October 5, 2016
The Christian Science Monitor Passcode
If the United States does not officially attribute state-sponsored cyberattacks and cedes the field to private companies or other states, it risks losing control of both the narrative about particular cyberattacks and the evolving norms of cyberspace.
In the presidential debate last week, Hillary Clinton cited Russia’s responsibility for the hack of the Democratic National Committee (DNC). Two weeks ago, Senator Dianne Feinstein (D) and Congressman Adam Schiff (D) of California released a statement explaining, “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election.” Despite these statements and CrowdStrike’s accusations against Russia, the executive branch has not officially attributed the DNC intrusions to Russia.
In the absence of official attribution by the US executive branch, private cybersecurity companies are playing the role of accusers of foreign governments. The DNC compromise is not the only case like this. Take the 2015 Office of Personnel Management breach. The executive branch has not formally identified the perpetrators of that intrusion either, but CrowdStrike has accused Chinese government-affiliated hackers.
Casting private companies in the role of accusers has some benefits, but relying on private attributions to the exclusion of official attributions may create some underappreciated risks for the United States.