In the world of cybersecurity, questions regarding attribution are most frequently focused on 'who' is behind a particular attack or intrusion – and may also delve into the 'why'. We want to know who the threat actor or threat agent is, whether it is a nation state, organized crime, an insider, or some organization to which we can ascribe blame for what occurred and for the damage inflicted. Those less familiar with cyberattacks may often ask, “Why did they hack me?”

These questions are rarely helpful, providing only psychological comfort, like a blanket for an anxious child, and quite often distract us from asking the one question that can really make a difference: “HOW did this happen?”

The current focus on the WHO and the WHY does the industry as a whole little service. Not only in this particular instance, regarding the hacking and leaks from the DNC and others during the 2016 political season, but also in almost every major attack or intrusion.

Rethinking the Security Risk Equation

Let’s start by looking at the popular 'risk equation' commonly used when assessing the possibility of a breach or cyberattack:

Risk = Threat x Vulnerability x Asset Value (or Consequence/Impact)

As someone who has been responsible for managing information risk and security in the enterprise for 15-plus years, I have thought through this equation countless times, both strategically and tactically during an incident. The conclusion I have arrived at over and over again is that I have little control or influence over threat actors and threat agents - the 'threat' part of the above equation. The primary variable I do have control over is how vulnerable I am – meaning the strength of my present controls as well as my future ones.

So what must always be analyzed and reported on is HOW an intrusion or attack was successful, so we can attribute the outcome to the control(s) that failed or were absent, and to those responsible for maintaining proper control.

A great example of this sort of investigation and analysis is the House Committee on Oversight and Government Reform OPM breach report (1). In a report published last week by the Office of the Director of National Intelligence (2), there are a few important items to note from the upfront background section:

1) “Intelligence Community judgments often include two important elements: judgments of how likely it is that something has happened or will happen (using terms such as 'likely' or 'unlikely') and confidence levels in those judgments (low, moderate, and high) that refer to the evidentiary basis, logic and reasoning, and precedents that underpin the judgments.”

2) The nature of cyberspace makes the attribution of cyber operations difficult but not impossible. Every kind of cyber operation—malicious or not—leaves a trail. U.S. Intelligence Community analysts use this information, their constantly growing knowledge base of previous events and known malicious actors, and their understanding of how these malicious actors work and the tools that they use, to attempt to trace these operations back to their source.

The government - which has badges, guns, jails and laws to enforce - should continue to focus law enforcement and other government agencies on attribution related to the source(s) of attacks, so they can take action to deter (via conviction and jail time) the threat actors who wish to do harm. After an incident, if enough evidence exists, they can also attempt to detain and prosecute those responsible. However, this alone is a completely insufficient form of attribution and, per the report itself, involves a degree of judgment.