Attribution Concerns Raised Over Cyber Sanctions Program

The recent executive order signed by President Obama establishing a sanctions program for overseas cyber-attackers gives the government a new tool to deter malicious attacks. The challenge lies in knowing who to punish, security experts warned.

The sanctions program, announced by the White House on Wednesday, targets individuals and groups outside the United States that use cyber-attacks to threaten U.S. foreign policy, national security or economic stability.

The U.S. Department of Treasury will be able to freeze assets and bar other financial transactions of entities engaged in destructive cyber-attacks.

“From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds,” Obama said.

The executive order itself just claimed the authority to impose sanctions on cyber-attackers. No new sanctions were announced.

While the sanctions program would be one of the many tools the government can use to curtail and deter malicious activity, the program won’t succeed if the government doesn’t figure out how to handle attribution, Mike Brown, vice-president and general manager of the global public sector at RSA, told SecurityWeek. “We need to ensure there is some transparency around attribution,” he said.

Attribution is a thorny problem. Take last winter’s cyber-attack against Sony, for example. The Federal Bureau of Investigation (FBI) said the attack was the work of North Korea. In response, the White House imposed sanctions on North Korea. It turned out to be not as simple as that, since many security experts remained skeptical of the FBI claims without any evidence. Some details the FBI did eventually release seemed circumstantial, or not definitive enough, to really link the attack to North Korea. A few weeks later, Norse claimed to have uncovered evidence the attack was the work of an angry ex-employee. And just last February, Taia Global came out with its own analysis linking the attack to a Russian group.

“Attribution within the information security space is not nearly as easy as it sounds,” Greg Foss, a senior security engineer at LogRhythm, told SecurityWeek. Attackers can “pivot through other countries” and make it seem as if attacks originated from a different location. Malware can contain false data to shift culpability, Foss said. It’s important to understand the specifics of how the government plans to address attribution and define methods used to identify attack origins.

Knowing who actually did the attack is a hard problem to solve, and when sanctions are involved, it’s a question no one wants to get wrong. “While the idea is novel, mistakenly placing sanctions on a country based on the actions of one potentially separate entity could have serious consequences,” Foss said.

There is also the human factor. In some cases, sanctions will only harm the civilian population without doing anything to address the problem directly, Foss said.

Companies are investing a lot of money to improve their security defenses, but the private sector can’t solve the problem alone, Stephen Cobb, a senior security researcher at ESET, told SecurityWeek. There are “elements of the global cybercrime infrastructure that only persist due to the complicity of corrupt officials and unscrupulous businesses that turn a blind eye to cybercrime,” Cobb said. Coordinated government action—both nationally and internationally—is necessary to shut those elements down, he said.

Until recently, it seemed a lion’s share of cyber-attacks against the United States could somehow be traced back to China, which has consistently denied its involvement. The new program could be used to combat economic espionage by China, James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, told the Washington Post. “You have to create a process to change the behavior of people who do cyber-economic espionage,” Lewis told the Post. “Some of that is to create a way to say it’s not penalty free. This is an effective penalty. So it moves them in the right direction.”

A Chinese government official criticized the sanctions program, reiterating that China does not endorse cyber-attacks and remains committed to fighting cyber-attacks in any form.

“Cyber security concerns the common interests of all countries. The international community should jointly solve the issue of cyber-attacks through dialogue and cooperation, and based on mutual respect and trust,” Chinese Foreign Ministry spokesperson Hua Chunying said during a regular press briefing, China Daily reported.

In its daily roundup, iSIGHT Partners expressed concern the program would not be “a significant deterrent for organizations and states that would seek to benefit from cyber espionage.”

The company also remained “uncertain whether the US can reasonably expect to demonstrate the attribution and intent that seem to be required to trigger these new sanctions.”
