By Harry Oppenheimer
After the US-Russia summit in Geneva, Switzerland in June 2021, Russian President Vladimir Putin held a news conference where he made several questionable claims. In one of these, he asserted that Russia was not a significant source of cyberattacks around the world:
“From American sources, it follows that most of the cyberattacks in the world are carried out from the cyberrealm of the United States. Second place is Canada. Then two Latin American countries. Afterward comes Great Britain. Russia is not on the list of countries from where—from the cyberspace of which—most of the various cyberattacks are carried out.”
Most members of the media were quick to dismiss Putin’s claim as propaganda. After all, Russian hackers had shut down parts of Ukraine’s power grid, targeted US political campaigns, and caused over ten billion dollars of damage through the malware attacks known as NotPetya.
Cyberforensic data on where threats are hosted tell a different story: on this narrow point, the Russian president was right. It is not news in the technical community that the United States hosts the most malicious software, or malware. But that fact misses an important nuance: even when cyberattacks are hosted in the US, digital threats cross national boundaries frequently, and combating them requires transnational cooperation. Other countries may be behind threats in the first place, but the attacks are hosted within and between the world’s most connected countries. While this may sound like a technicality, it has significant implications for how we think about cybersecurity policy and international cooperation in the digital age.
Furthermore, internet security presents a puzzle for modern democratic societies, and my research points to a tradeoff. On the one hand, increasing interdependence through internet diffusion has lifted millions of people out of poverty and helped build a new global society. We want to maintain this system, but an implication of interdependence is shared security challenges and demand for new regulation. On the other hand, regulating cybersecurity and managing digital interdependence may limit the free flow of information at the core of democratic societies.
The Nature of Cyberattacks
Many scholars note that, contrary to popular belief, cyberattacks between nation-states are rare. Cyberattacks themselves, however, certainly are not. Digital threats are estimated to cost the global economy six trillion dollars per year, and they affected 180 million internet users last year. Governments and private companies spend over 200 billion dollars a year to mitigate them. And although cybersecurity threats don’t occur only between one government and another, they do present transnational policy challenges that require coordination and cooperation.
As countries exchange more data, they begin to face shared threats: hackers who use computers in multiple countries to launch and control attacks. To target systems in the US or Europe effectively, attackers typically need access to hosts in the US or Europe. Some malicious hosts might be run by agents of foreign governments who use them for espionage or to target military systems. These, however, are the exception, not the rule.
How do these attacks work? Think of malicious program hosts as safe houses for a criminal network. When a criminal decides to commit a crime, they may use a series of hosts to deliver their attack, moving from one to another until they are as close as possible to their target. They may have hosts in multiple cities or countries to avoid the authorities, and the more hosts they have, the less it matters whether they lose one. They might steal something in one place and then pass it through their safe houses until they feel ready to possess it in the open. They will change up the way that they move between hosts over time so they minimize behavior patterns that might alert investigating authorities.
The nature of cyberattacks has evolved over the years. Attacks used to be one-time events: malware was delivered, for example, as an executable file that a user unknowingly downloaded and ran, infecting their computer. Attacks have since grown more sophisticated and now often include “command and control” infrastructure, where the malware on the infected machine establishes communication with a server the attacker operates, allowing the attacker to issue ongoing commands to the compromised computer and to change which hosts it talks to over time.
How Cyberforensic Data Can Shed Light
Cyberforensic data can be used not only to understand where digital threats originate, but also how they link countries. The largest accessible source of cyberforensic data is Georgia Tech’s dataset on malware hosting—essentially a look at how digital threats target users leveraging the architecture of the internet. Overall, the dataset contains 65,083,243 unique suspicious programs, and the IP addresses of 733,214 unique command and control hosts. Cybersecurity professionals use these data to understand how malware programs try to evade detection, target networks, and find victims. Political scientists can use these data to understand the geography of digital threats.
In this dataset on malware hosting, 21 percent of all the threats the researchers examined use hosts in more than one country; that is, a single malicious program is controlled through computers in multiple countries. Of those 13,601,662 threats, 93.3 percent used at least one host in the United States, 5.7 percent used at least one host in Russia, and none ever used North Korea’s internet space to facilitate attacks. So while Russian hackers may be a great threat, US computers are most often the infrastructure through which hackers of any origin deliver their threats.
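As an added example (not the author’s code and not drawn from the Georgia Tech feed), the following Python script shows how the figures in this section and the 2020 cohosting network described in the figure caption are derived from a feed of (month, program, command-and-control IP) records: the share of programs hosted in more than one country, the share of those touching a given country, and the average monthly number of programs that use both countries of a pair. The feed and the IP-to-country table are constructed from documentation (TEST-NET) address ranges so the script runs offline; a real analysis would resolve IPs with a GeoIP database and read the passive DNS feed itself.

```python
"""Cohosting analysis over a constructed malware C2 feed (added example)."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample feed: (month, program id, command-and-control IP).
# A real passive-DNS feed carries hashes, domains and timestamps; the
# fields here are reduced to what the analysis needs.
SAMPLE_FEED = [
    ("2020-01", "mal-001", "203.0.113.5"),
    ("2020-01", "mal-001", "198.51.100.7"),
    ("2020-01", "mal-002", "203.0.113.9"),
    ("2020-01", "mal-002", "192.0.2.99"),   # no country mapping: unresolved
    ("2020-01", "mal-003", "192.0.2.10"),
    ("2020-01", "mal-003", "198.51.100.20"),
    ("2020-02", "mal-004", "203.0.113.5"),
    ("2020-02", "mal-004", "198.51.100.20"),
    ("2020-02", "mal-004", "198.51.100.7"),
    ("2020-02", "mal-005", "203.0.113.40"),
    ("2020-02", "mal-006", "192.0.2.10"),
]

# Constructed IP -> ISO3 country table standing in for a GeoIP lookup.
# The country is where the host sits, not where its operator sits.
GEO = {
    "203.0.113.5": "USA", "203.0.113.9": "USA", "203.0.113.40": "USA",
    "198.51.100.7": "IRL", "198.51.100.20": "NLD",
    "192.0.2.10": "RUS",
}


def country_sets(feed, geo):
    """Map each program id to the set of countries hosting its C2 IPs.
    Returns (sets, unresolved); unresolved counts IPs with no mapping."""
    sets = defaultdict(set)
    unresolved = 0
    for _month, prog, ip in feed:
        country = geo.get(ip)
        if country is None:
            unresolved += 1
            continue
        sets[prog].add(country)
    return dict(sets), unresolved


def multi_country_shares(sets, *countries):
    """Share of programs hosted in more than one country and, among those,
    the share that use at least one host in each of `countries`."""
    multi = [s for s in sets.values() if len(s) > 1]
    share_multi = len(multi) / len(sets) if sets else 0.0
    if not multi:
        return share_multi, {c: 0.0 for c in countries}
    shares = {c: sum(1 for s in multi if c in s) / len(multi) for c in countries}
    return share_multi, shares


def cohosting_network(feed, geo):
    """Edge weight: average number of programs per month that use hosts in
    both countries of a pair (months without the pair count as zero).
    Node degree: number of distinct partner countries."""
    per_month = defaultdict(set)  # (month, program) -> countries
    months = set()
    for month, prog, ip in feed:
        months.add(month)
        if ip in geo:
            per_month[(month, prog)].add(geo[ip])
    monthly = Counter()
    for countries in per_month.values():
        for pair in combinations(sorted(countries), 2):
            monthly[pair] += 1
    weights = {pair: n / len(months) for pair, n in monthly.items()}
    degree = Counter()
    for a, b in weights:
        degree[a] += 1
        degree[b] += 1
    return weights, dict(degree)


if __name__ == "__main__":
    sets, unresolved = country_sets(SAMPLE_FEED, GEO)
    share_multi, shares = multi_country_shares(sets, "USA", "RUS", "PRK")
    print(f"{unresolved} C2 IPs had no country mapping")
    print(f"{share_multi:.1%} of programs use hosts in more than one country")
    for country, share in shares.items():
        print(f"  of those, {share:.1%} use at least one host in {country}")
    weights, degree = cohosting_network(SAMPLE_FEED, GEO)
    for (a, b), w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"{a}-{b}: {w:.1f} programs/month")
    print("partner countries per node:", degree)
```

Two caveats a practitioner would check before drawing conclusions from such output: unresolved IPs are counted rather than silently dropped, since a feed with many unmapped addresses biases the country shares, and the country attached to a host is the hosting location, which says nothing about who operates the host. The second point is exactly the distinction this section draws.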
There are several ways that we can use these data to understand how and when states cooperate. Networks surround states, whether networks of activists, supply chains, financial flows, or alliances. While we think of the internet as a new and important network, we know very little about how it interacts with international cooperation. In part of my research, I ask how states end up at the center of the digital threat network. Is it that they lack effective regulation, that they have many enemies, or that their citizens have poor computer skills and poor cyber “hygiene”? Using data on the internet’s technical structure, I show instead that countries at the geographic center of the internet are the most exposed to risk, independent of their ability to unilaterally respond or adjust. As in many historical issue areas in international relations, like banking or maritime trade, the actors that benefit most from globalization and are highly interdependent are also the most exposed to the negative parts of the system. These states should have the greatest incentives to contribute to global cybersecurity goods like capacity assistance, new standards, and the targeting of criminal networks. At the bilateral level, we can also ask whether countries that share significant threats work together to combat them and, if not, what this tells us about the barriers to international cooperation.
The Solution? Interdependence
Digital threats do not just divide countries; they may also unite them. Hackers in countries such as Russia, Iran, or North Korea may be controlling hosts in US IP space. As mentioned above, this may sound like a technicality, but it means there are many opportunities to disrupt these networks in the absence of any agreement with Russia.
Cybersecurity is a process of securing digital data as it is stored and transferred across systems, and there are real ways that states can work together to increase digital security. If users in two countries experience many crimes that use both their infrastructures, they both benefit when one of them targets criminals or shares information about the threats they face.
The US has spent significant political capital trying to build cooperation with countries with which it has few shared interests. For instance, the US carried out a series of bilateral dialogues with China and Russia in 2013. These dialogues were supposed to create confidence-building measures and opportunities for the sides to express their views on norms and standards in cyberspace. However, these conversations have been difficult to sustain: while the dialogue with China was institutionalized into a working group, China pulled out of it in 2014 after US authorities indicted People’s Liberation Army officers for a series of cyberattacks. When a bilateral cybersecurity working group was proposed between the US and Russia, one official, speaking anonymously, called cybersecurity cooperation between the sides “a pipe dream.”
Instead, countries could maximize impact by coordinating with those with which they have many shared interests—the countries that regulate the IP space where digital threats are hosted, and with which they are most digitally interdependent. Technical cooperation has an important and long history within international relations, and robust international mechanisms exist to facilitate technical cooperation within the European Union. The 2020 network in the graphic above shows what this looks like. Hosts in the United States and Ireland were featured together in an average of over 52,000 malicious programs per month, and between the US and the Netherlands in an average of over 48,000 malicious programs. These countries also exchange a significant amount of nonmalicious data between them—their shared level of threat is a consequence of their interdependence.
Russia’s internet space is not within the US core for threats, although Russian hackers may be controlling some of the hosts in the Netherlands. Coordination between experts in the Netherlands and the United States may be the only option to increase security. Cooperation can target the command and control networks to take a chunk out of that six trillion-dollar toll that cyberattacks cause every year. This may not end the election hacking or power grid attacks that have been the focus of high-level international engagement so far. However, cooperation can work to deny access to the hosts that enable most digital threats—and improve cybersecurity on a day-to-day basis.
Cybersecurity research programs can pivot to focus on how states work together to support the stability of the entire internet, the system that we interact with every day. There is good news—states like Australia have invested significantly in the capacity of their digital neighbors in the South Pacific; and countries at the center of the internet like the Netherlands have made significant investments in global cybersecurity goods such as information-sharing networks and capacity-building programs in the developing world. Cooperation in cyberspace is not without risks, of course—sharing information about threats might help another country patch a bug that you could have exploited yourself. A country that you help build up capacity at one moment might be your adversary at the next.
However, digital decoupling is not an option—the internet is here to stay and states have to learn how to manage the consequences. Cybersecurity threats in one state are a function of threats in another. The internet is a global system without a global government. This creates demand for cooperation, institutions, and new regulation—but regulating information is anathema to many democratic societies. Hopefully reframing cybersecurity around the risks and benefits of interdependence can encourage states to think about the absolute gains in cybersecurity. If they elevate and reframe cybersecurity cooperation, they may find many willing partners.
Harry Oppenheimer is a Graduate Student Affiliate; Weatherhead Center Dissertation Fellow; and affiliate with the Weatherhead Research Cluster on International Security. He is a PhD candidate in the Department of Government at Harvard University. His research interests include technology and international relations; political psychology; norm diffusion; and applied statistics.
- Talks between Russian President Vladimir Putin and US President Joseph Biden in Geneva on 16 June 2021. Credit: kremlin.ru. Wikimedia, Attribution 4.0 International (CC BY 4.0)
- 2020 Malware Hosting Network Graph | This figure represents the network of malware program hosts for 2020. The line thickness between countries represents the average monthly number of malware programs that used both countries. The size of the circle represents the total number of connections a country has with other countries. In this graph, the weakest line is IMN-USA (Isle of Man-USA) with only one malware program using both countries; and the strongest is IRL-USA (Ireland-USA) with 52,393. The colors represent clusters of countries that feature significant cohosting. For instance, Ukraine, Latvia, Finland, and Switzerland (in purple) are a cluster that hosts significant threats. Countries colored in beige belong to no particular cluster. Credit: Harry Oppenheimer. Raw Data: "GT Malware Passive DNS Data Daily Feed," Georgia Tech Information Security Center
- Cyber techno background. Credit: Pete Linforth, Pixabay