The alleged cyber “hacks” by the Russian state to either disrupt or perhaps tip the recent election raises many questions concerning how such attacks are attributed, and if true, what can be done about it.
Evidence concerning the perpetrators is rarely public, owing to the sensitivity of sources and methods, so the public is left with unsatisfactory attribution based on assertions of government intelligence agencies, and, of course, identifying the beneficiaries of the attack.
In the case of the hack of Sony Pictures in 2014, the North Korean government clearly benefited politically, so its role was more plausible, but in the case of the hacks of the Democratic National Committee and alleged trolling, the beneficiaries (besides the presidential candidate of the opposing party) are somewhat less clear.
The U.S. public has no modern-day equivalent of the photos that confirmed the presence of Russian missiles on Cuban soil in 1962, so there is understandable skepticism concerning the attribution of these attacks.
Attribution tends to follow parallel paths. One is technical evidence, either in similarity of code or patterns of cyber campaigns, that tends to support attribution to one perpetrator or another. In the case of the election cyber campaign, these attacks are consistent with the Russian state approach to cyber attacks: steal sometimes-embarrassing information and release it, and conduct trolling to “shape” public opinion.
This sort of cyber operation is consistent with recent campaigns that Russia allegedly conducted in the nations of Georgia, Estonia and, most recently, Ukraine, and is consistent with Russian information operations doctrine.
In addition, it can be presumed that the more technical forensics—the type of code, the virtual path the hackers followed in cyberspace, the origin of the attacks—are all consistent with previously witnessed cyber campaigns attributed to the Russian government.
However, both the patterns and the technical forensics are in themselves insufficient to attribute the attacks, predominantly because patterns and technical origins can be spoofed, and are often carried out by sophisticated cyber actors.
A second path toward attribution tends to be more akin to traditional spycraft: A U.S. intelligence agency gathers evidence—reports from insiders, historical evidence on the hackers' computers showing the development of the attack, or other evidence such as stolen memorandum, intercepted phone calls, or reports from foreign intelligence agencies.
Those who attribute cyber hacks always seek to answer the question: Who benefits?
Revealing such evidence could compromise the source and result in future intelligence losses or even the loss of life. Thus, such intelligence could never be revealed to the public.
Finally, in no small part, those who attribute cyber hacks always seek to answer the question: Who benefits?
Cyber attacks, especially those as sophisticated as alleged here, require planning, technical skills and precision, with just enough plausible deniability that would allow a nation to avoid retaliation or public embarrassment. Such attacks are relatively expensive and require specialized skills not to be deployed lightly.
In this case, how Russia would benefit from either a Trump presidency or a reduction in U.S. public trust in the election is not entirely clear. One can suppose affinity in the former, or perhaps favorable financial or geopolitical gain, or in the latter, a punch in the nose through election meddling (regardless of the outcome).
But to many Americans, the answer of “Russia benefits” is less compelling. Those who think about Russia daily, and who appreciate the degree of Russia's resentment against the United States and the West, find the answer more compelling.
So, did Russia do it? Unsatisfactorily, Americans will either have to believe the findings of their intelligence agencies and the government, or not. There is likely no smoking gun, but presumably a preponderance of technical evidence, intelligence, and the benefits to the Russian nation state that points in that direction.
If true, then the United States may be entering a new cold war with the Russian bear—this time, in cyberspace.
Cynthia Dion-Schwarz is a senior scientist and the manager of cyber and data sciences programs at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on Newsweek on December 10, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.
