, joint efforts, as seen in the above examples, do not solve challenges associated with determining responsibility in cyberspace. For instance, even though the cyber-attacks during the Russia-Georgia war in 2008 were attributed to Russia along with forensic evidence to substantiate the claims, Moscow countered the attribution efforts by stating that the attackers were patriots, not government-sponsored.[6][7] On this argument, the government has no control over them and cannot be held responsible under international law for their conduct.

Secondly, attributions have yet to result in the peaceful settlement of cyber disputes or a reduction in malicious activities in cyberspace. For a long time, attribution has been based on the rationale of ‘naming and shaming’, which means that exposing a perpetrator is expected to make them change their behaviour.[8]

Moreover, there remains a dilemma over whether to reveal the techniques, technologies, and capabilities used to arrive at a conclusion in the cyber domain. Revealing these aspects can lead to the attacker closing the vulnerabilities in its approach in future, thus neutralising further investigative benefits for the accusing party.

Cyber attribution has remained a one-way street where the actor accused of a cybercrime/attack/espionage denies the attribution, attempts to de-legitimise the effort and demands credible evidence.[9] However, with rising stakes in cyberspace, the importance of cyber attribution and achieving deterrence through attribution, the concept of attribution is also evolving.

Benefits and Challenges

In the absence of proof for cyber attribution resulting in changed behaviour, it is hard to measure the effectiveness and benefits of attribution strategies. Accurate evaluation of success would need access to detailed intelligence on the threat actors’ reactions and changes in strategy post-attribution. This is generally not available in the short term or for open analysis. But beyond the deterrent effects that accurate public cyber attribution may or may not produce, the concept is now aimed toward many other objectives.

One such objective is to shape international views, norms, laws, and expectations in cyberspace.[10] Through ‘naming and shaming’, attribution can help communicate and standardise the norms around conduct unacceptable in cyberspace.[11] In addition, a collective attribution effort in retaliation to malicious activity and steps like indictments or sanctions can signal expected behaviour in cyberspace. Although this objective can be pursued through engagements on bilateral and private levels, since cyberspace has increasingly become a battleground in recent years, public attributions through collective efforts can effectively attract attention and provide credibility to attributions.

Further, cyber attributions are now also seen as a way to alert industries and organisations having stakes in peace in cyberspace for their functioning.[12] This can result in non-governmental sectors infusing investments and efforts through robust cyber-security frameworks and policies[13]. As a spill-over effect, governments can benefit from industrial cyber-security expertise. An excellent example of this has been the Taiwanese focus on grooming a robust cyber-security industry, which can, in turn, help the government safeguard national interests. [14]

Some experts highlight that according to social sciences, accusations can change an accused’s behaviour.[15] While this may not work on nations and governments, steps like indictments can influence the personnel involved in malicious cyber activities, thus making a dent in the workforce and the recruitment abilities of governments and non-state actors.[16] Similarly, sanctions on the indicted perpetrators can make them reluctant to contribute toward malicious cyber objectives for fear of restricted travel and financial opportunities later in life. [17] As a result, attribution will raise the costs of conducting further activities.

From the domestic perspective, governments can use public attribution as an accountability measure and a political objective to rally domestic support towards a broader issue. [18] Moreover, in an increasingly nationalistic environment worldwide[19], cyber attribution can be deemed an effort to infuse greater transparency in governmental activities in cyberspace.

While the benefits of attribution are substantial and multi-fold, attribution is deemed one of the most complex issues in cyberspace due to the equally essential and numerically more significant number of challenges.

According to one categorisation, there are three broad levels that researchers look at during the process of attribution[20]:

1. The tactical level involves the technical aspects of the activity, like the URLs and the IP addresses.
2. The operational level involves identifying patterns in behaviour, like malware and scripting patterns.
3. The strategic level looks into the attacker's and their sponsors' objectives.

Attributions can also be of several types: political, legal, or technical.[21] Political attributions condemn the activity and aim to achieve the objectives presented in the previous section. Legal attribution seeks to evaluate the international repercussions and possible responses to the incident, both by national governments and under international law. Finally, technical attribution focuses on substantiating the claim by providing proof, like the techniques and tools used by the attacker. Unfortunately, difficulties for accurate attributions exist at each of these levels.

