Is Naming and Shaming a Legitimate Strategy in Cyberspace?

Does attempting to name and shame hostile cyber activity count as a valid deterrence strategy?

In January 2018, the White House Cybersecurity Coordinator stated that the U.S. government planned to strengthen its cyber deterrence policy over the course of this year.  Cyber deterrence has been a popular discussion at the highest levels of government, but little so far has been done to develop an actual strategy to achieve this objective.  Among the tools that have been used in trying to deter hostile activities in cyberspace include sanctions (e.g. cyber sanctions), diplomatic activities (no no-hack), retaliatory actions (e.g., knocking off North Korea off the Internet), few have demonstrated success so far.  Per the Coordinator, “naming and shaming” is an approach that the government should utilize in helping curb hostile cyber operations.

Naming and shaming” refers to the practice of publicly singling out a person, company, government, etc., for having behaved in a bad or illegal way.  It is hoped that by causing public embarrassment, the offending entity will alter its behavior and ideally, no longer conduct itself in the same manner.  While practical in the physical world where actions can be observed and recorded, similar approaches are more challenging in a borderless digital world.  Actors in cyberspace enjoy an environment in which they can find technical and operational means to obfuscate activity using proxies, anonymizing techniques, and encrypted technologies, in order to mask their identities, and afford them a level of plausible deniability.  Such realities make “naming and shaming” a questionable tactic at best.  “

Furthermore, “naming and shaming” requires the victimized government to have been able to attribute the hostile activity to another government or an agent of that government.  I, as well as many others, have long maintained that attribution in cyberspace is difficult, and while not impossible as some have intimated, it does call into question technical aspects of attribution that is heavily relied upon in determining the identities or at least countries of responsibility.  Over the past decade or so, many computer security companies have published reports detailing the tactics, techniques, and procedures (TTP) of the actors to help attribute the activity to a specific group or nation state government.

However, there has been little consideration that once these published reports of suspected nation state cyber activity are made public, that state or other actors may use the very indicators of compromise shared in the reports for their own purposes.  Once made public, any actor can use the published malware, TTPs, and target preference of one suspected state actor group to help mask its own operations.  Many of these broad cyber campaigns target across a series of verticals, allowing vendors to focus on targets that best bolster attribution narratives as little consideration is given to the other targets, as was pointed out by one security researcher.

Therefore, “naming and shaming” without showing the total evidence of culpability risks being nothing more than a finger-pointing accusation.  In the case of the Sony hack, the Federal Bureau of Investigation attempted to provide some of its evidence of North Korean guilt that was met with significant skepticism from security specialists.  The U.S. government may very well have had more information of the classified variety that solidified these assertions but keeping that close hold did nothing to sway people who wanted to see more proof.   The government has expressed confidence by barring information technology firms – notably Huawei and Kaspersky Lab – gaining a foothold in government and private networks, without providing the substantive proof that backs its fears and suspicions.

Regardless, the question remains – will naming and shaming be a successful tactic?  The success of that remains up to debate.  For example, North Korea was the first nation state government called out by the United States for attacking Sony in 2014.  Since that time, North Korea has been suspected in the following cyber attacks: 2015-2016 SWIFT banking hacks, the 2017 WannaCry ransomware attacks, and the 2017-2018 Cryptocurrency attacks.  Similarly, the U.S. government has condemned Russia for its cyber assault against the U.S. 2016 presidential election, as well as a June 2017 cyber attack against Ukraine.  Despite such allegations, if Russia was behind such attacks, Moscow does not appear to be deterred in how it operates in cyberspace.

Supporters of this tactic will assert that once China was publicly accused of its cyber espionage, it agreed to make its no-hack pact with the United States to not commit cyberespionage for commercial advantage.  While volume may have subsided, some believe that the activity continued albeit at a reduced level.  Decrease in volume does not equate to successful cyber deterrence, as it could force enterprising nation states to be more selective about what is targeted and how it goes about targeting.  A nation state can easily improve operational security, leveraging foreign language keyboards, malware written in another language, and launching attacks from even a third-party country, making technical attribution a futile effort.

Moreover, what of suspected U.S. attacks against foreign nations?  Governments such as North Korea, Iran, Russia have all publicly accused the United States of cyber attacks against organizations within their countries.  If these accusations are true, will it stop the U.S. from engaging in activities that protects and supports its national security objectives?

What this demonstrates is that absent definitive proof, governments will continue to deny involvement in any hostile cyber activities attributed to it by state agents or state-sponsored actors.  This calls into question if nation states truly want to develop a deterrence strategy in cyberspace.  The status quo facilitates states to operate as they have and currently do.  But what’s more, it allows defending governments to monitor these operations as well. Any change in current norms will force actors to adjust TTPs, implementing new tools and tactics that so far have not been recorded or observed.  Furthermore, establishing and communicating any cyber deterrent strategy may put the initiating government at a disadvantage as it could inform adversaries to conduct operations that fall just below thresholds that may incur diplomatic, economic, cyber, or kinetic retaliation.

Ultimately, naming and shaming is not a legitimate deterrence strategy, and will not deter nation states’ hostile cyber activity.  However, it does serve well as a means of signaling to the offender that they have been caught and are being monitored.  Both conducting the activity and detecting it demonstrates competence without necessarily having to reveal the full extent of capability.  And this within itself may be the best deterrent to any country seeking to increase or amplify its cyber attacks against another country.

About the author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter