Why Do Governments Reveal Cyber Intrusions?

Gil Baram
Wednesday, November 24, 2021, 8:01 AM

Germany’s decision to publicly name the Ghostwriter hacking group as the perpetrator targeting its political institutions should not be taken lightly.

The Reichstag building, which houses the Bundestag. (Jorge Royan, https://tinyurl.com/f2vsyh; https://tinyurl.com/f2vsyh, https://creativecommons.org/licenses/by-sa/3.0/deed.en)

Published by The Lawfare Institute
in Cooperation With

On Sept. 26, Germany held federal elections to select the new members of the Bundestag, the country’s national parliament. Neither of the leading parties secured enough seats to govern alone, and it’s been estimated that it might be weeks before the public knows the political future of Europe’s largest economy. And while the three parties likely to constitute Germany’s next governing coalition announced on Nov. 16 that they are close to sealing a deal, concerns of election meddling and cyber intrusions against political institutions before and during the elections have made the political situation even more complex.

On Sept. 6, the German government publicly revealed it had been affected by “illegal cyber-activities,” such as direct phishing attacks on politicians, and attributed these to Moscow. According to Foreign Ministry spokeswoman Andrea Sasse, “the German government considers this unacceptable action a threat to the security of the Federal Republic of Germany and to the democratic decision-making process and a serious burden on bilateral relations.”

Germany publicly attributing the attack to Russia reflected a direct and specific approach. Sasse stated that there are “reliable findings” that the activities of the Ghostwriter hacking group—they’ve also been operating in Poland, Latvia and Lithuania since 2017—can be attributed to “cyber-actors of the Russian state” and specifically its military intelligence service (GRU). The hacking campaign focused on phishing attacks against politicians and decision-makers, impersonating government and diplomatic correspondence, and disseminating false information aimed at interfering with the internal affairs of European countries. 

Germany’s decision to publicly name the perpetrator of the attack should not be taken lightly. Cyber intrusions can be kept covert, so in this case, Germany could have decided to remain silent and not raise public attention and speculations before the elections. However, it decided to make a specific attribution and blame Russia. This was not the first time: Last year Chancellor Angela Merkel accused Russia of an “outrageous cyberattack on the German parliament” in 2015. So how do decision-makers choose a course of action for a country’s public response? 

My research into understanding why countries choose to give up the advantages of secrecy shows that, after experiencing a cyberattack or intrusion, there are at least four strategies available to affected countries: full concealment, partial concealment, publicizing the attack without attribution and publicizing the attack with public attribution. Choosing any of these options may have implications for the state, its leaders and its relations in the international arena. Therefore, it is important to examine in depth the calculations that may influence decision-makers to choose each strategy, the possible factors that led to the choice and the implications of the strategy ultimately chosen. 

Full Concealment

States might opt for full concealment when they want to avoid an obligation to respond. This option allows states to contain the attack while preventing an undesirable escalation. Additionally, they might opt for concealment to deceive the rival and learn its methods of operation. Giving a false impression that the attack has gone undetected allows the victim to monitor its opponent, study its methods and even implement its measures of deception. 

Furthermore, concealing the intrusion can help maintain the status quo without enhancing the tension between the countries involved. An attack may also be concealed to ensure the non-glorification of the attacker. Exposing the attacker could cause public concern and fear, leading to national anxiety that can even influence the decision-making process. A country wishing to avoid this will choose not to expose the attack and the attacker. 

Theoretically, Germany could have chosen this option, especially with the upcoming elections. But this was no longer a viable option since the private security company FireEye publicized that the Ghostwriter group was operating against German politicians back in April 2021.

Partial Concealment

States might choose partial concealment only when full concealment is not possible. The attack’s occurrence may be evidenced by the damage it causes or if the attacker or a third party discloses it. The victim still has options, as they can acknowledge the damage but may attribute it to a different cause, such as technical malfunction, and not a direct cyberattack. 

One example of possible partial concealment might have occurred with the collision involving the U.S. Navy warship USS John S. McCain. In August 2017, USS John S. McCain collided with an oil tanker near the coast of Singapore. Ten U.S. sailors were killed and 50 were injured. The chief of naval operations and the team sent by U.S. Cyber Command to investigate have subsequently stated that there was no evidence suggesting the accident was a result of a cyberattack. However, experts claimed it was hard to believe that the accident was a result of human error only. This marked the fourth incident of this kind in 2017 in the western pacific, with the USS Fitzgerald experiencing similar collisions in June 2017. Both destroyers belong to the Navy’s Seventh Fleet, so experts believed these cases might be related and were caused by a cyberattack. 