At the tactical level, possibilities for accurate attribution are complicated by technologies that increase anonymity. Spoofing, encryption, and decentralised communication technologies have long presented hardships for precise attribution. These issues are only growing with the increasing pace of innovation in technology domains, especially with a rising focus on privacy and security. The possibility of misattribution at this level is also a concern. As attackers might want to leave no stone unturned to hide their identities, issues like false flag attacks have become more frequent in the last few years. In 2018, allegedly, Russia-based hackers attempted to leave clues pointing to North Korean and Chinese groups to prevent investigators from reaching any clear conclusion.[22] In 2019, the cyber-espionage group ‘Turla’ allegedly took over an Iranian hacking group’s infrastructure and used it to deliver malware, thus, creating difficulties for accurate attribution.[23]

Beyond the tactical level, several difficulties arise at the operational level. These difficulties range from needing more resources, like infrastructure and workforce, to conduct the investigations required to reach the attribution stage, to the inability to procure the required information in the absence of international partners. This means that attribution capabilities are restricted to the western partners collaborating to reach a verifiable conclusion. For most others, attribution without evidence lacks the credibility to achieve the effects of ‘naming and shaming’ or deterrence.

The most ambiguous challenge, however, exists at the strategic level. This challenge can be looked at from two broad perspectives. First, cyberspace governance remains unregulated to a large extent at the international level, and no universally accepted agreement or framework is in place. While some nations agree to follow a set of mutually agreed guidelines for conduct in cyberspace, there remains a lot of disagreement on what should be considered acceptable and unacceptable. For instance, cyber espionage (and espionage in general) is not, per se, regulated by international law. As a result, in the cyber domain, the same malware can be used to conduct cyber espionage and compromise critical national infrastructure (which is agreed by most nations as off-limits for cyber-attacks).[24] This inability to accurately predict an attacker’s objective (or an interested party) remains a big challenge for attribution and peaceful cyberspace.

Nations often need more time to reveal their attribution processes and capabilities.[25] Also, while some countries might be able to follow up attributions with concrete steps like sanctions or indictments (as observed in various US attributions), most others might need help to do the same. This means their attributions will remain just grievances and not be taken seriously by the international community. At the same time, with a clear policy and capability to retaliate, the government will be perceived as strong in front of its citizenry.[26]

Cyber attributions can also be categorised based on who is making the attribution. According to the Cyber Operations Tracker created by the Council on Foreign Relations (CFR), 85 per cent of cyber-attacks resulted in some form of attribution between 2016 and 2018, and governments carried out only 15 per cent of these attributions.[27][28] However, non-governmental attributions should be taken more seriously. While some of the companies involved in threat intelligence and cyber-security domains may be capable of accurate and verifiable attribution, there remains a doubt that others with lesser resources might misattribute an incident, resulting in undesired and unpleasant reactions by the attributed parties.

Similarly, attributions by media and think tanks are generally deemed less credible due to their lower technical capabilities and over-reliance on third-party data.[29] As the stakes for governmental credibility and ability are much higher when attributing to state or non-state actors, state attributions are deemed the most credible (alongside a few prominent non-governmental companies).

Current Strategies and Policies

As cyber attribution became increasingly important for nations to exert sovereignty over their cyberspace, several strategies and attribution policies emerged in recent years. While aimed toward a similar objective, these policies and their strategic rationales differ in substance. In some cases, governments have more explicitly stated criteria for categorising cyber-attacks and attributing them to the perpetrator. In others, intentional (or strategic) ambiguity is maintained to have some flexibility to respond on a case-by-case basis.[30] Beyond the deliberations to forge universal policies through multilateral mechanisms like the UN, it is primarily the western partners who have shown the most intent toward developing attribution strategies and policies. To understand the current trends in attribution in cyberspace, the next part looks at how the UN, the US and its partners, and China view cyber attribution.

