Just Security's editor: This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.

The end of 2015 brought a flurry of announcements from tech companies, including Facebook, Yahoo, and Microsoft, promising to notify their users if the company believes that state-sponsored actors are targeting the users’ accounts. These state-sponsored-attacker notifications share features of other kinds of attributions. On the one hand, like the Mandiant report and other reports by cybersecurity companies highlighting state-sponsored cyberintrusions, private companies are responsible for the attribution. On the other hand, like the limited evidentiary disclosures made by the US government in attributing the Sony Pictures hack to North Korea, the companies withhold the evidentiary basis for the notifications in order to protect their detection methods and avoid tipping off attackers.

The notifications contribute to evolving debates about the requisite evidentiary basis for attribution of state-sponsored cyberattacks—debates over the types of evidence, amounts of evidence, and levels of public disclosure that should be required for attribution in different contexts. The notifications also show that while standards of evidence for attribution are discussed in multilateral fora like the United Nations, states are not the only parties whose practice matters.

Company Notifications

Google pioneered notifications to users about state-sponsored attacks in 2012. The company explained in a blog post at the time that in response to “specific intelligence—either directly from users or from [its] own monitoring efforts”—it would display a banner stating “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.” Facebook made a similar announcement in October 2015. In a blog post by Chief Security Officer Alex Stamos, Facebook explained that it would show users a warning if the company has “a strong suspicion that an attack could be government-sponsored.” According to the New York Times, in the wake of the Iranian nuclear deal and “[j]ust weeks into the new [Facebook] alert system,” numerous State Department officials who work on Iran and the Middle East received notifications that their accounts had been targeted by a state-sponsored actor.

In mid-December, Twitter, which had not previously announced a policy on state-sponsored attacks, notified some users that their accounts “may have been targeted by state-sponsored actors,” who were “trying to obtain information such as email addresses, IP addresses, and/or phone numbers.” (A copy of a notification sent to another user is available here.) On December 21, Yahoo Chief Information Security Officer Bob Lord announced that “Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored actor.” Microsoft followed suit on December 30, announcing in a blog post by Corporate Vice President for Trustworthy Computing Scott Charney that Microsoft “will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state.”

According to the companies, they issue notifications for state-sponsored attackers in particular because, as Facebook explains, “these types of attacks tend to be more advanced and dangerous than others.” The notifications are intended to prompt users to better secure their account with the notifying company, and their other online accounts, by, for example, enabling two-step verification, changing passwords, and monitoring for unusual activity.

Similarities to and Differences From Other Attributions to Nation-States

The state-sponsored-attacker notifications share similarities with prior attributions by both the private sector and the US government.
On the one hand, the notifications (and the attributions supporting them) are made by private companies, like the reports on state-sponsored intrusions issued by cybersecurity companies such as Mandiant and CrowdStrike that I discussed in an earlier post. On the other hand, unlike the extensive technical details that often accompany such reports (see, for example, the Mandiant APT1 report), the state-sponsored-attacker notifications do not come with evidence to back up the attribution. Google’s post on the notifications explains: “You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.” Facebook’s post similarly states, “To protect the integrity of our methods and processes, we often won’t be able to explain how we attribute certain attacks to suspected attackers.”

The invocation of secrecy to protect “methods and processes” echoes similar statements made by the FBI in announcing the attribution of the Sony Pictures hack to North Korea. The FBI press release explained that the “need to protect sensitive sources and methods” prevented the Bureau from sharing details of its evidence against North Korea. The FBI provided a general description of the evidence supporting the attribution, including, for example, “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” But the lack of detailed information triggered significant skepticism within the security community, prompting FBI Director James Comey to release additional information several weeks later.

Unlike the other types of attribution, the state-sponsored-attacker notifications do not name the state involved. They simply inform a user that some “state-sponsored actor” has targeted the user’s account. Of course, upon receipt of a notification, some users may have a pretty good idea which state is targeting them, and the pattern of accounts targeted may reveal the state’s identity to the company, or to the public if and when the notifications become public. That may be what happened with the Facebook notifications to State Department employees discussed above. Still, the notifications’ failure to name the particular state involved renders them somewhat less accusatory than attributions that name a specific state...

In full, with links: https://www.justsecurity.org/28731/your-account-targeted-state-sponsored-act...

-- RR
"You might want to ask an expert about that - I just fiddled around with mine until it worked..."