Cyber sanctions can send a powerful message – why aren’t they being used more widely?
The European Union lacks coherence when it comes to responding to cyber-attacks because of problems surrounding attribution, a new report warns.
In ‘Attribution: A Major Challenge for EU Cyber Sanctions’, Annegret Bendiek and Matthias Schulze of the German Institute for International and Security Affairs analyze the policy responses to the WannaCry, NotPetya, Cloud Hopper, OPCW, and Bundestag cybersecurity incidents and conclude that the process of attribution tends to be fragmented and slow.
“Right now, every member state does its own attribution and political and legal assessment of cyber-incidents,” Schulze tells The Daily Swig. “Since capabilities vary, it is possible that member states assess the same incident quite differently and this leads to a fragmented response.
“Cyber-sanctions are a soft power tool, and if they want to work, they need strong, unanimous support by EU member states to send a clear message to adversaries.”
Diagnosing the problem
In establishing attribution, the EU relies too much on intelligence from NATO partners, the report suggests, and the weighting of the criteria for establishing what constitutes a crime is unclear.
Meanwhile, the technical realities and the legal facts for classifying and prosecuting cyber-attacks don’t always match up.
“Right now, there is a list of criteria that cyber-incidents should meet, but the prioritization of these principles is unclear,” says Schulze.
“What weighs heavier: attack on democratic institutions, loss of life – ransomware against hospitals – or large-scale disruptions like NotPetya with billions in damages?”
The authors conclude that the EU should tighten legal criteria and harmonize standards of evidence for attribution.
Approach with caution
Bob McArdle, director of forward threat research at Trend Micro, a cybersecurity company, says it’s important to be cautious when attempting to establish attribution – and sometimes better not to try at all.
“Attribution is difficult, time-consuming, prone to misleading conclusions due to lack of all data, and most of all can have high impact if done incorrectly,” he tells The Daily Swig.
“It is relatively trivial for a skilled group to plant false flags, such as TTP of another group, strings of text in a certain language or use of another group’s preferred tooling, with the specific goal of actually pushing the security industry to misdiagnose its source.
McArdle adds: “In an era where a cyber-attack can immediately lead to major political fallout, we believe that is simply irresponsible.”
And where attribution is desirable and possible, says Jason Steer, principal security strategist at Recorded Future, it will inevitably take time.
“Attribution is very difficult to do with a high degree of confidence, which results in large amounts of time being needed,” he tells The Daily Swig.
“Whether it’s in the context of private org attribution or EU/global, it takes too long and may often be impossible or not a good use of resource. The ability and restrictions of sharing sensitive intel makes this harder again.”
‘Smaller, tactical adjustments’
In order to improve coordination, the report proposes the introduction of qualified majority voting as a prerequisite for the adoption of cyber sanctions.
But, warns Schulze, “this is politically contested and hard to achieve. So it’s likely that they’ll aim for smaller, tactical adjustments such as sharpening the legal requirements or speeding up the information exchange process for attribution by making organizational changes.”
In fact, the EU has only once used sanctions – in 2020, following an attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons, and in relation to the WannaCry, NotPetya, and Operation Cloud Hopper groups.
This, says Jamie Collier, senior threat intelligence advisor at Mandiant, was a step in the right direction. However, he says, attribution and sanctions don’t always work.
“We’ve previously seen some Chinese APT groups go quiet for a sustained period after being publicly called out, but there is evidence that they have become less sensitive to this over time, and are now more likely to resume operations shortly after public attribution,” he tells The Daily Swig.
“While attribution might not always deter established cyber espionage groups already carrying out activity, it may make emerging state actors from other nations think – those that are more sensitive to international pressure might therefore be more hesitant to cross red lines established by the EU.”