Is the ability to identify a cyber attacker good and getting better?
At the Georgia Institute of Technology on Wednesday, Stewart A. Baker, the first assistant secretary for policy at the U.S. Department of Homeland Security, proposed that 2017 might just be a transformational moment in the quest for better cyber attribution.
“We are entering a golden age of attribution where perpetrators are increasingly being called out with reasonable certainty; but while the brave have gotten a lot of press out of it, will they regret their business approach and are their methods good enough and specific enough to be useful?” said Baker, who delivered the keynote address at the 15th Annual Georgia Tech Cyber Security Summit held Sept. 27. Today, he is a partner in Steptoe & Johnson LLP.
Baker reviewed four problems with attribution now: the balkanization of security, limited incentives to do attribution, speed of response, and availability of tools. He called for “data man traps” and cyber “beacon dye-packs” like those used by banks that could make it easier for law enforcement or intelligence communities to locate cyber hackers.
Organizations are beginning to publicly voice who they suspect is behind highly publicized breaches. Sony Pictures identified North Korea as their culprit. The Democratic National Committee identified Russia. Meanwhile, universities such as Georgia Tech are working closely with government sponsors and commercial partners to develop an initial science of traceback around how attribution should be performed.
“Georgia Tech is building frameworks for attribution so that others can leverage our approach by applying their own data and analyzing the result,” said Michael Farrell, Co-Director of the Institute for Information Security & Privacy (IISP) and organizer of the Summit.
But even when the methods are sound, key questions remain once the analysis is done. What is the right response when facing a nation-state hacker versus the individual criminal? What does it mean to hold nation states and companies responsible? How should the private sector use attribution information to better defend itself and mitigate risk? What if government is wrong when it claims who is behind an attack?
“We have to start with the assumption that cybersecurity is not something the public entirely has their head around,” said Hannah Kuchler, journalist for the Financial Times, who participated on a panel at the Summit moderated by Baker. “When government agencies offer conflicting opinions, it is confusing for the public.”
“There is a dissatisfaction in Washington, D.C., with the deterrence toolbox right now,” said Robert Knake, senior fellow at the Council on Foreign Relations and also a panelist at the Summit. “A basic problem here is contagion. [Hack back tools] can reach targets they weren’t intended for. To ban certain targets as off limits [during a counterattack], you’d also have to ban certain types of attacks. I’m not sure that will work.”
In addition to Kuchler and Knake, the panel included Kim Zetter, investigative journalist and author of a 2014 book about the Stuxnet virus; Cristin Goodwin, assistant general counsel for Microsoft Corp.’s security business; and Chad Hunt of the FBI’s Atlanta office.
“What are the private actions that are available to companies?” asked Goodwin. “There are different standards of evidence when talking about attribution of individuals or groups of actors.
“What’s so frustrating about attribution right now is that governments are still wrestling with what does cyberwarfare mean,” she said. “What are the rights of states? What are the private actions that are available to companies?… Our core value at Microsoft is how do we increase the cost of an attack to make it less valuable [for the perpetrator]?”
Hunt said he finds most companies don’t actually care who is behind an attack; they “want to know what resources they’re up against” and if their technical investments are enough.
Zetter, who has covered cyberwarfare and hacking since 1999, challenged whether governments should rely on private companies for attribution assistance.
“When you have the government relying on third-party companies for evidence, I think we’re getting into really muddy ground,” she said.
The choices available to executives, law enforcement, front-line cybersecurity practitioners, and diplomats present unique facets to the problem of “what to do next” after a breach, said Farrell.
“Right now, we lack a deterrence mindset in cyberspace,” he said. “We can’t just dust off the Cold War playbook from 50 years ago and assume it applies. Attribution is a key component to dealing with malicious cyber activity that is increasing in severity and volume. Georgia Tech research is working to change that and help inform decision-makers so they can be proactive in mitigating information risk.”