United Nations

In the UN, cyberspace governance has been a critical agenda for the last two decades. Cyber attribution, too, has received much attention. In the 2014-15 report by the Group of Governmental Experts (GGE)—a twenty-five-member group on advancing responsible state behaviour in cyberspace in the context of international security—all states agreed that in the case of cyber incidents, all relevant information and the larger context of the event, along with the challenges of attribution in the Information and Communications Technology (ICT) environment should be considered.[31] [32] The GGE also concluded that all accusations of organising and implementing wrongful acts brought against states should be substantiated. The divide between the US-led group and the Russia-China-led group on cyberspace governance norms[33] also exists on the topic of attribution. While the West deems accurate attribution possible, Russia considers this area needs further study.[34] Most of the other nations have usually stayed silent.[35] However, even in the case of Western countries, differences in cyber strategies can be observed.

US

In 2015, James Clapper, then director of the US national intelligence, testified that most cyber actors could no longer assume that their activities would remain undetected or that they would be able to hide their identities.[36] In March 2016, US attribution capabilities were showcased when a group of Iranian hackers were indicted in response to their Distributed-Denial-of-Service (DDoS) attacks.[37] The same year, FBI director James Comey commented that the US seeks to change behaviour by calling out individuals and nations who use cyber-attacks to threaten American enterprises.[38]

The US has sought collective attribution efforts to achieve multiple objectives in recent years. While collective attribution helps build support among partners and helps in strengthening further information sharing and diplomatic engagement, it also helps boost the attribution's effectiveness. In 2018, the White House National Cyber Strategy emphasised working with a broad coalition of ‘like-minded’ states to attain cyber deterrence.[39] To this aim, Washington has frequently conducted ‘government-to-government’ attribution.[40] The stated objective of these efforts has been to promote deterrence in cyberspace.

However, the US has also attributed cyber-attacks in various ways beyond formal statements and remarks by officials or leaders. These methods involve press leaks by anonymous government officials, sanctions by the Department of the Treasury, indictments by the Department of Justice, and endorsements of reports by non-governmental resources.[41]

In March 2020, the Cyberspace Solarium Commission launched its report, which put forth a ‘layered cyber deterrence’ approach for cyber-security.[42] This advocates for a three-fold approach to achieving cyber deterrence:

1. Shape behaviour by working with partners to influence how parties act in cyberspace. (Norm creation, international law, agreements, treaties, etc.)
2. Deny benefits by creating resiliency and securing critical networks in cyberspace. (Cyber Defences)
3. Impose costs by retaliating against malicious actors who use cyberspace to harm the US. (E.g., Cyber attribution, indictments, sanctions)

The commission has considered ‘deterrence’ as an enduring strategy for the US, which should focus on imposing costs on adversaries.[43] On the other hand, the Department of Defence’s ‘persistent engagement’ strategy seeks to occupy adversaries and deny them the time and resources to carry out attacks to achieve this goal.[44]

With the advancement in both governmental and private sector security capacities, it is said that detection and attribution are no longer a barrier for the US. Further, collective attribution might be the answer to the credibility issue. The only problem for the US might be measuring the changed behaviours due to attribution.

UK

As highlighted earlier, the UK has sought to align with the US in attributing cyber activities to Russia and China. The UK views public attribution as furthering its commitment to clarity and stability in cyberspace. For example, in October 2018, the UK and the US publicly attributed a cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) to the Russian intelligence agency Glavnoye Razvedyvatelnoye Upravlenie (GRU).[45] The UK’s National Cyber Strategy 2022 highlights five pillars of its strategy, intended to be achieved by 2025.[46] One of these pillars is detecting, disrupting, and deterring adversaries to enhance security in and through cyberspace. The strategy presents the UK as a leading cyber power and states that the UK has been instrumental in increasing international capability and resolve to confront malicious cyber activity. It also states that the UK has been consistent in its publicly stated positions and has built relationships cultivated through a long history of collaborative operational responses.

