Attributions and Arrests: Lessons from Chinese Hackers

The announcement that China has arrested the attackers behind the Office of Personnel Management (OPM) breach and will prosecute them, made on the heels of this week's U.S.-China bilateral discussions, raises some interesting questions.

Earlier this fall Chinese President Xi Jinping and American President Barack Obama agreed to stop hacking aimed at stealing intellectual property for economic advantage.

Importantly, hacking for traditional nation-state espionage was not covered by the agreement. That is a significant omission, and it likely means both countries will retain, and keep using, significant capabilities in this area.

The largest challenge in this space is attribution. It is difficult to determine whether an attack is nation-state backed or carried out by the stereotypical lone hacker in a basement. Indicators such as reused infrastructure, tooling and tradecraft can tie an intrusion to a known group, but any one of them can be borrowed or deliberately planted, so confidence comes from corroborating several independent indicators over time. Without threat intelligence that identifies attackers and links them to specific groups, we will never know the difference.

If we're going to be successful in slowing the pace of attacks, then attribution is critical. Identifying attackers serves as a deterrent: fewer people would be inclined to carry out a crime if they knew they'd be caught. Furthermore, attackers must be held accountable for their actions, and we can only do that if they are identified.

The threat of sanctions over alleged Chinese state-backed cyber attacks seems to have had a positive impact on the Chinese government. This wouldn't have been possible without attribution linking the attacks to actors in China. Whether or not their government was complicit remains unknown; what is clear, however, is that good threat intelligence leads to attribution, and attribution can lead to consequences for attackers.

That's a good thing, and one we need more of every time we see a compromise.