Abstract:
This article discusses the problems that could arise from the U.S. Government relying on private cybersecurity firms to attribute major cyber attacks. After the 2016 DNC hack, a private security firm was paid and asked to trace the source of the attack, taking less than a month to find and name the culprit. However, it took months for the U.S. Government to publicly attribute and denounce Russia. Private cybersecurity firms are taking on the role of naming, shaming and attributing attacks. However, there are two main issues with allowing this trend to grow and continue. First, these businesses have their own interest. The quicker they name the culprit, the more recognition they get and the more they are able to sell their products. Since there is no standard for cyber attack attribution, this could lead them to make mistakes and not taking more precautions in order to be the "first." The second is that the Government is relinquishing a certain amount of power in letting these companies do this. Public exposure and comment fro the Government is a form of deterrence as it shames the country that launched this attack for doing it but for also leaving a trace. Yet, as seen in the 2014 SONY hack, sometimes the government makes their assessment too late. Cybersecurity firms argued over who was the culprit in the attack and offered different narratives before the government released their conclusions, but this had shaken confidence in the people over who had really committed the attack. The Government should work with private cybersecurity firms to attribute and find the source of an attack.
Institution:
Wired & Council of Foreign Relations