The UK has significantly invested in offensive cyber capabilities and sought to coordinate with allies for attribution to raise the cost of state-sponsored malicious activity in cyberspace. This strategy has been showcased in cases like the SolarWinds attack and the Microsoft Exchange breaches, where the UK took a leading stance with the US for public attribution.[47] To further build upon this strategy, the UK has developed an autonomous cyber sanctions policy to respond to attacks in cyberspace.[48] But similar to the issue faced by the US, the UK national strategy also accepts that despite its approach and capabilities in cyber deterrence, the UK still needs to fundamentally alter the risk calculus for attackers.

France

France has considered attribution cautiously since it presented its cyber strategy in 2008. [49] Unlike Western partners, France refrained from public attributions to state actors and has only attributed attacks to hacker groups and threat actors. [50] While this stance is sometimes criticised by partners and observers who view this as France being unsupportive, France considers attribution reported bilaterally through diplomatic channels to be the most effective approach.[51] Claire Landais, former General Secretary for Defence and National Security, partly elaborated on this rationale when she said that making a name public is also taking the risk of freezing positions and complicating the engagement of a dialogue.[52] The French cyber commander in 2018 also opined that avoiding public attribution is seen in French strategy as a de-escalatory mechanism.[53]

Attribution is considered one of the six missions for French cyber defence in its strategic view.[54] But the French strategy to avoid public attribution to state actors does not mean an absence of capability. On the contrary, France has sought to develop its attribution capabilities and has established a Cyber Command and intelligence services to tackle issues in cyberspace.[55] It has attributed cyber-attacks unofficially through mechanisms like non-public channels and press leaks since 2012.[56] However, observers have highlighted that the French strategy has evolved recently. For the first time, in 2019, France publicly attributed cyber-attacks to a state-linked threat actor. The speech by Florence Parly, the Minister of Armed Forces, was seen as a political attribution implicitly aimed at a state.[57]

With several voices calling for public attribution to ensure French national interests, there has been an uptick in public statements since the end of 2020, which designate the perpetrators of cyber-attacks under various labels.[58] France has also supported the increasingly visible collective attribution approach by its partners. However, it has recently joined collective public attribution efforts with minor changes in its official documents. These changes follow the French strategy to avoid direct public state attribution. Thus, while allies and partners attribute attacks to state or state-sponsored groups, Paris carefully attributes cyber-attacks to groups and threat actors.

EU

For the EU, reliance on ally infrastructure and resources and diverging views of member states are critical issues in cyber-attribution strategy. According to a study by Stiftung Wissenschaft und Politik (SWP), the evidence provided by the security services of EU member states usually needs to be revised and completed.[59] The EU responded with a time lag in most cases the study analysed. The coordination and unanimity required for follow-up actions like sanctions took much longer than other counterpart processes.[60] An example of such a counterpart process is the one followed by the Five Eyes alliance, which seeks to attribute attacks on a much shorter timeline.[61]

Further, the study highlighted that the EU’s cyber-attribution capability had diminished post-Brexit.[61] This affects the attribution credibility of the EU. A difference in technical capabilities and threat assessment strategies at national levels is also a factor that contributes to the EU’s stance toward attribution in cyberspace. To this end, the EU has recently developed the ‘Cyber Diplomacy Toolbox’ to list and describe actions that the EU may undertake in response to cyber-attacks.[63][64] These actions will depend on the victim member state’s level of confidence in attribution and the necessary level of coordination to implement the activity effectively. Unlike the US, the EU has established a set of predictable response options.

China and Russia

China and Russia have faced the most cyber attributions (along with North Korea)—both by state and non-state sources—over the last two decades. On cyber attribution, while Russia maintains that this field requires more study, it stresses that countermeasures against a state responsible for an internationally wrongful act shall not affect the obligation to refrain from the threat or use of force as embodied in the Charter of the UN, related to the obligations of a humanitarian character prohibiting reprisals, protection of fundamental rights, and obligations under peremptory norms of general international law. Moreover, in China’s view, attributing states should demonstrate genuine, reliable, and adequate proof when making attributions.[65]

In an article on the Chinese perspective on public cyber attribution (for Carnegie Endowment for International Peace), it is highlighted that till recently, China had not engaged in public cyber attributions, except when Beijing joined others to condemn Washington’s government surveillance scheme, in the aftermath of Snowden revelations.[66] Like China, Russia, too, has refrained from public attributions to any adversary state-affiliated cyber actors.

