Guccifer’s extradition shows cybersecurity’s attribution problem in a nutshell.

The Hacker Who Leaked George Bush’s Paintings Is a Prime Example of Cybersecurity’s “Attribution Problem”

The Hacker Who Leaked George Bush’s Paintings Is a Prime Example of Cybersecurity’s “Attribution Problem”

The citizen’s guide to the future.
March 17 2016 9:30 AM

Will We Ever Solve Cybersecurity’s “Attribution Problem?” 

Identifying the perpetrators of cyberattacks is important—but it’s no magic bullet. 


Photo illustration by Lisa Larson-Walker. Photo by Negative Space/Unsplash.


Exciting news this week for dedicated cybercrime fighters: Famed Romanian hacker Marcel Lehel Lazăr, aka Guccifer, will be extradited to the United States to face hacking and identity theft charges! Guccifer made his name back in 2013 when he leaked paintings made by President George W. Bush and emails between family members about the health of President George H.W. Bush.

Unless you really liked that painting of W in the shower, you’ve probably forgotten about those incidents, and Guccifer’s numerous other email hacking exploits, by now—so many more exciting and higher-stakes cybersecurity incidents have occurred in the intervening years. But it’s worth revisiting this figure and his fate, as he is finally being forced to face the indictment issued more than a year ago in the United States. (In the interim, he also spent some time in prison in Romania.) His story—particularly the timeline—raises some interesting questions about one of the old chestnuts of cybersecurity: the attribution problem.


The attribution problem is, essentially, that it’s hard to know with any certainty who is responsible for malicious activity that happens online. This makes it difficult to retaliate against the responsible parties and complicates a lot of issues related to cyberwar, deterrence, and the overarching question faced by private companies and nation states alike: How should they deal with their enemies in cyberspace?

That’s a hard question to answer—much harder if you’re talking about a large-scale espionage data breach or interruption of critical infrastructure than if you’re talking about a guy who got into the email account of Dorothy Bush Koch and broadcasted a message about her father’s health. And Lazăr did take precautions to cover his tracks, routing his online activity through Russian servers so it would be harder to trace back to him. But signs pointed to a possible Romanian perpetrator when Guccifer hacked the email account of a high-ranking Romanian intelligence official. One of the things that Guccifer’s story makes clear is that attribution is far from the only challenge in responding to online adversaries.

Guccifer’s intrusions into the Bush family emails were reported publicly in February 2013. Lazăr was indicted 16 months later, in June 2014. The decision to extradite him came this week, some 18 months after the indictment. In other words, it took longer to get him to the United States than it did to figure out who he was: The attribution problem was less than half the battle when it came to holding Lazăr accountable.

That’s not necessarily going to be the case for every security breach—there are certainly adversaries more skilled at and committed to protecting their true identities than Lazăr—but it does put the attribution problem a little bit in perspective. Let’s say we devise a way to figure out exactly who is doing what at all times on the Internet (and there are plenty of people who think this is a crucial component of effectively dealing with cybersecurity challenges). Then what? Just because you know who the perpetrators are doesn't mean you’ll be able to stop them.


Of course, if you get the attribution right, then at least you won’t punish the wrong people. In an online world where it’s relatively straightforward to route threats through other people’s machines, thus potentially framing those innocent bystanders as the sources of attacks, it’s important to make sure that we’re not being misled before we retaliate. Uncertain or unconvincing attribution may be worse than no attribution at all in those cases, and there’s often some degree of uncertainty especially when it comes to blaming entire countries or national governments.

In one of the most prominent and well-publicized recent cyberattack attribution claims, the FBI publicly announced that the government of North Korea was responsible for the major data breach that targeted Sony in 2014. Jack Goldsmith argued persuasively that the evidence the FBI produced to back-up this claim left much to be desired and demonstrated why the U.S. government “has not come close to solving” the attribution problem. But do we know how to deal with our online adversaries even when we know who they are?

In the Sony case, for instance, the United States government may or may not have been behind the subsequent denial-of-service attacks that targeted North Korea, and those denial-of-service attacks may or may not make North Korea or other nations think twice before attacking U.S. targets. So assuming this was a response by the U.S., was it the right one? That’s awfully difficult to discern amid all those layers of uncertainty.

Going after individuals like Guccifer, rather than nation states, often requires victims to contend with the challenges of finding and arresting criminals in other countries. If those countries cooperate—as Romania did with the U.S. investigation of Guccifer—that can be doable, if slow. If those countries don’t cooperate, it can be a complete dead end.


Guccifer’s extradition is a victory for the law enforcement community but also a reminder of how many obstacles there still are to punishing the perpetrators of cybercrimes, even once you’ve cleared the attribution hurdle. Those obstacles only grow when it comes to responding to sophisticated, large-scale attacks conducted by nation states instead of relatively straightforward email hacking cases carried out by individuals like Lazăr. So it’s important not to lose sight of all those other challenges by focusing exclusively on the importance of attribution. It’s true that there are plenty of cyberattacks for which we still can’t pinpoint a perpetrator, but there are also a sizable and growing number of attacks that we can attribute, and we still haven’t figured out how to respond to effectively.

This article is part of the cyberwar installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month from January through June 2016, we’ll choose a new technology and break it down. Read more from Futurography on cyberwar:

Future Tense is a collaboration among Arizona State University, New America, and Slate. To get the latest from Futurography in your inbox, sign up for the weekly Future Tense newsletter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.