Attribution Across Cyber Attack Types: Network Intrusions and Information Operations

IEEE Open Journal of the Communications Society (2021)

Abstract
The objective of this paper is to articulate the problem of attribution in cyber warfare incidents, including surveillance, data theft, espionage, and misinformation campaigns. As the stakes increase, concerted efforts are being made by intelligence and law enforcement agencies to identify the perpetrators with much painstaking effort. Attribution tools and techniques for malicious activities on the Internet are still nascent, relying mainly on technical measurements, the provenance of malicious code, and non-technical assessments of attack and attacker characteristics to link attack activities to individuals or groups. Attribution of attacks is typically done through a burdensome manual process that relies on both technical analysis and ground intelligence. As a result, this cumbersome and laborious process of attribution is primarily reserved for the most egregious cyber attack cases and those conducted against well-resourced organizations. Over time, our attribution abilities have improved; however, this improvement is a two-edged sword: as attribution capabilities improve, Internet privacy is increasingly diluted. This paper discusses attribution for two vastly different types of attacks that are central to cyber conflict today: network intrusions and social bot-led misinformation campaigns. The paper discusses the state of the art regarding attribution abilities across both types of attack, provides recommendations for improved attribution, and lays out future research directions.
Keywords
Attribution, cyber attacks, malicious social bots, cyber warfare