Challenges to attribution accuracy emerging from technical aspects and resulting in misattribution are seen with concern by China. The absence of shareable evidence and hesitancy by the attributor in explaining the process to reach the attribution have been some of the issues pointed out by the attributed parties. Beijing has expressed displeasure that attributions lacking credibility have tarnished China’s international reputation. For example, the alleged evidence presented in favour of the US Department of Justice’s claim that China had stolen US data on COVID-19 vaccines was that Chinese hackers had been probing the computer networks of the US vaccine makers for possible drugs.[67]

It can also be argued that China needs credibility endowed by collective attribution efforts and the discursive power that the US and the western powers have across the globe. However, in recent years, Beijing has sought to retaliate against Western attributions through counter-attributions. In July 2021, a Chinese Foreign Ministry spokesperson demanded that Washington drop charges against four Chinese nationals accused of working with the Ministry of State Security to try to steal US trade secrets and research.[68] While accusing the US of ganging up with allies to make unwarranted accusations against China, the spokesperson alleged that the US Central Intelligence Agency has been carrying out cyber-attacks on China’s aerospace research facilities, oil industry, internet companies, and government agencies.[69]

In March 2022, Chinese news agency Xinhua (citing the National Computer Network Emergency Response Technical Team/Coordination Centre of China or CNCERT/CC) said that China had experienced continuous cyber-attacks since February 2022 in which US internet addresses were used to seize control of Chinese computers to target Belarus and Russia.[70] This can be seen as a further step toward China’s entry into the geopolitics of public cyber attribution.

Takeaways for India

The National Cyber Power Index 2020 by the US-based Belfer Centre highlighted that India lacks cyber defence capabilities and has relatively weak cyber-crime laws, despite significant levels of malicious cyber-attacks in its cyberspace. [71] It is observed that Chinese hacker groups have regularly targeted the Indian public sector in cyberspace since the border skirmishes between India and China in May 2020.[72] In October of the same year, large parts of Mumbai were affected by blackouts, including medical and transport services.[73] The US-based cyber-security firm ‘Recorded Future’ later attributed the attack to a China-linked group.

In a similar attribution, a report by the US-based ‘Insikt Group’ stated that China-linked hackers performed a series of cyber-attacks against high-profile Indian targets like the ‘Unique Identification Authority of India’ (UIDAI), the Times Group, and the Madhya Pradesh police department, among several others.[74] In recent years, India has suffered an increasing number of cyber-attacks. The Indian Computer Emergency Response Team (CERT-In) reported around 600,000 cyber security incidents in the first half of 2021, and 25,870 Indian websites were hacked between 2018 and October 2021.[75]

Many prominent voices in India have raised a need for India’s response to this situation. In September 2020, India’s National Cyber Security Coordinator (NCSC)—Lt. Gen. Rajesh Pant—highlighted the critical factors affecting India’s cyber-security posture while discussing the state of cyber resilience and cyber-security challenges the nation faces.[76] He underlined that a lack of cyber-security attribution and help from the international legal system are hindrances to India’s cyber strategy. He remarked that the Mutual Legal Assistance Treaties (MLATs) for exchanging information needed to perform attribution had not worked efficiently for India. Beyond this, a workforce crunch remains a bottleneck for India to become capable in cyber-security.

Lt. General Deependra Singh Hooda—a prominent figure in India’s defence and cyber strategy—highlights that India needs to scratch its cyber deterrence strategy.[77] He emphasises the need to improve India’s cyber attribution capabilities through a collective effort by Indian intelligence agencies and the development of advanced competencies in cyber forensics. He also brings attention to India’s increasing vulnerability in cyberspace due to a lack of comprehensive cyber-security strategies and policies. He opines that the Indian government should establish an organisation like the National Cyber Command to synergise the efforts of experts working under separate government ministries, departments, and organisations.

