22 February 2015

Attributing Nation-State Cyberattacks: How Do You Know Who Decided and Why?

In January 2011, Secretary of Defense Robert Gates told reporters that he doubted that the Chinese could make a fighter that was truly stealthy. Shortly thereafter, while Gates was in China, scheduled to meet with the Chinese leader, Hu Jintao, the Chinese military tested their new stealth fighter.1 Instead, Gates decided to ask Hu Jintao why the test had been made. According to David Sanger:

Hu's face turned quizzical when Gates mentioned the test.

"Hu turned to the guy next to him and asked if he knew what I was talking about," Gates said. "That guy shook his head no and moved down the line." The pattern continued until they hit the first officer in uniform. He knew all about it. The test, it was reported, had been rescheduled from an earlier date because of a minor equipment malfunction.2

Curious, Sanger later asked Gates whether Hu actually knew. The secretary replied with a diplomatic 'yes,' but may have had doubts. Still curious, Sanger asked a diplomat and one of Gates' aides why the Chinese made the test. He got two answers. The diplomat said that it was to send a message to the United States and to Gates. Gates' man said it was to send a message--'screw you,' he said--to Hu, who had told the military to patch up their relationship with the Pentagon.

Was the military really acting on its own, contrary to direction from the senior leadership? The truth is, we can guess, but we don't know.

When cyberattacks are attributed to nation-states, as in Estonia in 2007, Georgia in 2008, or with Stuxnet, the assumption is often made that the attack has been approved by the senior leadership. The state is seen as a unitary actor, with all actions coordinated among all the players.

Clearly that is a simplification of what actually happens, but it is true enough, often enough, that this simple assumption is a useful one to make. But the incident Sanger cites tells us that it is not always so, and that it behooves those who make policy in one country to understand how policy is made in the states they blame.

This is often something that policymakers know little about. It is not always easy to understand how decisions are made even in a raucous democracy like the United States or the UK, where the press has access to most of the players and the players want their part known. Sanger's revelations about Olympic Games are a case in point.3 In authoritarian societies like China and Russia it becomes much more difficult. In an isolated society like North Korea, it is close to impossible.

What this means for the attribution of cyberattacks is that forensics may give us the technical knowledge to attribute an attack to a nation-state. We may know enough about how that state operates in the cyber domain to pin the attack on it.4 But the question of motivation can be more complex than a simple model of decision-making allows. The assumption that decision-makers act as one may woefully distort our understanding of how the decision to attack was made, leaving us not knowing with certainty who is responsible and why.

In most circumstances, this particular problem with attribution will be of little consequence. Most cyberattacks are not made by states, after all. Moreover, few attacks by nation states require an immediate, direct, and public reaction. Most, in fact, are merely digital espionage and not clear acts of war.

The reality of how decisions are made is, then, one more variable that needs to be added to the equation used to determine the attribution of a cyberattack to a nation-state.


1 David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown Publishers, 2012), pp. 370-372.
2 Sanger, Confront and Conceal, p. 371.
3 Sanger, Confront and Conceal, Chapter 8.
4 Thomas Rid and Ben Buchanan, "Attributing Cyber Attacks," Journal of Strategic Studies, retrieved on 06 January 2015 from http://dx.doi.org/10.1080/01402390.2014.977382. Rid and Buchanan provide an exceedingly useful framework for examining attribution.