Published by The Quint: https://www.thequint.com/blogs/2017/04/24/achieving-military-grade-cyber-attribution.
I have been pondering over this for months now.
In the wars of the future, how would the armed forces of a nation decide that reasonable thresholds have been crossed and that an offensive or retaliatory action is merited? What if the incursions or transgressions of the adversary only happen within our sovereign information space, which is as sacrosanct as our real border? What if we underestimate the damage a saboteur or subversive could cause with a cyber operation, which, in turn, may require a physical or kinetic response? How and with what certainty would we eventually lock in on the targets with mathematical precision if the perpetrators hide behind layers of anonymity or deniability?
To put it simply – how much money and what resources would be needed to create a global, military-grade attribution capability?
Attribution is the meticulous and painstaking process that redraws the footprints of an adversary in the cyberspace, which – to borrow the terminology of Russian Chief of General Staff Valery Gerasimov – could also be called the intelligence-information space.
These questions do not belong in some aimless roundtable of strategic pundits or think tanks, but in the war room of our government. With the amount of coverage that cyber operations are getting in the geopolitical news cycles across the world, I think the Rubicon has already been crossed for us to start painting targets on the map.
A military without systematic and substantive attribution proficiency is like a blind man with a sniper rifle (no offence to my visually impaired friends).
Just see the lengths to which nation states go to guarantee it.
The Office of the Director of National Intelligence of the United States (US) declassified a highly-redacted report right after the 2016 presidential elections, squarely putting the blame for the hacking on Russia. Nothing in the dossier hinted at the intelligence tradecraft of the world’s most elaborate eavesdropping apparatus used to reach such a grim conclusion. No one, not even the infuriated American polity, could convince the US Intelligence Community to reveal how the spies had managed to convince the incumbent president Obama to cause the biggest escalation against the Russians since the Cold War.
So much secrecy, when it is publicly known that the National Security Agency (NSA) has the most expansive counter-hacking program. Widely termed offensive defence, it is the ingenious methodology by which one piggybacks on the very conduits of the hacking operation to exploit its attack staging infrastructure, acquiring a crucial opportunity to unmask the actors.
To quote from another essay of mine, Cyberspace as A Theatre of ‘Non-Linear War’:
DEFIANTWARRIOR devours signals from the electronic dragnets run by the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the US), the mid-point exploitation frameworks of the General Communications Headquarters (the British counterpart of the NSA), and a worldwide active-passive collection platform worth half-a-billion dollars called TURBULENCE (or QUANTUMBOT). The seamless, 360-degree and back-and-forth transition from the hostile cyberspace to its own that DEFIANTWARRIOR allows serves as a case in point for the massive efforts and resources required to guarantee fool-proof attribution.
Despite all this, there was a lot of reluctance to share even a part of the hacking evidence.
And then, an odd set of events transpired in Moscow. Right after the swearing-in of Trump, operatives from the Russian intelligence agency FSB arrested one of their own, the head of the cyber operations division. Sergey Mikhaylov wasn’t just detained, but unceremoniously dragged out of a meeting covered with a black mask. Days later, a senior researcher from the antivirus giant Kaspersky was picked up, too. The message was loud and clear – the Kremlin was cracking down on a nexus of double agents.
I would not even begin to join the dots – as investigative journalist Brian Krebs has already drawn some breath-taking conclusions – but this was a secret so damning that the US was willing to keep it at any cost. The final shred of evidence, the veritable last nail in the coffin, against the hacks didn’t come from the US’s full-frontal attribution capability, but from the oldest known trick in the book – human intelligence.
In matters of risk assessment, it was the correct thing to do – you just can’t go on the biggest diplomatic offensive based on inputs gained solely from technical intelligence, regardless of the billions you may have spent on it. The alarming fact that the Russians got a whiff of the identities of the double agents ought to result in a serious internal probe in the US.
And that’s the strategic lesson to be learnt on attribution. It’s an indispensable component of a military doctrine, but ultimately just a means to an end. However, not building such capabilities in the first place is like clipping the wings of a bird before it can even fly.
The US is truly an exception with its enviable hegemony over the global communications infrastructure. Nimble nation states like ours may learn a lesson or two from Israel: their surveillance footprint increases every time an Israeli defence, intelligence, cybersecurity or communications vendor bags a contract in a conflicted part of the world. While dealing with them, one doesn’t even realise where the lofty ambitions of the vendor end and the tacit overtures of the government begin. It’s like a 50-year strategic roadmap for information dominance.
As Indian Armed Forces mull over the transition to integrated theatre commands, information-enabled initiatives would solely rest on the pivot of attribution. It is scary to even imagine that an offensive capability, kinetic or cyber, is expended without fully illuminating the adversary behind the curtain. In a tense subcontinent, a wily third-party may even machinate a perfect false-flag operation that brings the sparring neighbours to brinkmanship.