A report by the Bangalore-based Centre for Internet and Society (Cyberspace and External Affairs: A Memorandum for India) argues that India has often shied away from playing a global leadership role in cyber-security and has instead taken a fragmented approach through bilateral diplomatic opportunities.[78] The memorandum suggests that India should play a ‘pro-active’ role in norms-formulation deliberations in the UN instead of following agendas driven by other nations. Through this, India can position itself uniquely and can become a leading voice that puts forth the interests and priorities of the Global South. To this aim, India needs to chart out a cyber-deterrence strategy which outlines India’s approach toward cyber adversaries and India’s system towards cyber defence alliances for collective attribution and partnerships for information sharing.

While India has the potential to carve out unique deterrence and attribution policies oriented toward India’s worldview, considering the various available strategies can be helpful. For years, India has balanced the eastern and western views on cyberspace governance, norms shaping, and international law. As a result, India is now uniquely placed to establish itself as a credible cyber-attributing state. As with many other key themes in global geopolitics, a strong perspective from New Delhi is much needed and looked upon.

Beyond the Solarium Commission’s ‘layered cyber deterrence’ approach, the French approach of avoiding direct state attribution, the UK’s open commitment to offensive capabilities, and the EU’s cyber diplomacy toolbox approach, India can look into new strategies put forward by academia, think tanks and private sector organisations. These approaches include the ‘stateless attribution’ proposed by the RAND Corporation (which calls for a consortium that would provide an independent investigation of major cyber incidents and exclude formal governmental representation),[79] the ‘peer-reviewed’ technical attribution proposed by Microsoft,[80] and the concept of ‘accusation’,[81] a broader concept that aims to offer states a menu of strategic options beyond traditional methods like naming and shaming (political attribution). The accusation approach argues that ‘naming and shaming’ assumes that an accused will conform to a certain behavioural expectation. As highlighted above, this has remained a significant challenge for current attribution tactics.

For India, it is now ten years since the last Indian Cyber Security Policy was released in 2013. A lot has changed since then, and the world is more entrenched in cyber than ever before. With the increasing militarisation and securitisation of cyberspace, India needs to take concrete steps towards establishing its cyber deterrence strategies and capabilities. These capabilities will serve as a deterrent only when adversaries are aware of them. Hence, the need for a robust policy is inescapable.

Conclusion

It is clear that as cyberspace becomes increasingly crucial for all spheres of life, it will be essential for states to seek policies and strategies for maintaining peace in the cyber domain. The first step towards this objective has faced several challenges as accurate attribution remains a capability possessed by only a few. Credibility, accuracy, intent, and power are issues in front of most states looking to establish cyber deterrence capacities. While the interests and objectives of all these actors converge, the strategies differ according to global geopolitical dynamics. As India looks toward refining its cyber security strategy, it would be beneficial to consider the existing attribution policies and strategies to achieve cyber deterrence.

