Spectrum of State Responsibility for Cyberattacks
Attribution of cyberattacks means identifying the party responsible for them. Often, cyberattacks are defined as either state-sponsored (conducted by a government) or not (sometimes called commodity cybercrime). However, this binary is too simplistic. In reality, governments can have varying degrees of involvement in, or resistance to, cyber operations that occur within their borders. The Spectrum of State Responsibility provides labels that describe this range more realistically, and it can be useful for cyber threat intelligence analysts.
Three parties are described in the Spectrum of State Responsibility:
- The government of the country from which the attack originated.
- The attacker; the 3rd-party threat actor.
- The government of the country that was the destination of the attack; the victim. The attacked party could be a government or a private organization.
The categories describe the roles of the first 2 parties. In the first 2 categories, the government is trying to stop attacks within its borders; in the remaining categories, the government is ignoring, aiding, or directly conducting the attack.
- State-prohibited: Government will help stop the third-party attack.
- State-prohibited-but-inadequate: Government is cooperative but unable to stop the third-party attack.
- State-ignored: Government knows about third-party attacks but is unwilling to take official action.
- State-encouraged: Third parties control and conduct the attack, but government encourages them as a matter of policy.
- State-shaped: Third parties control and conduct the attack, but government provides some support.
- State-coordinated: Government coordinates third-party attackers (e.g., “suggests” operational details).
- State-ordered: Government directs third-party proxies to conduct attack on its behalf.
- State-rogue-conducted: Government’s cyber forces act independently of government to conduct attack.
- State-executed: Government conducts attack using cyber forces they directly control.
- State-integrated: Government attacks using cyber forces they directly control and integrated third-party proxies.
In terms of responsibility, the government in the first 2 categories has only very passive responsibility. In the remaining categories, the government bears responsibility in increasing degrees.
Cyber threat intelligence analysts and others involved in attribution and communication about cyberattacks should use language that represents this spectrum. It isn’t necessary to use these particular terms (they’re not standardized); the important thing is to recognize the range.
Also, realize that the different categories present different risks. Ensure your analysis and communication reflect that.