Tracing a large-scale cyber attack might be easier than thought, given the capabilities our adversaries would need to carry out such an effort, according to a cybersecurity and homeland security expert.
Instead of attribution, countries that serve as a base for cyber attacks need to be proactive in investigating these acts or be seen as complicit in them, Robert Knake, International Affairs Fellow, Council on Foreign Relations, tells the House Committee on Science and Technology Subcommittee on Technology and Innovation.
“For the high-end threats that my work is focused on, attribution will almost certainly be possible due to the limited number of actors that possess the capability to present a national security challenge in cyber space,” he tells lawmakers this month at a hearing entitled “Planning for the Future of Cyber Attack Attribution.”
Analysts who have studied capabilities of foreign governments and private groups have concluded that no more than 100 groups and possibly as few as four foreign militaries have the capability to cause real world harm through cyber attacks, Knake says.
“Such an attack would also take significant investments of time and money and teams of highly skilled specialists,” he adds. “While technical attribution may only provide limited evidence of who is behind the attack, traditional intelligence and law enforcement can make up the difference.”
Knake has no doubt that the government would be able to amass enough evidence in the event of a cyber Pearl Harbor for the president to take action.
State Responsibility
But instead of attribution, he says the focus should be put on accountability in cyber space.
“Non-cooperation in investigating international cyber attacks should be taken as a sign of culpability,” he says. “States must be held responsible for securing their national cyber space and should have an obligation when citizens within their country are involved in a cyber attack.”
There is a need to move to a situation where countries not only participate in investigating cyber attacks, but move to a mechanism to shut down systems that are controlling attacks or participating in botnets, Knake says. “Failure to assist should be treated as complicity.”
As for the concept of deterrence, finding an analogy between the Cold War and cyber space is unpersuasive, he says.
“Because many potential adversaries do not have as heavy reliance on networks in their industries, governments or militaries, in order to retaliate in any significant way we would be forced to escalate out of the cyber domain and conduct kinetic attacks,” Knake says. “That is not a situation we want to be in, and the threat to do so may be perceived as incredible thus limiting the deterrent factor. We need to focus on improving our defenses and making investments to secure our portion of cyber space.”
Additionally, current attribution capabilities are clearly no deterrent, Ed Giorgio, president and co-founder of Ponte Technologies, tells the lawmakers.
“Post attack attribution today is not effective and the protocols we have today are inefficient to provide it,” he says.
If the government wants the ability to attribute attacks, it may have to pay directly for the technologies to do so, says David Wheeler, research staff member, Information Technology and Systems Division, Institute for Defense Analyses.
“There is little evidence that the commercial sector is willing to shoulder the cost of attribution capability,” Wheeler says. “Most companies view identifying attackers as a law enforcement or military action, not a commercial one.”
One approach would be to fund the development and deployment of these applications with proprietary and open source software, Wheeler notes. “One product in each category should be funded so the government isn’t locked in with a single supplier.”
Additionally, standards are critically necessary for some attribution technology, Wheeler says. Those should be open standards to promote competition, and the U.S. government should be involved in the development of such standards, he adds.