PhD Thesis Introduction: A New Deterrence and Attribution Framework for Cyber Attacks against States: Analysis of US and China Cyber Standoff

Introduction

1. Problem Statement

Attribution and deterrence are two essential instruments of international relations associated with conflict resolution and diplomatic interactions between states (Cheung & Bell, 2021; Liang et al., 2020; Welburn et al., 2023). The first concept is usually defined as the process through which governments assign responsibilities for events or actions initiated by other countries that cause harm to their economy, security, or reputation (Baliga et al., 2020). Attribution frequently takes the form of public diplomacy where the affected state informs its own citizens, the citizens of the offending party, its government, and other global parties about the circumstances, credible proof of attacks against it, and planned response to such attacks (Yaghlane & Azaiez, 2019). This process can be explored within the scope of a larger deterrence theory investigating the ways countries prevent or punish adversarial actions against them. Attribution is frequently considered a crucial antecedent of such activities, since it provides the foundation upon which such response strategies can be realised and presented as fair, proportional to the damage done, and guided against the actual offender (Bier & Gutfraind, 2019).

This poses one of the main problems in contemporary deterrence, since misattributed actions can lead to unnecessary escalations, confrontations, and tensions between countries (Banks et al., 2022; Hausken, 2017; Hausken, 2024). Such issues may be especially threatening if the presented offending part is one of the leading global economies, such as China or the US. In this scenario, the lack of credible proof directly linking attacks with the country’s government can make deterrence unsubstantiated and stimulate response actions from both the state accused of the attacks and other global actors (Solak & Zhuo, 2020). The situation is further complicated by the fact that terrorist organisations and other criminal groups can operate from the territories of certain states but not have explicit relationships with their leaders. Additionally, local enforcement agencies may not accept the interventions of international entities in their internal affairs, such as open military operations against such violators (Kovenock & Roberson, 2018). This creates a complicated situation where countries that are not linked with mutual agreements to assist each other in fighting certain types of crime may not be willing to share relevant information or track criminals on their territories upon receiving requests to do so from their political rivals (Shan & Zhuang, 2018).

Cyber warfare may be seen as a major challenge in this aspect according to multiple recent studies (Dacorogna et al., 2023; Hausken et al., 2024; Welburn et al., 2023). Such high-level accidents as the breach of the Guam communications network of 2023, cyberattacks against Romania in 2022, 2020 cyberattacks against Sri Lanka, and many earlier events have all caused substantial damage in terms of infrastructural disruptions, disclosed sensitive data, or theft of data that can be used in future attacks or sold on the darknet (Dacorogna & Kratz, 2023; Mijwil et al., 2023). While hackers can be traced back to the territories of certain countries in most cases, linking them with local organisations or governments presents a major cybersecurity challenge due to a number of factors. First, cyberattacks frequently use advanced traffic obfuscation tactics making it difficult to identify the actual location from which an attack is launched (Khan, 2022). If some countries do not wish to disclose data from their internal networks to international investigators, it may be difficult to identify whether the hackers operate from these countries or simply use their proxy servers as another obfuscation instrument (Lonergan & Schneider, 2023).

Second, misidentification can be associated with the willingness of hackers to mask themselves as other hacker groups (Cunningham, 2022; Solak & Zhuo, 2020). In this scenario, the attacked party retaliates against the wrong party, which decreases its relationship with it and does not result in more effective deterrence. As a result, it is still exposed to future threats and is less likely to find support from others due to past misidentifications undermining trust towards it (Beckerman, 2022). Third, high-quality deterrence implies that the affected party possesses the means for a counterattack and can recuperate some of its losses by launching it (Borghard & Lonergan, 2023; Xu & Zhuang, 2019). This may be challenging in the case where the opponent possesses greater resources or lacks ‘weak points’, such as shared economic networks suffering from sanctions or critical infrastructures that can be disrupted via retaliatory attacks.

