“Was it North Korea, in the drawing room, with the poker?”
When a hacking scandal engulfs a company or government, it typically brings two things: newspaper headlines shaming the victim for their incompetence, and public debate about who actually did it. The OPM breach is a good example. Katherine Archuleta resigned after being blasted by Congress. Meanwhile, US officials pointed the finger at China, while others pooh-poohed the idea.
The problem with attribution is certainty. You can’t assume that the Chinese hacked your systems just because the attacks came from Chinese IPs. There’s a long history of attackers hiding themselves behind other people’s systems, using compromised machines to launch attacks that look like they came from other parts of the world.
“There can be chains six, seven links long,” said Bruce Schneier, security guru and fellow at the Berkman Center for Internet and Society at Harvard Law School.
Never a sure bet
Things like that make cyber-attack attribution difficult, argued Eric Cowperthwaite, VP of advanced security and strategy at Core Security. “Look at the gyrations that happened when people tried to prove who broke into Sony, and all the finger pointing around that,” he said. “You have one group saying it was North Korea, and another saying it was insiders.”
Even Schneier changed his mind on Sony. After initial skepticism, he saw mounting evidence that eventually persuaded him North Korea was involved. But does that mean that we can now be 100% sure that North Korea hacked Sony, or that anyone is responsible for a hack against anyone else?
“How confident are you that your father is really your father?” responded Schneier.
DNA tests? Sure, but you’d have to put your dad and the lab workers through an incredible level of scrutiny during the whole process, never letting donor or sample leave your sight, watching the lab worker like a hawk, and so on. That would be impractical in most cases, so you rely on the integrity of the lab process. That, in turn, reduces your level of certainty below some Platonic ideal.
We have to do the same with cyberattack attribution, Schneier explained. There’s no such thing as a sure bet, but we still convict cybercriminals all the time. Courts don’t ask for 100%, absolute certainty; they typically ask for proof beyond reasonable doubt.
The FBI sent Ross Ulbricht down for running the Silk Road dark web site not because his identity was immutably recorded in the bitcoin blockchain, but because they spent months gathering a body of evidence that left them convinced beyond all doubt. It was enough, just as the evidence that has convicted hundreds or thousands of people for misusing computers is enough.
The level of certainty that you need to take action changes depending on who you are and what the consequences will be, Schneier said. “If we’re going to arrest them it has to be pretty high.” If you’re dropping drones on someone or launching a counter cyber-attack, you should be pretty darn sure.
So, how much certainty do law enforcement and intelligence communities have when investigating these attacks? Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the US government, has argued that the NSA has it covered. “You can do the forensics if you can hack into all the servers. The NSA can do that. And the NSA tells me that attribution isn’t really a problem,” he told Forbes. And that was half a decade ago.
But of course, intelligence services aren’t going to tell you exactly how they know. Nation states can’t even let each other know what data they really pulled out, let alone their media. They don’t want to give up too much about their techniques, pointed out David An, speaking at Defcon last month.
So we’re left with some publicly released information to quarrel about, while intelligence and law enforcement agencies point to a set of known unknowns. Meaning, they know, and you don’t.
That’s another problem. Yet another is that an atmosphere of state surveillance mixed with government opacity has led to a lack of trust, which makes it difficult for many people to believe what federal agencies may be telling them.
Does it really matter who mounted an attack, as long as we can stop it? It does, especially when nation states are suspected. Nation state victims may be forced to respond, whether they are hacked themselves or see companies underpinning their economies hacked. To respond, they need to prove who was responsible.
The legal frameworks surrounding responses to cyberattacks are not only still murky, but where they do exist in fledgling form they potentially accentuate the attribution problem by setting high requirements for transparency and accountability. With a lot of this work happening behind the scenes, it seems unlikely that in practice, we will be able to do anything other than stand by and speculate. Kinetic wars may have become more public than ever, but cyberwars may be fought mostly in secret.