The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence

Given that the most serious threats in cyberspace are other state actors and their proxies, traditional thinking is focused on deterrence. Yet there are significant challenges for cyber deterrence.

The concept of deterrence was originally developed during the rise of nuclear technology. It relies on second-strike capabilities of opponents and complete certainty of who the opponent is, that it can survive the first strike and that it can strike back. This is known as mutually assured destruction (MAD).

Deterrence strategies have worked well throughout history to deter nuclear proliferation because only nation-states have access to the resources and technologies to get in the game. Of those actors, a basic self-interest in survival underpins the effectiveness of MAD.

There are many methods available for monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. In the cyber theater, however, the cyber attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies in conventional warfare. As mentioned, MAD depends on knowing who your opponent is and understanding their capabilities for a second strike. In the cyber theater, both of these requirements are virtually impossible to fulfill.

What Are the Top Challenges to Cyber Deterrence?

Because of the inherent architecture of the internet and threat actors’ ability to obfuscate the source of an attack, it is nearly impossible to attribute attacks with a high degree of certainty. This results in a cyber attribution dilemma whereby the need to impose the costs necessary for cyber deterrence is juxtaposed with the potential costs of misattribution.

1. Misattribution

Many are concerned about the dangers of misattribution in cyber warfare and the potential escalations it could cause. The current deterrence paradigm of mutually assured disruption — the equivalent of MAD in the cyber arena — has a high risk of escalating into a tit-for-tat exchange as a result of a false accusation.

2. False Flags

Adversaries have historically used false flag operations to make an operation appear as though it was perpetrated by someone else. Because of the cyber attribution dilemma, false flags are much easier to execute in cyberspace, where the challenge of attribution already exists. False flags in cyberspace exploit this existing uncertainty and further compound doubt by casting suspicion on other actors.

3. Plausible Deniability

The attribution dilemma also gives threat actors the benefit of plausible deniability, further reducing the risks and costs associated with cyber actions. If you can’t be certain who is responsible, once again, you can’t impose costs without risking imposing the costs on the wrong actor.

In the Absence of Attribution, Resilience Is Critical

The stakes are high in cyberspace and growing daily. Deterrence rests on enterprises’ ability to impose costs or deny gains. Without the ability to impose costs while avoiding misattribution and escalation, denying gains and surviving cyberattacks through resilience is hypercritical.

Advanced attacks executed by sophisticated actors who know how to stay under the radar often cause the most damage. Adopting threat hunting in your security operations center (SOC) can help reduce dwell time as well as the cost and impact of attacks.

Read the SANS threat hunting survey


Jan Dyment

i2 Threat Hunting Product Marketing Manager at IBM Security

Jan’s passion is a fusion of her education in international relations and her career in the cybersecurity industry...