Cyber Attrition

After the United States blamed China for the Office of Personnel Management intrusion in 2015, China called speculation on their involvement neither “responsible nor scientific.” They subsequently suggested it was “imperative to stop groundless accusations, [and] step up consultations to formulate an international code of conduct...” The US-China exchange raises a critical question: what qualifies as “groundless accusations,” and what would “responsible and scientific” attribution of nation-state sponsored attacks look like? The incident raises another question as well: what is the current US process for attribution, and is it achieving its aims? This paper argues that authoritative attribution of cyberattacks to nation-state actors requires more than purely technical solutions. New, credible institutions are needed to develop procedural checks and balances that will make attribution more than one nation pointing its finger at an adversary. This document will explore the attribution challenge, review proposed models for new institutions, and sketch an agenda for future research. The authors’ expertise in the development of transnational institutions led by non-state actors in critical Internet resources has direct policy relevance to this case, as a new institution may be needed to hold offensive actors responsible and deter future cyber-attacks.