Existing models of attribution and deterrence were historically developed in the field of international politics (Cremer et al., 2024; Welburn et al., 2023). In these scenarios, attacks took the form of espionage and other primarily physical activities that were much easier to track than cyberattacks. However, the latter are more difficult to classify in terms of both technical attribution as a forensic investigation of ‘digital traces’ left by hackers and analytic attribution as the identification of their motivations and long-term intentions (Qian et al., 2022). Since major attacks against states are launched by groups rather than individuals, this elevates the threat to the level of international terrorist groups that are difficult to counter without international collaboration (Simon & Omar, 2020). At the same time, state-sponsored criminal organisations are rarer than state-sponsored cybercriminal organisations, which increases the difficulty of attribution. Requesting specific data about hacker attacks from country governments is largely similar to announcing their responsibility for them, which creates a reluctance to cooperate with the affected party of intentions to conceal potentially problematic data (Liu et al., 2018). These problems call for a new deterrence and attribution framework specifically designed for identifying, exploring, and countering cyber threats against states (Agrafiotis et al., 2018).

To achieve this goal, this study explores the history of the US and China cyber standoff. These two states were selected for the analysis due to a number of reasons (Creemers, 2024; Xu & Lu, 2021). First, past relationships between these countries included intense competition in economic, diplomatic, ideological, and political spheres (Peng, 2023). This rivalry also extends into cyberspace, where both of them seek to promote their national interests through different types of communication as well as different cyber interactions, which creates rich data for analysis that includes multiple hacker attacks attributed to Chinese hackers targeting US government agencies and top corporations in their attempts to disrupt their operations or get access to sensitive data (Gao, 2022; Papageorgiou et al., 2024). Second, both of these states possess the highest levels of technological development making their cybersecurity policies comparable in terms of their integrity, complexity, and advancement (Creemers, 2022; Khan, 2022; Papageorgiou et al., 2024). This makes China and the US interesting targets for analysis, since these countries utilise cutting-edge solutions in this sphere to protect themselves from opponents’ attacks while also exploring opportunities for espionage against rivals.

2. Aims and Objectives

This study aims to develop a comprehensive deterrence and attribution framework for the analysis and classification of cyberattacks against states (Peng, 2023). Traditional models in this sphere are mainly based on conventional conflicts, where attacks can be traced back to their source with relative ease (Agrafiotis et al., 2018; Cremer et al., 2024). On the contrary, cyber aggression creates highly adverse consequences, similar to military threats, while being more complex by its nature due to varying international norms and the technological complexity of this phenomenon (Xu & Zhuang, 2019). This implies the need for a new deterrence and attribution framework designed specifically for cyberattacks against states. This aim will be realised via the following research objectives:

1. To analyse the current models, strategies, and methods of attribution and deterrence used in contemporary international relations.

This historical overview of existing literature will allow the author to identify how established deterrence and attribution theories and models apply to cyber warfare and what are their crucial gaps and limitations in this sphere (Simon & Omar, 2020). This analysis provides a basic understanding of key challenges, as well as contextual factors influencing the success of different response strategies in this field (Lonergan & Schneider, 2023). As opposed to earlier projects, these elements are directly related to the field of cybersecurity in order to make the proposed model highly focused on the unique problems of cyberattacks.

2. To evaluate the key challenges of applying these concepts to cybersecurity attacks, with a focus on the US and China’s history of cyber aggression.

This objective develops the insights related to the gaps in existing models identified in the first objective and creates a list of key hindrances unique to the cybersecurity domain that need to be taken into account when developing the new framework (Agrafiotis et al., 2018). The two selected states were engaged in multiple trade conflicts, such as the Trade War of 2018-2019, and others involving deterrence acts, such as the ban of Huawei in response to potential threats to national cybersecurity (Creemers, 2022; Creemers, 2024), which provides rich secondary data for the analysis.

3. To propose a new framework for deterrence and attribution specifically designed for cyberattacks that incorporates both modern strategies in this sphere and contextual factors such as international norms and regulations.

The insights created by prior analysis will be used by the author to propose a revised framework that integrates established attribution and deterrence theories with specific modern strategies applicable to cyberthreats (Khan, 2022). This comprehensive model will also incorporate contextual factors, such as international laws, diplomatic considerations, and other variables, to offer a holistic approach to attribution and deterrence in this field (Lonergan & Schneider, 2023).

