Oleg Shakirov is Consultant at PIR Center (Moscow) where he focuses on international security issues including arms control, cybersecurity, and Russia-U.S. relations. He is also Senior Expert at the Center for Advanced Governance (Moscow) and member of the Younger Generation Leaders Network on Euro-Atlantic Security. He holds a master’s degree from the Johns Hopkins University School of Advanced International Studies (2015) and a specialist degree from the South Ural State University (2010).
LinkedIn: Oleg Shakirov
Decoding Russia’s Quasi-Attribution of Cyber Attacks
Over the years, Russia has been a staunch opponent of unilateral attribution of cyber attacks by governments. This stance was premised on technical features of the Internet that allow for users’ anonymity. This uncertainty, according to Moscow, could only be resolved through proper international legal regulation that would specify how states should cooperate in that regard. These understandings were at the core of Russian proposals on international information security as well as its criticism of the alternative Western approach. Moscow’s criticism of unilateral attribution of cyber attacks increased in the last five years as Russian nationals and Russian organizations were more frequently being named in statements and indictments by U.S. and other Western governments as culprits of notorious cyber attacks. Russian officials consistently dismissed such accusation on the grounds that they lacked significant proof, while emphasizing the dangers of using ‘arbitrary accusations’ as potential pretext for misguided (or deliberate) aggressive actions.
At the same time, Russia itself does not completely avoid publicly attributing cyber attacks. Even though Russian security officials usually do not issue detailed reports nor identify specific groups or actors, on numerous occasions officials in Moscow did name certain countries in relation with malicious cyber activities targeting Russia.
Such statements can be referred to as quasi-attribution, which reflects both their partial, but incomplete similarity to the Western approach to public attribution as well as Russia’s critical stance towards it. This paper overviews multiple cases of Russia’s quasi-attribution of cyber attacks over the past five years and seeks to unpack the policy behind these statements. It also delves into what this means in the context of international discussion on cyber norms.