
Is Naming and Shaming a Legitimate Strategy in Cyberspace?

“Naming and shaming” refers to the practice of publicly singling out a government for having behaved in a bad or illegal way, but it is not practical in cyberspace.

In January 2018, the White House Cybersecurity Coordinator stated that the U.S. government planned to strengthen its cyber deterrence policy over the course of this year. Cyber deterrence has been a popular discussion at the highest levels of government, but little so far has been done to develop an actual strategy to achieve this objective. Among the tools that have been used to deter hostile activities in cyberspace, including sanction imposition (e.g., cyber sanctions), diplomatic activities (e.g., no-hack agreements), and retaliatory actions (e.g., knocking North Korea off the Internet), few have demonstrated success so far. Per the Coordinator, “naming and shaming” appears to be another approach that the government can and should utilize to curb hostile cyber operations.

“Naming and shaming” refers to the practice of publicly singling out a person, company, government, etc., for having behaved in a bad or illegal way. It is hoped that by causing public embarrassment, the offending entity will alter its behavior and, ideally, no longer conduct itself in the same manner. While practical in the physical world where actions can be observed and recorded, similar approaches are more challenging in a borderless digital domain. Actors in cyberspace enjoy an environment in which they can find technical and operational means to obfuscate activity, using proxies, anonymizing techniques, and encrypted technologies to mask their identities and afford themselves a level of plausible deniability. Such realities make “naming and shaming” a questionable tactic at best.

Furthermore, “naming and shaming” requires the victimized government to have been able to attribute the hostile activity to another government or an agent of that government.  I, as well as many others, have long maintained that attribution in cyberspace is difficult, and while not impossible as some have intimated, it does call into question the veracity of technical data used to bolster attribution efforts.  Such data is heavily relied upon to determine the identities or at least countries of responsibility.  Over the past decade or so, many computer security companies have published reports detailing the tactics, techniques, and procedures (TTP) of the actors to help attribute the activity to a specific group or nation state government.

However, there has been little acknowledgement of the fact that once these published reports of suspected nation state cyber activity are made public, that state or other actors may use the very indicators of compromise shared in the reports for their own purposes. Once made public, any actor can use the published malware, TTPs, and target preference of one suspected state actor group to help mask its own operations. Many of these broad cyber campaigns target a series of verticals, allowing the authors of these reports to focus on those targets that best bolster their attribution narratives. As pointed out by one security researcher, little consideration may be given to evidence outside this line of thinking, resulting in confirmation bias.

Therefore, “naming and shaming” without showing the total evidence of culpability risks being nothing more than a finger-pointing accusation. In the case of the Sony hack, the Federal Bureau of Investigation attempted to provide some of its evidence of North Korean guilt, which was met with significant skepticism from security specialists. The U.S. government may very well have had more information of the classified variety that solidified these assertions, but keeping that close hold did nothing to sway people who wanted to see more proof. The government has expressed confidence by barring information technology firms – notably Huawei and Kaspersky Lab – from gaining a foothold in government and private networks, without providing the substantive proof that backs its fears and suspicions.

Regardless, the question remains – will naming and shaming be a successful tactic? The success of that remains up for debate. For example, North Korea was the first nation state government called out by the United States for attacking Sony in 2014. Since that time, North Korea has been suspected in the following cyber attacks: the 2015-2016 SWIFT banking hacks, the 2017 WannaCry ransomware attacks, and the 2017-2018 cryptocurrency attacks. A recent report from one computer security company suggests that North Korean cyber activity has increased since the Sony attack. Similarly, the U.S. government has condemned Russia for its cyber assault against the U.S. 2016 presidential election, as well as a June 2017 cyber attack against Ukraine. Despite such allegations, if Russia was behind such attacks, Moscow does not appear to be deterred in how it operates in cyberspace.

Supporters of this tactic will assert that once China was publicly accused of its cyber espionage, Beijing readily agreed to enter a no-hack pact with the United States to not commit cyberespionage for commercial advantage.  While volume may have subsided, some believe that the activity continued albeit at a reduced level.  Decrease in volume does not equate to successful cyber deterrence, as it could force enterprising nation states to be more selective about what is targeted and how it goes about targeting.  A nation state can easily improve operational security, leveraging foreign language keyboards, malware written in another language, and launching attacks from even a third-party country, making technical attribution a futile effort.

Moreover, what of suspected U.S. attacks against foreign nations? Governments such as North Korea, Iran, and Russia have all publicly accused the United States of cyber attacks against organizations within their countries, without providing their evidence. If these accusations are true, will this “naming and shaming” stop the U.S. from engaging in activities that protect and support its national security objectives?

What this demonstrates is that absent definitive proof, governments will continue to deny involvement in any hostile cyber activities attributed to them by state agents or state-sponsored actors. This calls into question whether nation states truly want to develop a deterrence strategy in cyberspace. The status quo allows states to operate as they have and currently do. But what’s more, it allows defending governments to monitor these operations as well. Any change in current norms will force actors to adjust TTPs, implementing new tools and tactics that so far have not been recorded or observed. Furthermore, establishing and communicating any cyber deterrent strategy may put the initiating government at a disadvantage, as it could inform adversaries to conduct operations that fall just below thresholds that may incur diplomatic, economic, cyber, or kinetic retaliation.

Ultimately, “naming and shaming” is not a legitimate deterrence strategy, and will not deter nation states’ hostile cyber activity. However, it does serve well as a means of signaling to the offender that they have been caught and are being monitored. Both conducting the activity and detecting it demonstrate competence without necessarily having to reveal the full extent of capability. And this in itself may be the best deterrent to any country seeking to increase or amplify its cyber attacks against another country.

This is a guest post by Emilio Iasiello

The post Is Naming and Shaming a Legitimate Strategy in Cyberspace? appeared first on cyberdb.co.