4. To formulate recommendations to policymakers on how the proposed model can be applied in real practice and used to improve the quality and effectiveness of attribution and deterrence in cyberconflicts.

Practical recommendations related to the developed framework will propose actionable policies that can help states implement it within the scope of their national security strategies (Welburn et al., 2023).

3. Methodology

The methodology of this study is grounded in constructivism as its main philosophical stance. This worldview suggests that social realities are mainly created via human interactions while knowledge is primarily shaped by social contexts (Mukherjee, 2019; Kumar & Kothari, 2022; Walliman, 2018). Since this thesis is focused on attribution and deterrence as a part of international diplomacy, constructivism allows the author to explore how different states perceive each other’s identities and shape their behaviours on the basis of existing norms and past engagements (Onwuegbuzie & Johnson, 2021). The choice of this philosophical stance also provides for the triangulation of primary qualitative and quantitative data in a mixed-methods research design (Rowe, 2021). While there exist multiple past publications exploring Sino-American diplomatic relations and security interactions, the opinions of cybersecurity experts are deemed necessary to expand this desk research perspective and provide richer data for developing a comprehensive deterrence and attribution network. This decision suggestion is directly associated with the earlier identified research gaps, where frameworks in this field primarily take into account traditional diplomatic problems while ignoring the unique challenges posed by cyberattacks (Phillips & Johnson, 2022; Vear, 2021).

The data collection process involved survey forms distributed between 112 cybersecurity experts recruited online, with 17 follow-up interviews with professionals from this group conducted afterwards. This corresponds to the explanatory sequential design, where initially acquired quantitative data is processed to identify unexpected findings and gaps in knowledge (Brown, 2021; Gupta & Gupta, 2020). The consequent qualitative data collection allows the author to ask additional questions to better understand what the key challenges of attribution and deterrence in cyberspace are and how they can be dealt with more effectively. Additionally, the methodological approach of this study can be characterised as a case study one (Brabazon et al., 2020). Several cases related to attribution, deterrence, and cybersecurity incidents between the US and China were selected including the Huawei case and the 2015 Office of Personnel Management Breach. These choices were substantiated by significant attention drawn to them after their emergence and the availability of rich context and research making them interesting for the analysis (Costa & Condie, 2018). Specific documents included government reports, cybersecurity white papers, scholarly articles, and state cybersecurity policies.

For the survey part, 112 specialists were recruited using industry contacts of the author and snowball sampling. Since the posed research objectives relied upon professional expertise rather than unique individual experiences, this method was deemed suitable for addressing them (Croucher & Cronn-Mills, 2018; Daverne-Bailly & Wittorski, 2022).  During the completion of online forms, the respondents were asked about their potential willingness to also take part in follow-up interviews. This formed the sample of 17 participants providing additional insights for the qualitative part. Quantitative data was processed using structured equation modelling (SEM) on SPSS. This technique allows researchers to explore the existence of relationships between individual variables and the existence of mediation relationships (Kumar & Kothari, 2022). Thematic analysis was used to process qualitative data (Brabazon et al., 2020; Phillips & Johnson, 2022). The findings were used to propose a new framework for deterrence and attribution that incorporates the factors, variables, and challenges unique to the sphere of cybersecurity.

References

Agrafiotis, I., Nurse, J., Goldsmith, M., Creese, S., & Upton, D. (2018). A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity, 4(1), 1-17. https://doi.org/10.1093/cybsec/tyy006

Baliga, S., De Mesquita, E., & Wolitzky, A. (2020). Deterrence with imperfect attribution. American Political Science Review, 114(4), 1155-1178. https://doi.org/10.1017/S0003055420000362

Banks, D., Gallego, V., Naveiro, R., & Insua, D. (2022). Adversarial risk analysis: An overview. Wiley Interdisciplinary Reviews. Computational Statistics, 14(1), 1530-1546. https://doi.org/10.1002/wics.1530

Beckerman, C. (2022). Is there a cyber security dilemma? Journal of Cybersecurity, 8(1), 1-12. http://dx.doi.org/10.1093/cybsec/tyac012

Bier, V., & Gutfraind, A. (2019). Risk analysis beyond vulnerability and resilience – Characterizing the defensibility of critical systems. European Journal of Operational Research, 276(2), 626-636. https://doi.org/10.1016/j.ejor.2019.01.011

Borghard, E., & Lonergan, S. (2023). Deterrence by denial in cyberspace. Journal of Strategic Studies, 46(3), 534-569. https://doi.org/10.1080/01402390.2021.1944856

Brabazon, T., Lyndall-Knight, T., & Hills, N. (2020). The creative PhD: Challenges, opportunities, reflection. New York: Emerald Publishing Limited.

