Whodunit? In cybercrime, attribution is not easy

Feb 09, 2015 | 7 mins

Cybercrime, Data Breach, Sony

The U.S. government’s announcement that North Korea was behind the hack of Sony Pictures Entertainment reignited the debate over how accurate cyber attribution can be.

“Whodunit” is essential to solving crimes. You can’t make an arrest or prosecute a crime if you don’t even know who committed it.

That makes “attribution” one of the major challenges of law enforcement. But while identifying perpetrators is difficult enough in the physical world, it is even tougher in the cyber world, where the ways for perpetrators to cover their tracks or make it look like a breach was committed by someone else are both sophisticated and practically limitless.

Even experts who argue that credible attribution is possible don’t claim it is easy or quick.

But the debate over whether it is even possible in any meaningful way continues to rage.

On one side are experts like Stewart Baker, a partner at the law firm Steptoe & Johnson who has also held high-level positions at both the National Security Agency (NSA) and Department of Homeland Security (DHS), whose only partially tongue-in-cheek “Baker’s Law” has been, “Our security sucks. But so does theirs.”

Baker’s more serious argument, which he has made for years, is that attribution of cybercrimes ranging from theft to espionage is well within reach of the good guys because, “the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.”

He is joined in that view by academics like Thomas Rid, professor of Security Studies at King’s College London, coauthor of the recent paper, “Attributing Cyber Attacks.”


In it, Rid and coauthor Ben Buchanan argue that attribution is not so much a black-and-white issue that is either solvable or not, but a more nuanced process that in large measure “depends on what states make of it,” and “minimizing uncertainty.”

On the other side are high-profile skeptics like Gary McGraw, CTO of Cigital; Bruce Schneier, CTO of Co3 Systems; Jeffrey Carr, president and CEO of Taia Global; and Marc Rogers, principal security researcher at CloudFlare.

McGraw has argued for years that while attribution is not impossible, it is close to it without credible human intelligence. “And people are unbelievably slow compared to computers,” he said.

According to McGraw, there is a big difference between identifying a machine and identifying who controls it.

“You can compromise a box where one of those machines is installed, and find out a lot about that machine,” he said. “But the question is: Who is running the machine? There’s no blood or DNA mapping going on. If you’re a nation-state-level attacker and want an adversary to believe that another nation state is doing it, there is nothing that can stop that.”


Carr contends that it is a matter of scale. He agrees in part with Stewart that security may be poor, but only for, “low-level attackers or amateurs.” On a larger scale, he agrees with McGraw. Those weaknesses, he said, “don’t apply to foreign intelligence services or professional mercenary hackers.”

The debate on attribution has heated up again in the wake of the hack last fall of Sony Pictures Entertainment, which both FBI Director James Comey and Admiral Michael Rogers, director of the NSA, attributed to the Democratic Republic of North Korea. Comey went so far as to say that the “entire intelligence community” shared his confidence in that attribution.

Perhaps within government, but the view is not unanimous in the private sector.

In a recent podcast debate on attribution that Baker hosted, which included both Rid and Carr, Rid argued that the U.S. got it right, and that outside critics need to acknowledge the reality that U.S. intelligence agencies have much more access to other countries’ cyber infrastructure than they can publicly admit.

“An intelligence agency, especially a well-resourced and powerful intelligence agency like the NSA, will have more visibility into this space than any private company,” he said. “That’s just a fact of life.”

To Carr’s argument that other nation states hostile to the U.S. could be “spoofing” the origin of the attack, or that even an ally like South Korea might not be providing accurate information, Stewart responded that the NSA doesn’t take anything at face value.

“Of course the NSA knows people may be lying to them,” he said. “That’s Tradecraft 101. The question is how do we verify, based on other info, what they’re saying to each other and to other sources.”

Joel Harding, a retired military intelligence officer and now a consultant on information operations, said he thinks, “attribution has improved tremendously. We have much better analytical tools for identifying code, techniques, unique exploits and signatures. We have better collaborative environments and education for the analysts from more experienced analysts and far greater cross-fertilization between analytical programs.”

But he agrees that the Sony attribution, coming only days after the intrusion was discovered, was “highly suspicious.”

And critics like McGraw don’t buy the argument that government has much better access to cyber intelligence than the private sector. “That’s just BS,” he said, noting past U.S. intelligence failures like the claim of weapons of mass destruction in Iraq. “Everybody likes to pretend they’re more important than they really are,” he said.

Rogers, writing on his personal blog, also remained skeptical, noting that leaked information from U.S. intelligence agencies claimed evidence had been gathered from North Korean networks that had been compromised by multiple parties.

“It’s hard to say that anything coming from a machine that’s been ‘hacked to pieces’ by multiple parties can definitively be attributed to anyone,” he wrote.

And recent revelations have given more ammunition to the skeptics.

Carr’s firm, Taia Global, announced just a week ago in a paper titled, “The Sony Breach: From Russia, No Love,” that it had credible evidence that a team of Russian hackers had not only gained access to SPE in late 2014, but were still inside the company’s network.

Taia said it was possible that the Russian attack was separate from the North Koreans, or that North Korea was telling the truth when it denied the attack, and, “that other hackers did, and at least one or more of those that did were Russian.”

Taia relied on what it called, “a trusted Russian contact,” a black-hat hacker who uses the alias “Yama Tough,” who had served time in a U.S. prison for cybercrimes and was deported to Russia upon his release.

Yama Tough made contact with someone he said was a member of the team that hacked SPE, and provided Taia with documents and emails different from those that had already been made public – one of them dated as late as Jan. 23.

That, the Taia report said, means SPE, “is still in a state of breach … Yama Tough’s Russian source appears to have at-will access to the company.”

Carr, asked if his firm’s report undermines his assertion that good attribution is next to impossible, said it was the human element that clinched it.

“When someone knocks on your door and hands you an envelope, assuming that you aren’t blind, attribution is pretty easy,” he said, adding that while he didn’t trust Yama Tough in the beginning, “over time he has earned my trust by delivering lots of solid data to me.”

Stewart, in a brief email interview, said the Taia revelation is, “interesting but doesn’t draw the North Korea attribution into question.”

Whatever the level of attribution accuracy, experts say it is well worth continuing to try to get it right. Harding said while the U.S. cannot prosecute state-sponsored hackers in China for espionage, it should affect the relationship between the two countries.

“It is almost impossible to quantify the amount of intellectual property stolen from U.S. servers,” he said. “It is on a scale that defies belief.”