By Geoff Fein
Tracing a large-scale cyber attack might be easier than thought, given the capabilities our adversaries would need to carry out such an effort, according to a cybersecurity and homeland security expert.
Instead of attribution, countries that serve as a base for cyber attacks need to be proactive in investigating these acts or be seen as complicit in them, Robert Knake, International Affairs Fellow, Council on Foreign Relations, yesterday told the House Committee on Science and Technology Subcommittee on Technology and Innovation.
“For the high-end threats that my work is focused on, attribution will almost certainly be possible due to the limited number of actors that possess the capability to present a national security challenge in cyber space,” he told lawmakers yesterday at a hearing on Planning for the Future of Cyber Attack Attribution.
Analysts who have studied capabilities of foreign governments and private groups have concluded that no more than 100 groups and possibly as few as four foreign militaries have the capability to cause real world harm through cyber attacks, Knake said.
“Such an attack would also take significant investments of time and money and teams of highly skilled specialists,” he added. “While technical attribution may only provide limited evidence of who is behind the attack, traditional intelligence and law enforcement can make up the difference.”
Knake added he had no doubt that the government would be able to amass enough evidence in the event of a cyber Pearl Harbor for the president to take action.
But instead of attribution, he added, focus should be put on accountability in cyber space.
“Non-cooperation in investigating international cyber attacks should be taken as a sign of culpability,” he said. “States must be held responsible for securing their national cyber space and should have an obligation when citizens within their country are involved in a cyber attack.”
There is a need to move to a situation where countries not only participate in investigating cyber attacks, but move to a mechanism to shut down systems that are controlling attacks or participating in botnets, Knake said. “Failure to assist should be treated as complicity.”
As for the concept of deterrence, finding an analogy between the Cold War and cyber space is unpersuasive, he said.
“Because many potential adversaries do not have as heavy reliance on networks in their industries, governments or militaries, in order to retaliate in any significant way we would be forced to escalate out of the cyber domain and conduct kinetic attacks,” Knake said. “That is not a situation we want to be in, and the threat to do so may be perceived as incredible thus limiting the deterrent factor. We need to focus on improving our defenses and making investments to secure our portion of cyber space.”
Additionally, current attribution capabilities are clearly no deterrent, Ed Giorgio, president and co-founder of Ponte Technologies, told lawmakers.
“Post attack attribution today is not effective and the protocols we have today are inefficient to provide it,” he said.
If the government wants the ability to attribute attacks, it may have to pay directly for the technologies to do so, David Wheeler, research staff member, Information Technology and Systems Division, Institute for Defense Analyses (IDA), told subcommittee members.
“There is little evidence that the commercial sector is willing to shoulder the cost of attribution capability,” he said. “Most companies view identifying attackers as a law enforcement or military action, not a commercial one.”
One approach would be to fund the development and deployment of these applications with proprietary and open source software, Wheeler noted. “One product in each category should be funded so the government isn’t locked in with a single supplier.”
Additionally, standards are critically necessary for some attribution technology, he said. Those should be open standards to promote competition and the U.S. government should be involved in development of such standards, Wheeler added.
Rep. Adrian Smith (R-Neb.) questioned whether efforts to attribute a cyber attack are futile.
“I don’t think they are futile and I think it is important for us to improve security through education and open standards,” Marc Rotenberg, president, Electronic Privacy Information Center, said. “It is important to develop better forensic techniques so it is possible to trace back attacks. [It would] be a mistake for practical reasons to place too much emphasis on attribution.”