Though, unlike characterization and attribution, the U.S. retaliation policies are contained in different documents, none has the preciseness required to be effective.
Author
Mujib Jimoh, Jindal Global law School, O.P. Jindal Global University, Sonipat, Haryana, India.
Summary
This paper critiques the U.S. characterization, attribution, and retaliation laws and policies for cyberattacks. Characterization, attribution, and retaliation are part of the most important aspects of responding to cyberattacks. The U.S. does not have a clearly defined characterization process, other than the Government Accountability Office (GAO), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS)’s Threat Table which characterizes the different motivations for carrying out cyberattacks by cyber threat actors.
This Threat Table has hardly changed since 2005, yet, cyber threat actors continually develop their tactics, techniques, and procedures (TTPs) and conceal their real motivations for carrying out cyberattacks. Like characterization, the U.S. does not have a known attribution procedure, nor is a single agency tasked with the function of attribution.
Different agencies – the Department of Justice (DoJ), the Federal Bureau of Investigation (FBI), the National Cyber Investigative Joint Task Force (NCIJTF), and the Office of the Director of National Intelligence (ODNI) – and even private sectors companies, participate in the attribution process.
This invites potential contradiction and interference with the attribution process. Though, unlike characterization and attribution, the U.S. retaliation policies are contained in different documents, none has the preciseness required to be effective. This paper thus, makes recommendations for each of these aspects of cyberattack response.
Published in: Computer Law & Security Review
To read the full article, please click here.