Endnotes

[1]Martha Finnemore and Duncan B. Hollis, “Beyond Naming and Shaming: Accusations and International Law in Cybersecurity” March 6, 2019, https://doi.org/10.2139/ssrn.3347958.
[2]Erica Lonergan, “What Makes This Attribution of Chinese Hacking Different” Carnegie Endowment for International Peace, July 22, 2021, https://carnegieendowment.org/2021/07/22/what-makes-this-attribution-of-chinese-hacking-different-pub-85023.
[3]David Sanger and Marc Santora, “U.S. and Allies Blame Russia for Cyberattack on Republic of Georgia” The New York Times, February 21, 2020, https://www.nytimes.com/2020/02/20/world/europe/georgia-cyberattack-russia.html.
[4]“The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China” The White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.
[5]Arielle Waldman, “US, EU Attribute Viasat Hack to Russia” Tech Target, May 10, 2022, https://www.techtarget.com/searchsecurity/news/252518023/US-EU-attribute-Viasat-hack-to-Russia.
[6]Clara Assumpção, “The Problem of Cyber Attribution Between States,” E-International Relations, May 6, 2020, https://www.e-ir.info/2020/05/06/the-problem-of-cyber-attribution-between-states/.
[7]Clara Flook, “Russia And The Cyber Threat” Critical Threats, May 13, 2009, https://www.criticalthreats.org/analysis/russia-and-the-cyber-threat.
[8]Finnemore and Hollis, n. 2
[9]Lu Chuanying, “A Chinese Perspective on Public Cyber Attribution - Managing U.S.-China Tensions Over Public Cyber Attribution” Carnegie Endowment for International Peace, March 28, 2022, https://carnegieendowment.org/2022/03/28/chinese-perspective-on-public-cyber-attribution-pub-86699.
[10]Jon Bateman, “The Purposes of U.S. Government Public Cyber Attribution - Managing U.S.-China Tensions Over Public Cyber Attribution” Carnegie Endowment for International Peace, March 29, 2022, https://carnegieendowment.org/2022/03/28/purposes-of-u.s.-government-public-cyber-attribution-pub-86696.
[11]Mika Kertunnen, “Charting of National Attribution Policies,” Directions Blog, January 19, 2022, https://directionsblog.eu/charting-of-national-attribution-policies/.
[12]Ibid
[13]Bateman, n. 11
[14]Tania Millan et al., “Perspectives on Taiwan: Insights from the 2018 Taiwan-U.S. Policy Program” (Center for Strategic & International Studies, March 2019), https://rowman.com/ISBN/9781442281097/Perspectives-on-Taiwan-Insights-from-the-2018-Taiwan-U.S.-Policy-Program.
[15]Finnemore and Hollis, n. 2
[16]Kertunnen, n. 12
[17]Bateman, n. 11
[18]Bateman, n. 11
[19]“Authoritarianism and Nationalism Are on the Rise around the World: Blinken” Business Standard News, March 4, 2021, https://www.business-standard.com/article/international/authoritarianism-and-nationalism-are-on-the-rise-around-the-world-blinken-121030400036_1.html.
[20]Lindsey Welch, “A Complex Threat Landscape Muddles Attribution” Decipher, January 14, 2022, https://duo.com/decipher/how-an-evolving-threat-landscape-muddles-attribution.
[21]“Attribution: A Major Challenge for EU Cyber Sanctions”, Stiftung Wissenschaft und Politik, December 16, 2021, https://www.swp-berlin.org/en/publication/attribution-a-major-challenge-for-eu-cyber-sanctions#hd-d41750e1054.
[22]Patrick O’Neill, “Chinese Hackers Disguised Themselves as Iran to Target Israel” MIT Technology Review, August 10, 2021, https://www.technologyreview.com/2021/08/10/1031622/chinese-hackers-false-flag-iran-israel-fireeye/.
[23]Welch, n. 21
[24]“Attribution: A Major Challenge for EU Cyber Sanctions”, n. 22
[25]Anushka Kaushik, “Public Attribution and Its Scope and Efficacy as a Policy Tool in Cyberspace” Observer Research Foundation, October 21, 2019, https://www.orfonline.org/expert-speak/public-attribution-and-its-scope-and-efficacy-as-a-policy-tool-in-cyberspace-56826/.
[26]Bateman, n. 11
[27]Josh Holder, “Tracking Coronavirus Vaccinations Around the World,” The New York Times, June 1, 2021, sec. World, https://www.nytimes.com/interactive/2021/world/covid-vaccinations-tracker.html.
[28]Kaushik, n. 26
[29]Chuanying, n. 10