Although official investigations have found no clear evidence of a cyberattack, the prevailing assessment among experts was that the latest collision was not a result of a mere malfunction. Furthermore, the visible and public nature of the damage meant the U.S. government could not choose the strategy of full concealment. And even if a malfunction is discovered in a computer-related system, the covert nature of cyber intrusions makes it difficult to determine whether it is the result of an attack or a legitimate technical issue. In such cases, there will always be an element of uncertainty, illustrating the current problems in the process of identifying and dealing with cyber intrusions.

And going back to Germany’s case, despite the lack of evident damage, the intrusion had already been revealed, so partial concealment was not an option either. 

Publicizing the Attack Without Attribution

A state may identify the attacker but still may not want to reveal their identity to safeguard its intelligence sources. This standing concern within warfare is even more acute in cyberspace, which requires tools such as advanced signal, technological and even human intelligence to ascertain an attacker’s identity. The victim may also decide to preemptively disclose the attack to avoid humiliation in case the attacker or a third party reveals the attack. And while this disclosure of an attack may reveal a country’s shortcomings with its cyber defense, it can also illustrate its strength in being able to effectively respond to an attack. In this case, the political costs of transparency—toward both domestic and international audiences—may be less severe than those associated with concealing an incident. 

Singapore’s government may have adopted this strategy in response to the cyberattack on the country’s largest health care provider. In July 2018, SingHealth suffered a major intrusion that has been described as the most serious intrusion in the country’s history—1.5 million medical records were stolen, including those of the prime minister. 

Speaking at a press conference in July 2018, Singapore’s chief executive of the Cyber Security Authority (CSA), David Koh, confirmed that investigations “determined that this is a deliberate, targeted and well-planned cyberattack, not the work of casual hackers or criminal gangs …[.] [B]eyond this I apologize we are not able to reveal more because of operational security reasons.” It seems that for national security reasons the CSA most probably wanted to keep its intelligence resources safe and did not reveal information that could jeopardize their integrity. 

Furthermore, being transparent throughout the investigation helped Singapore avoid humiliation if the intrusion had been revealed by the attacker or a third party. Though some nations, such as China, have been pointed out by experts, Singapore’s authorities have been quiet. One explanation for this is the need to avoid escalation. The Singapore government didn’t want to risk its close trade and economic relationship with China by revealing the attacker’s identity publicly.

In the German case, Germany could have chosen this option but evidently wanted to achieve stronger gains with the next option.

Publicizing the Attack With Public Attribution

States can gain the key benefit of shaping the rules of acceptable behavior in the international arena by exposing the attack and attributing it to a specific attacker. While this may damage the victim’s public image, it still might strengthen the international image and status of the country, framing it as one with the “know-how” to deal with cyberattacks and as a model for other countries facing similar threats. This might also help the victim to join forces with its allies and start establishing the practice for what may be considered acceptable conduct in the international cyber arena. In the long run, it often serves the victim to reveal the attack and concede weakness, as this can also publicly brand the attacker as violating international norms and even international law. 

An example of this strategy might be the way the United States dealt with the Democratic National Committee (DNC) hack in 2016. Russian hackers gained access to the computers of the DNC in April 2016 and stole private emails, opposition research and campaign correspondence. WikiLeaks made nearly 20,000 of those private emails public, revealing embarrassing details. This was part of Russia’s broader campaign ahead of the 2016 U.S. presidential election, whose goal was to influence the democratic processes. 

The Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement on Oct. 7, 2016, attributing the intrusion to Russia. On Oct. 12, a White House spokesman added that Russia is seeking to undermine the stability of American politics. The United States’s public attribution to Russia helped set a clear stand against the Russian cyber aggression, which other nations have followed. The publicity approach enables the U.S. to shape the acceptable ways of behaving in cyberspace.

In the German case, the public attribution to Moscow showed that the Germans have some capability to deal with such attacks and also raised the public’s awareness before the elections. Furthermore, it sent a clear message to both Russia and the international community that the Russian aggression is unacceptable and is “a serious burden on bilateral relations.” In doing so, Germany received the support of the European Union, which at the end of September warned Russia against carrying out “malicious cyber activities.” Through this publicity, the German government is positioning itself as a leading country in the international efforts to define acceptable behaviors for countries operating in cyberspace.

With cyberattacks and intrusions becoming an extension of conventional conflict and diplomacy, it is vital that decision-makers gain a deeper understanding of their public options, as these both reflect and shape the international arena. While the outcome of Germany’s strategic choice remains to be seen, the politics of cyber conflict at large, and with Russia in particular, await Germany’s next coalition.

Dr. Gil Baram is a Fulbright Cybersecurity Post-doctoral Fellow at Stanford University’s Center for International Security and an Adjunct Senior Research Fellow at the Centre of Excellence for National Security, Nanyang Technological University, Singapore. Her research examines national decision-making during cyber conflict. Previously, she served as the Head of the Cyber & Space research group at the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University and held cyber intelligence positions within Israel’s National Information Security Authority.

Subscribe to Lawfare