RomanenkoAlexey - Fotolia
The UK has been reticent historically in attributing cyber attacks, but that changed in 2016 when the government announced it point out responsibility when it was in the public interest, according to Ciaran Martin, CEO of the NCSC.
“We learned quite a lot from the US and their experience, and their success encouraged our minsters to move on from what was an understandable reticence to begin attribution,” he said in a panel discussion at the fourth annual European Cybersecurity Forum in Krakow.
Part of that reticence was around the risk of disclosing the UK’s capabilities and methods of cyber investigation, he said, but by leading the way with attributing the Sony attack in 2014 to North Korea, the US had shown how it could be done safely without exposing any secrets.
However, Martin made it clear that the UK does not attribute everything. “Sometimes because we’re not sure enough, but even when we have the highest level of confidence we may not attribute for wider policy reasons,” he said.
In the NCSC’s view, there are broad types of attribution, said Martin. “First is diplomatic attribution – that is simply calling out a state and holding them to account,” he said.
“This is for diplomatic effect to assure allies and put diplomatic pressure on the hostile state. You are also reassuring your country’s citizens that you do know something about who is behind these attacks, but there is no direct affect.”
The second form is criminal justice attribution. “This involveds indicting people and publishing the evidence. And the effect of that tends to be that those indicted can no longer travel to Western countries, and that has had an impact on state actors,” said Martin.
The most recent example of this was the US indictment of seven officers of the Russian military intelligence service (GRU) for computer hacking, wire fraud, aggravated identity theft and money laundering.
However, he added that the UK criminal system works differently to the one in the US, which means this route is more difficult, but that the NCSC was looking into how the UK can try to bring prosecutions in absentia.
The third type of attribution, he said, is remediating attribution that is aimed at raising awareness about threats and helping organisations to improve and build their cyber defences.
“This involves publishing technical indicators of compromise and giving them to companies along with advice on how to get rid of them, but this is mostly to do with sustained campaigns and intrusions that we mostly see from Russia into critical infrastructure,” said Martin.
While both of these were “diplomatic” attributions, Martin said the recent attribution of a wave of cyber attacks to Russia’s GRU was an “important and historic development” because it combined elements of all three types of attribution in light of the related US indictments announced on the same day.
This was one of the “many pleasing elements” of the announcement, he said, which enabled by the “brilliant work” by US and Dutch colleagues and support from across Europe.
The “remediating” component was the publication of and advisory on the indicators of compromise for malware used by APT28, which Martin said could be found on the NCSC website.
“The document includes a list of IP addresses and domains so that any company in the world that thinks there may be a Russian presence on their network know what to look for, and that is one of the reasons that attribution matters because it provide a way of giving organisations the tools to do something about cyber intrusions,” he said.