Brown, G. (2021). How to get your PhD: a handbook for the journey. Oxford: Oxford University Press.

Cheung, K., & Bell, M. (2021). Attacker–defender model against quantal response adversaries for cyber security in logistics management: An introductory study. European Journal of Operational Research, 291(2), 471-481. https://doi.org/10.1016/j.ejor.2019.10.019

Costa, C., & Condie, J. (2018). Doing Research in and on the Digital: Research Methods Across Fields of Inquiry. London: Routledge.

Creemers, R. (2022). China’s emerging data protection framework. Journal of Cybersecurity, 8(1), 1-17. http://dx.doi.org/10.1093/cybsec/tyac011

Creemers, R. (2024). The Chinese Conception of Cybersecurity: A Conceptual, Institutional, and Regulatory Genealogy. Journal of Contemporary China, 33(146), 173-188. https://doi.org/10.1080/10670564.2023.2196508

Cremer, F., Sheehan, B., Fortmann, M., Mullins, M., Murphy, F., & Materne, S. (2024). Bridging the cyber protection gap: An investigation into the efficacy of the German cyber insurance market. Risk Management and Insurance Review, 27(1), 57-87. https://doi.org/10.1111/rmir.12261

Croucher, S., & Cronn-Mills, D. (2018). Understanding Communication Research Methods: A Theoretical and Practical Approach. London: Routledge.

Cunningham, F. (2022). Accommodative Signaling in Cyberspace and the Role of Risk. Security Studies, 31(4), 764-771. https://doi.org/10.1080/09636412.2022.2140601

Dacorogna, M., & Kratz, M. (2023). Managing cyber risk, a science in the making. Scandinavian Actuarial Journal, 2023(10), 1000-1021. http://dx.doi.org/10.48550/arXiv.2303.12939

Dacorogna, M., Debbabi, N., & Kratz, M. (2023). Building up cyber resilience by better grasping cyber risk via a new algorithm for modelling heavy-tailed data. European Journal of Operational Research, 311(2), 708-729. https://doi.org/10.1016/j.ejor.2023.05.003

Daverne-Bailly, C., & Wittorski, R. (2022). Research Methodology in Education and Training: Postures, Practices and Forms. Hoboken: John Wiley & Sons.

Gao, X. (2022). An attractive alternative? China’s approach to cyber governance and its implications for the Western model. The International Spectator, 57(3), 15-30. https://doi.org/10.1080/03932729.2022.2074710

Gupta, S., & Gupta, H. (2020). Business Research Methods. New York: McGraw-Hill.

Hausken, K. (2017). Information sharing among cyber  hackers in successive  attacks. International Game Theory Review, 19(2), 1-20. https://doi.org/10.1142/S0219198917500104

Hausken, K. (2024). Fifty Years of Operations Research in Defense. European Journal of Operational Research, 318(1), 355-368. http://dx.doi.org/10.1016/j.ejor.2023.12.023

Hausken, K., Welburn, J., & Zhuang, J. (2024). A Review of Attacker–Defender Games and Cyber Security. Games, 15(4), 28-43. https://doi.org/10.3390/g15040028

Khan, A. (2022). Deterrence and the Problem of Attribution in Cyberspace: An Analysis of Vulnerabilities and Options for Pakistan. BTTN Journal, 1(2), 1-19. https://doi.org/10.61732/bj.v1i2.21

Kovenock, D., & Roberson, B. (2018). The  optimal defense of  networks of targets. Economic Inquiry, 56(4), 2195-2211.  https://doi.org/10.1111/ecin.12565

Kumar, U., & Kothari, D. (2022). Research Methodology: Techniques and Trends. London: CRC Press.

