The Attribution Dilemma: It’s Everybody’s Business
Dr. Sarah Lohmann is Non-Resident Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. Dr. Lohmann is an Acting Assistant Professor in the Henry M. Jackson School for International Studies and a Visiting Professor at the U.S. Army War College. Her current teaching and research focus is on cyber and energy security and NATO policy, and she is currently a co-lead for a NATO project on “Energy Security in an Era of Hybrid Warfare”. She joins the Jackson School from UW’s Communications Leadership faculty, where she teaches on emerging technology, big data and disinformation. Previously, she served as the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University, where she managed projects which aimed to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms.
Starting in 2010, Dr. Lohmann served as a university instructor at the Universität der Bundeswehr in Munich, where she taught cybersecurity policy, international human rights, and political science. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department.
Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokeswoman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist and Fulbright scholar. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets.
What to do when the “bad guys” perpetrating a cyber hack or intrusion do not fit into a Cold War paradigm that separates good and evil along the border between West and East? When hacks and leaks are not directly attributable to state-supported actors, it often keeps publics and state institutions worried for a few days, but in the end, public solutions are limited to lectures about cyber hygiene, and then the world moves on … until the next cyberattack.
A recent cybersecurity hack on around 1,000 victims—including members of the German and European parliaments, famous artists, and celebrities—kept Europe’s economic powerhouse distracted this January. Politicians’ personal and credit card information was put online for all to see for days before any law enforcement agency noticed. Political leaders such as former SPD leader Sigmar Gabriel and FDP leader Christian Lindner started to receive threatening calls after their personal contact information was obtained through the hack and illegally posted.
The best and the brightest of Germany’s government techies were brought in to solve the enigma. The perpetrator’s phishing attacks on German politicians’ Outlook address books containing allies’ contacts could have caused damage on both sides of the Atlantic. The NSA was asked to provide support. In the end, the public story was that a high schooler was found responsible. He was released after questioning, though the police continue to question whether he acted alone. Before the student’s highly publicized arrest, German cyber analysts and media personalities blamed everyone from Russian spies to political right-wing extremists for the hack, claiming that such massive amounts of data had been leaked that a state institution or multiple politically-motivated hackers had to have been behind it.
Why did it take state institutions so long to identify the hacker, and why did analysts get the attribution so wrong?
Why did it take state institutions so long to identify the hacker, and why did analysts get the attribution so wrong? During the course of AICGS’ German-American Cyber Roundtable, which met over eight months in Berlin, Washington, and Brussels, participants discussed the urgency of strengthening cooperation between civil society and the private sector in improving accurate attribution. The roundtable’s Prof. John Davis of RAND discussed the importance of creating a neutral non-governmental attribution organization whose participants would focus on ensuring they use the same methodology and have similar confidence levels in identifying malicious cyber intruders.
This independent organization could cut out some measure of politics and aim for getting to a quorum faster than government institutions, which may be slowed by the bureaucracy of an increasing number of actors in different Cabinet ministries and intelligence agencies dedicated to cyber in both Germany and the United States. However, it would not have the power to punish bad actors, and by cutting out government actors all together, may not have access to some of the best intelligence.
This could be a challenge, especially if the goal is early warning. If a core attribution group consisted of government institutions as well as civil society actors and industry experts whose innovation provides critical infrastructure protection, more resources would be at hand to provide sensor and log data, operational reporting, and analytics. This could provide a more complete, and potentially a more accurate, picture of potential threats than when relying on one sector alone.
As the European Parliament elections approach in May, and the U.S. presidential elections approach next year, a strong early warning system providing alerts for malicious intervention in democratic processes is tantamount.
As the European Parliament elections approach in May, and the U.S. presidential elections approach next year, a strong early warning system providing alerts for malicious intervention in democratic processes is tantamount. As roundtable speaker Camille Stewart argues in her piece in this report, remote hacking, easy-to-hack election infrastructure, and known vulnerabilities not being fixed remain a concern for election infrastructure in the United States. Across the EU, cybersecurity readiness differs despite EU goals for synchronization of standards for infrastructure protection.
