Making Cyber Attribution More Transparent
Following the example of Intrusion Truth, governments should substantiate their attribution statements that identify the perpetrators of malicious cyber operations with open-source intelligence, argues Eugenio Benincasa in this issue of the CSS Policy Perspectives series.
Key Points
- Many states hesitate to attribute malicious cyber operations targeting them, both because of technical limitations and because of the risk of exposing classified sources and methods. Those that do attribute often withhold extensive evidence for the same secrecy-related reasons.
- Since 2017, Intrusion Truth has identified more than 30 Chinese intelligence cyber operatives, primarily by using open-source intelligence, and has published its findings on its blog.
- Intrusion Truth’s revelations have had tangible operational consequences, inflicting technical and socio-economic costs on Chinese threat actors and influencing policy discussions.
- Government agencies should integrate open-source intelligence into their public attribution processes and statements to address the transparency problems that currently undermine public attribution.
Governments are generally reluctant to attribute malicious cyber operations targeting them to a specific country, entity, or operator. This is often due to technical obstacles, such as limited forensic capabilities, and the risk of exposing classified sources and methods. When states do attribute, they fear publicly disclosing extensive evidence for the same secrecy-related reasons. As a result, public attributions (see glossary on page 2) of cyber incidents often lack transparency. Can this approach be regarded as responsible state conduct in cyberspace?
Back in April 2017, an anonymous group calling itself Intrusion Truth created a blog. Since then, the blog has exposed the real identities of more than 30 Chinese state-sponsored cyber operatives across several Chinese Advanced Persistent Threat (APT, see glossary) groups. Intrusion Truth also succeeded in connecting these operatives to the Ministry of State Security (MSS) and its regional bureaus in Tianjin, Jinan, Hainan, and elsewhere.
In all its investigations, Intrusion Truth relies primarily on Open-Source Intelligence (OSINT, see glossary) and publishes a comprehensive account of its findings in a step-by-step manner on its blog. Its ability to leverage OSINT reliably and consistently for evidence-based, high-confidence public attribution purposes remains unique. It is unknown who is behind Intrusion Truth and how many people are involved. While it is possible that intelligence or law enforcement officers actively collaborate with or form a part of Intrusion Truth, no evidence has yet emerged to support such a claim.
Nevertheless, the activities of Intrusion Truth offer valuable lessons for government agencies. By optimizing the use and integration of OSINT in attribution processes and statements, government agencies can help address transparency issues in public attribution.