“Whodunit” is essential to solving crimes. You can’t make an arrest or prosecute a crime if you don’t even know who committed it.
That makes “attribution” one of the major challenges of law enforcement. But while identifying perpetrators is difficult enough in the physical world, it is even tougher in the cyber world, where the ways for perpetrators to cover their tracks or make it look like a breach was committed by someone else are both sophisticated and practically limitless.
Even experts who argue that credible attribution is possible don’t claim it is easy or quick.
But the debate over whether it is even possible in any meaningful way continues to rage.
On one side are experts like Stewart Baker, a partner at the law firm Steptoe & Johnson who has also held high-level positions at both the National Security Agency (NSA) and Department of Homeland Security (DHS), whose only partially tongue-in-cheek “Baker’s Law” has been, “Our security sucks. But so does theirs."
In other words, Baker’s more serious argument, which he has made for years, is that attribution of cybercrimes ranging from theft to espionage is well within reach of the good guys because, “the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.”
He is joined in that view by academics like Thomas Rid, professor of Security Studies at King’s College London, coauthor of the recent paper, “Attributing Cyber Attacks.”
In it, Rid and coauthor Ben Buchanan argue that attribution is not so much a black-and-white issue that is either solvable or not, but a more nuanced process that in large measure “depends on what states make of it,” and “minimizing uncertainty.”
On the other side are high-profile skeptics like Gary McGraw, CTO of Cigital; Bruce Schneier, CTO of Co3 Systems; Jeffrey Carr, president and CEO of Taia Global; and Marc Rogers, principal security researcher at CloudFlare.
McGraw has argued for years that while attribution is not impossible, it is close to it without credible human intelligence. “And people are unbelievably slow compared to computers,” he said.
According to McGraw, there is a big difference between identifying a machine and identifying who controls it.
“You can compromise a box where one of those machines is installed, and find out a lot about that machine,” he said. “But the question is: Who is running the machine? There’s no blood or DNA mapping going on. If you’re a nation-state-level attacker and want an adversary to believe that another nation state is doing it, there is nothing that can stop that.”
Carr contends that it is a matter of scale. He agrees in part with Stewart that security may be poor, but only for, “low-level attackers or amateurs.” On a larger scale, he agrees with McGraw. Those weaknesses, he said, “don’t apply to foreign intelligence services or professional mercenary hackers.”
The debate on attribution has heated up again in the wake of the hack last fall of Sony Pictures Entertainment, which both FBI Director James Comey and Admiral Michael Rogers, director of the NSA, attributed to the Democratic Republic of North Korea. Comey went so far as to say that the “entire intelligence community” shared his confidence in that attribution.
Perhaps within government, but the view is not unanimous in the private sector.
In a recent podcast debate Baker hosted on attribution, that included both Rid and Carr, Rid argued that the U.S. got it right, and that outside critics need to acknowledge the reality that U.S. intelligence agencies have much more access to other countries' cyber infrastructure than they can publicly admit.
“An intelligence agency, especially a well-resourced and powerful intelligence agency like the NSA, will have more visibility into this space than any private company,” he said. “That’s just a fact of life.”
To Carr’s argument that other nation states hostile to the U.S. could be “spoofing” the origin of the attack, or that even an ally like South Korea might not be providing accurate information, Stewart responded that the NSA doesn’t take anything at face value.
“Of course the NSA knows people may be lying to them,” he said. “That’s Tradecraft 101. The question is how do we verify, based on other info, what they’re saying to each other and to other sources.”
Joel Harding, a retired military intelligence officer and now a consultant on information operations, said he thinks, “attribution has improved tremendously. We have much better analytical tools for identifying code, techniques, unique exploits and signatures. We have better collaborative environments and education for the analysts from more experienced analysts and far greater cross-fertilization between analytical programs,” he said.