In the United States, readiness is not just a matter of coordination or updating systems. As the Wall Street Journal recently reported, external infiltration can extend beyond an election system itself. In 2017, according to a report released by the Department of Homeland Security and the FBI in March 2018, Russia gained control of the United States’ electric grid in almost half of the states. Through spear-phishing attacks on small, third party contractors, the hackers were able to intrude into control rooms of power stations and networks that were supposed to be impenetrable.
With the capability to control power grids, external actors can ensure voting machines do not have the energy to operate, affecting turn out in localities where races are very close.
What does this have to do with elections? With the capability to control power grids, external actors can ensure voting machines do not have the energy to operate, affecting turn out in localities where races are very close … just enough to change the outcome. In Ukraine, not only has the electric grid been successfully hacked, but their Central Election Commission website was hacked to proclaim the wrong winner of elections in 2014. Hackers have had years of practice to focus on more powerful targets.
And now, Europe faces similar threats. The BSI announced last year that German energy companies had been similarly targeted for over a year in a Russian cyberattack called Berserk Bear. In addition, Europeans face a true dilemma as they consider switching to 5G cellular networks, which achieve higher data rates for mobile phones, but could at the same time serve home and office networks. German security agencies have warned that if Europe continues to rely on easily hackable providers such as Huawei for a new 5G network, it could put its power grid at risk, and put valuable information in the hands of the Chinese. Because “IoT will account for one quarter of the global 41 million 5G connections in 2024,” according to Machina Research, it will be increasingly important to therefore also ensure that IoT systems are secure. As SAP’s Volkmar Lotz writes in this report, the overall security, including the operational environment of the system, have to be considered in order to ensure that vulnerabilities are not exploited.
The citizens of Germany and of the United States expect public infrastructure, free speech, and the democratic process to be supported and protected by those they have chosen to represent them. When energy grids or social media or voting machines are easily hackable or capable of being manipulated, publics begin to lose faith in government institutions and in the innovators providing solutions to the government.
Many of the proposals provided in the course of this working group and included in the essays to follow in this report provide a foundation toward rebuilding that trust. These include:
- industry charters of trust and accountability calling for common cybersecurity standards and cooperation on attribution;
- increased cooperation through preexisting CERTs for infrastructure intrusion as well as among agencies on local and federal levels;
- creation of stronger partnerships through a disinformation CERT or a rapid alert system to exchange information on ways that publics are being manipulated on social media or on the Internet through digital propaganda;
- and improving the accuracy of attribution through an independent attribution council.
Yet councils, edicts, and charters alone will not solve the cyber-enabled crisis of faith in institutions faced by publics on both sides of the Atlantic. A defense of democracy will require that all actors impacting civil society—the energy grid operator, legislators, leading government bureaucrats, local election officials, tech innovators, military analysts—are willing to work together to technically, financially, or legislatively prioritize a stronger cyber defense for more than the few weeks after an attack or before an election. It also means they are not afraid to hold bad actors accountable, regardless of the hacker’s affiliation with East or West.
 See BILD boss Julian Reichelt’s attribution to the Russian GRU and to multiple hackers or Sven Herpig’s attribution to Russia. Most news stories reporting on the attack noted that AfD politicians’ data was not leaked, and therefore asked the question whether the hacker could have been a right-wing extremist.
 This conclusion is not shared by all experts, however. According to Daniel Voelsen of Stiftung Wissenschaft und Politik, while mobile network hackers could cause problems to the energy grid, the Chinese would not have financial incentive to do this. A report by Germany’s BDI industry network calls for a more cautious approach to China, and the creation of a unified European infrastructure policy plan instead of merely acceding to China’s digital and infrastructure plan in the Belt and Road Initiative (BRI).