In the midst of a growing debate on social media’s role in American democracy, Twitter recently announced the removal of 32,242 accounts linked to state-sponsored information operations. The surprise finding: Chinese, not Russian, accounts made up the majority, and by a factor of more than 20 to 1.
According to Twitter, the evidence linking these accounts to a PRC information campaign was as follows: most had “little to no follower accounts”; they were tweeting “predominantly in Chinese languages”; and were “coordinated” in “spreading geopolitical narratives favorable to the Communist Party of China (CCP), while continuing to push deceptive narratives about the political dynamics in Hong Kong.”
Given everything that has happened over the last four years, one would be forgiven for asking: is that all?
Certainly, the CCP is no stranger to information warfare. But the description above could just as easily describe millions of Chinese citizens who, indoctrinated or not, share the views of their government on Hong Kong and world politics. Or does Twitter think that the thousands of Chinese student counter-protestors last year were also bots?
No less surprising was the recently-released testimony of Crowdstrike President Shawn Henry. Under oath in a classified House Intel Committee hearing, Henry refused to confirm whether data had been exfiltrated from the DNC servers: “There’s no evidence that they [the data] were actually exfiltrated. There’s circumstantial evidence—but no evidence that they were actually exfiltrated.”
When questioned by U.S. Representative Chris Stewart, Henry also stated that the conclusion of Russian involvement was based on the “tactics” involved: “There are other nation-states that collect this type of intelligence for sure, but the—what we could call the tactics and techniques were consistent with what we’d seen associated with the Russian state.” To be clear, this is the same cybersecurity firm that first announced interference in the U.S. elections, sparking the Mueller investigation and everything after.
By no means is Russia now off the hook. As of April 2020, both the Senate Intelligence Committee and CrowdStrike stand by the conclusion that Russia interfered in 2016.
But looking forward, it is obvious that Americans need to demand better answers when it comes to foreign cyber operations. And they need to start asking why private firms, and not the US Intelligence Community, are allowed to reach the first conclusions on issues of such importance to our national security.
What makes attribution so difficult in the world of bits and bytes? Attacks can be routed through proxy servers in dozens of different countries, and even through compromised machines. According to the Mueller report, this is exactly what happened during the DNC attack, where a “nerve center” in Arizona was used to direct operational traffic from proxies around the globe.
Even after tracing back to a particular country, analysts still need to determine whether an attack was state-sponsored. To maintain deniability, hostile governments often rely on third-party actors, which they know will never testify in foreign courts.
This leaves relatively few options for identification. According to the DNI’s 2018 Guide to Cyber Attribution, the most important indicator is “tradecraft”—the tools, techniques and procedures associated with a given attacker. But even these can be copied by a careful observer, as a Russian group reportedly demonstrated with Iranian techniques just last year.
Consider a hypothetical: It is now November of 2020, and Trump has lost the election by a thin margin. But before Biden can take office, the Pennsylvania Bureau of Election Security announces that their databases had been hacked, potentially affecting results in a key swing state. Irate, Trump quickly blames Iran and announces his intention to launch retaliatory strikes. “Not so fast,” say congressional Democrats, who are convinced that Russia was behind the operation.
If this scenario were to play out, it’s far from clear what a U.S. response would look like. The DoD’s first-of-its-kind Cyber Posture Review included nothing on identification, escalation, or “thresholds” - in contrast to its nuclear posture sibling. Strategic planners should know what level of attribution confidence would justify a military response, were a cyber-attack to hit U.S. infrastructure tomorrow. Unfortunately, our cybersecurity doctrine still treats it as an issue to be solved extemporaneously.
The first step is admitting that we have a problem. Democrats in Congress are naturally hesitant to talk about anything that could cast doubt on the Mueller Investigation; but they might yet be persuaded, if the threat of future election interference is used as a rallying cry. On the Republican side, concerns about China’s growing cyber capabilities should be enough to warrant a serious discussion - especially since Chinese digital espionage is estimated to cost America in the tens of billions annually.
Whatever the motivating cause, cyber attribution is an issue that deserves our full attention.
Kyle Ropp is an incoming Master's student at Johns Hopkins SAIS. He served briefly as an officer in the U.S. Army, and writes on issues related to the U.S.-Russian security relationship.