Liang, L., Chen, J., & Siqueira, K. (2020). Revenge or continued attack and defense in defender–attacker conflicts. European Journal of Operational Research, 287(3), 1180-1190. http://dx.doi.org/10.1016/j.ejor.2020.05.026

Liu, X., Qian, X., Pei, J., & Pardalos, P. (2018). Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size. Journal of Global Optimization, 70(1), 413-436. https://doi.org/10.1111/itor.12972

Lonergan, E., & Schneider, J. (2023). The power of beliefs in US cyber strategy: The evolving role of deterrence, norms, and escalation. Journal of Cybersecurity, 9(1), 1-14. https://doi.org/10.1093/cybsec/tyad006

Mijwil, M., Filali, Y., Aljanabi, M., Bounabi, M., & Al-Shahwani, H. (2023). The purpose of cybersecurity governance in the digital transformation of public services and protecting the digital environment. Mesopotamian Journal of Cybersecurity, 2023(1), 1-6. http://dx.doi.org/10.58496/MJCS/2023/001

Mukherjee, S. (2019). A guide to research methodology: An overview of research problems, tasks and methods. London: CRC Press.

Onwuegbuzie, A., & Johnson, B. (2021). The Routledge Reviewer’s Guide to Mixed Methods Analysis. New York: Taylor & Francis.

Papageorgiou, M., Can, M., & Vieira, A. (2024). China as a Threat and Balancing Behavior in the Realm of Emerging Technologies. Chinese Political Science Review, 10(1), 1-42. https://doi.org/10.1007/s41111-024-00248-0

Peng, S. (2023). Digital Economy and National Security: Contextualizing Cybersecurity-Related Exceptions. Journal of Contemporary China, 10(1), 173-188. https://doi.org/10.1080/10670564.2023.2196508

Phillips, E., & Johnson, C. (2022). How to Get a PhD: A handbook for students and their supervisors 7e. London: McGraw-Hill Education (UK).

Qian, X., Yang, W., Pei, J., Liu, X., & Pardalos, P. M. (2022). A game of information security investment considering security insurance and complementary information assets. International Transactions in Operational Research, 29(3), 1791-1824. https://doi.org/10.1111/itor.12972

Rowe, N. (2021). The realities of completing a PhD: how to plan for success. London: Routledge.

Shan, X., & Zhuang, J. (2018). Modeling cumulative defensive resource allocation against a strategic attacker in a multi-period multi-target sequential game. Reliability Engineering and System Safety, 179(1), 12-26. https://doi.org/10.1016/j

Simon, J., & Omar, A. (2020). Cybersecurity investments in the supply chain: Coordination and a strategic attacker. European Journal of Operational Research, 282(1), 161-171. https://doi.org/10.1016/j.ejor.2019.09.017

Solak, S., & Zhuo, Y. (2020). Optimal policies for information sharing in information system security. European Journal of Operational Research, 284(3), 934-950. http://dx.doi.org/10.1016/j.ejor.2019.12.016

Vear, C. (2021). The Routledge International Handbook of Practice-Based Research. London: Routledge.

Walliman, N. (2018). Research Methods: The Basics. London: Routledge.

Welburn, J., Grana, J., & Schwindt, K. (2023). Cyber deterrence with imperfect attribution and unverifiable signaling. European Journal of Operational Research, 306(3), 1399-1416. https://doi.org/10.1016/j.ejor.2022.07.021

Xu, M., & Lu, C. (2021). China–US cyber-crisis management. China International Strategy Review, 3(1), 97-114. https://doi.org/10.1007/s42533-021-00079-7

Xu, Z., & Zhuang, J. (2019). A study on a sequential one‐defender‐N‐attacker game. Risk Analysis, 39(6), 1414-1432. http://dx.doi.org/10.1111/risa.13257

Yaghlane, A., & Azaiez, M. (2019). System survivability to continuous attacks: A game theoretic setting for constant attack rate processes. The Journal of the Operational Research Society, 70(8), 1308-1320. https://doi.org/10.1080/01605682.2018.1489350