[30]Alix Desforgres and Aude Gery, “France Doesn’t Do Public Attribution of Cyberattacks. But It Gets Close.,” Lawfare, September 3, 2021, https://www.lawfareblog.com/france-doesnt-do-public-attribution-cyberattacks-it-gets-close.
[31]Kertunnen, n. 12
[32]“A/70/174”, United Nations General Assembly, July 22, 2015, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement.
[33]Lauren Zabierek et al., “US-Russian Contention in Cyberspace: Are Rules of the Road Necessary or Possible?” Russia Matters, June 10, 2021, https://www.russiamatters.org/analysis/us-russian-contention-cyberspace-are-rules-road-necessary-or-possible.
[34]Kertunnen, n. 12
[35]Ibid.
[36]Bateman, n. 11
[37]Ibid.
[38]Ibid.
[39]Kaushik, n. 26
[40]Bateman, n. 11
[41]Ibid.
[42]“Cybersecurity: Deterrence Policy”, Congressional Research Service, January 18, 2022, https://crsreports.congress.gov/product/pdf/R/R47011.
[43]Ibid.
[44]Ibid.
[45]Kaushik, n. 26
[46]“National Cyber Strategy 2022”, HM Government, https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022.
[47]Ibid.
[48]Ibid.
[49]Desforgres and Gery, n. 31
[50]Ibid.
[51]Ibid.
[52]Ibid.
[53]Desforgres and Gery, n. 31
[54]Ibid.
[55]Ibid.
[56]Ibid.
[57]Ibid.
[58]Ibid.
[59]“Attribution: A Major Challenge for EU Cyber Sanctions”, n. 22
[60]Ibid.
[61]Ibid.
[62]Ibid.
[63]“Attribution: A Major Challenge for EU Cyber Sanctions”, n. 22
[64]“European Union Equipping Itself against Cyber Attacks with the Help of Cyber Diplomacy Toolbox” CCDCOE, https://ccdcoe.org/incyder-articles/european-union-equipping-itself-against-cyber-attacks-with-the-help-of-cyber-diplomacy-toolbox/.
[65]Kertunnen, n. 12
[66]Chuanying, n. 10
[67]Ibid.
[68]Joe McDonald, “China Rejects Hacking Charges, Accuses US of Cyberspying”, AP News, July 20, 2021, https://apnews.com/article/technology-business-china-hacking-6cd7d59f1b6aa4a0539d987e5340b705.
[69]Kishikha Mahajan and Sameer Patil, “Expanding Chinese Cyber-Espionage Threat against India,” Observer Research Foundation, April 18, 2022, https://www.orfonline.org/expert-speak/expanding-chinese-cyber-espionage-threat-against-india/.
[70]“China Says US Addresses Used Its Computers to Attack Russia, Ukraine”, South China Morning Post, March 11, 2022, https://www.scmp.com/news/china/diplomacy/article/3170112/china-says-us-internet-addresses-used-its-computers-launch.
[71]Julia Voo et al., “National Cyber Power Index 2020”, Belfer Center for Science and International Affairs, September 2020, https://www.belfercenter.org/publication/national-cyber-power-index-2020.
[72]Saikiran Kannan, “China Continues to Pose Cyber Security Threats to India” India Today, September 23, 2021, https://www.indiatoday.in/india/story/china-continues-to-pose-cyber-security-threats-to-india-1856224-2021-09-23.
[73]Mahajan and Patil, n. 71
[74]Kannan, n. 74
[75]Ibid.
[76]Paramita Ghosh, “From Russia with Love: How the Bolshevik Revolution Impacted India’s Leaders” Hindustan Times, November 18, 2017, https://www.hindustantimes.com/india-news/from-russia-with-love-how-the-bolshevik-revolution-impacted-india-s-leaders/story-bTGWOuQFS1PkvXmmV4LadN.html.
[77]Deependra Hooda, “Towards a Cyber Deterrence Strategy for India” Delhi Policy Group, July 15, 2021, https://www.delhipolicygroup.org/publication/policy-briefs/towards-a-cyber-deterrence-strategy-for-india.html.
[78]Arindrajit Basu and Elonnai Hickok, “Cyberspace and External Affairs: A Memorandum for India”, The Center for Internet and Society, November 30, 2018, https://cis-india.org/internet-governance/files/cyberspace-and-external-affairs.
[79]Kaushik, n. 26
[80]“An Attribution Organization to Strengthen Trust Online”, Microsoft, 2016, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QI.
[81]Finnemore and Hollis, n. 2

(The paper is the author’s individual scholastic articulation. The author certifies that the article/paper is original in content, unpublished and it has not been submitted for publication/web upload elsewhere, and that the facts and figures quoted are duly referenced, as needed, and are believed to be correct). (The paper does not necessarily represent the organisational stance...


Image Source: https://www.rms.com/sites/default/files/inline-images/system-hacked_0.png
