Placing Blame is a Media Game: Why Attribution is a Challenge in Cybersecurity

When a cybersecurity threat becomes public, either through the discovery of a data leak or – if an organization is lucky – early detection, the first question asked is “why.” Often, the second is “who.”

The problem is that who instigated an infiltration and why they did it are incredibly complex questions. Beyond corporate espionage, firms have to consider many other possibilities, such as whether it was a malicious attack by an unaffiliated hacker group, an inside job by a disgruntled or misled employee, or the work of a foreign government. In every instance, the targeted group is looking for someone to blame, but attributing an attack to a specific individual or group is incredibly difficult, if not impossible.

Attribution raises two major questions within cybersecurity. First: How can the source of the viruses be confirmed? Second: What are the facts that led to the attribution? In the recent past, many major corporate security breaches have been blamed on government actions. The attack on Sony Pictures Entertainment was reported to have been perpetrated by North Korea, while China has also been blamed for a significant number of cyberattacks on the U.S. and U.S.-based companies. Most recently, Israel was blamed for malware discovered in the systems of the hotels hosting the Iran nuclear negotiations. But where’s the proof, and who’s assigning the blame?

In many cases, the finger is being pointed not by the security professionals investigating the threats, but by the media. Sensationalism sells, and the headline “Government-backed malware targets company” garners more attention than “Business discovers massive malware infection on systems.” Making associations and connecting dots is an important part of investigation in cybersecurity, but it is also critical to make sure you have all the facts (which is nearly impossible) before assigning blame, rather than jumping to conclusions to sell a story.

Too often, in instances where the media is the one assigning attribution, the links to the blamed organizations are tenuous at best. The finger-pointing is based on past associations with related malware or efforts, or on correlations drawn from evidence that would be easy for an unassociated party to replicate. China, for example, is historically open about its hacking efforts, making little effort to cover its tracks. This may seem to make Chinese-sponsored attacks easy to identify, but it also allows other hackers to copy those tactics and pass the blame.

Additionally, many groups willingly sell their malware on the Darknet, putting hundreds, if not thousands, of copies of the same tool out in the world, making it hard to identify the true source of the attack.

Regardless of whether a nation-state is involved or the hackers behind malware act on their own, the truth is that cybersecurity will continue to have a major impact on our lives on a personal and professional level. Discovering “who” is important, but it’s even more important that we take a calculated approach to investigating threats to better protect ourselves in the future, and systematically reduce the risks that these threats present.

Lital Asher-Dotan
About the Author

Lital is a Marketing Team Leader, Storyteller, and Technology Marketing Expert. She joined Cybereason as the first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.