Wednesday, 18 May 2016

NATO Paper on the Tallinn Manual, Paper 6: Responsible Attribution: A Prerequisite For Accountability (Summary), English


Responsible Attribution: A Prerequisite For Accountability

Jeffrey Carr

Executive Summary


Yet another complication is an over-reliance upon signals intelligence (SIGINT) without physical corroboration through human intelligence (HUMINT). Then there is the matter of an insecure global network, which unfortunately is considered by many to be an asset. Intelligence agencies prefer weak encryption standards to strong because the former are easier to break.

It Depends on What Is Meant by “Attribution”

themselves. For example, the FBI, in cooperation with various foreign counterparts, has been successful in catching many members of the Anonymous collective who were allegedly involved in criminal acts in cyberspace.

Training, tools, budgets, professionalism and sheer guesswork may all play a part in whether any attempt at attribution will be successful or not. This paper will grant that attribution is straightforward for low-hanging fruit like amateur hacktivists or bored Chinese soldiers with inadequate operational security. Instead, it will examine the challenge of assigning attribution when a skilled, disciplined, and well-funded team of state or non-state actors has launched a cyber attack of significance, such as one potentially causing long-term serious damage to a nation’s power, water, banking or transportation systems.

Complicating Factor I

accumulates nth level effects (chaos, looting, rioting, etc.) with human casualties can be carried out in an entirely covert manner without being part of a corresponding kinetic attack or military operation.

In the recent past, military operations (e.g., 2002 Russian-Chechen war; 2007 Israeli strike against Syria; 2008 Russian invasion of Georgia; 2009 Israel’s Operation Cast Lead; 2014 Israeli-Hamas war; 2014 Russia-Ukraine conflict) have been accompanied by cyber attacks, making the attribution problem relatively moot. Stuxnet, on the other hand, was a stealth attack and, while attribution by intuition laid the blame either on the U.S. or Israel or both, there was no hard evidence until the White House initiated multiple leak investigations,8 validating journalist David Sanger’s identifying claims made in his 2012 book on U.S. clandestine operations and the accompanying New York Times articles.9

If no overt hostilities or geopolitical tension exist between the victim of a cyber attack and the attacker, the victimised government must rely on its security and intelligence services to discover the responsible actor.

It is neither sufficient nor legally justifiable to simply trace an attack to a server located in a foreign country. This has been acknowledged in Rule 8 of the Tallinn Manual, which states that “the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State.”

Complicating Factor II

A cyber attack may be timed to take advantage of geopolitical tensions between two adversary states by an unknown third state or non-state actor.

It is quite easy to take over a computer in a government office and convert it to a command and control server, especially if one of the two states that is being manipulated has many of its nation’s computers already compromised by malware.

Complicating Factor III

Much of what is presumed to be known about cyber threat actors originates from the private sector and is based almost solely upon common technical indicators12 rather than first-person knowledge gained from human intelligence operations or criminal prosecutions.

The process that private cyber security firms use to identify and name cyber threat actors is arbitrary and lacks any centralised oversight or validation:

“Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership.”13

In fact, names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda all represent the same “group”; a group that may or may not actually exist as a hacker organisation or military unit.14 Even if it does, no one knows who the members are (with a handful of notable exceptions15), or whether they have moved on to other groups. Hundreds of such made-up monikers have been created and no one knows if they represent actual groups, duplicates of other groups, or the product of overly presumptive cyber security companies competing with one another to sell cyber security intelligence. Some of the classified cables which surfaced during the Wikileaks revelations contained much of the same information that was previously shared by cyber security companies in public press releases and unclassified reports. This suggests that at least some of the classified threat intelligence that the U.S. Government has on Chinese hackers originated from the private sector, ostensibly with no oversight and little to no source validation.

Complicating Factor IV

When Stuxnet was developed in 2007 or 2008, it took several years and millions of dollars to create, and the malware succeeded in destroying just under 1,000 of Iran’s nuclear enrichment centrifuges at Natanz. In 2012, Shamoon was created by one or more hackers of moderate skill who tried to reverse-engineer the Wiper virus allegedly created by the same lab which created Stuxnet.16 It destroyed 2,000 servers and 32,000 workstations at Saudi Arabia’s national oil company Saudi Aramco, thereby impacting its business operations for weeks.

Think of an unregistered gun which may be used by one person to commit a crime and is then left on the street for someone else to pick up and use in a different crime, and so on.

Attribute with Caution

The attribution of an attack which is destructive enough to justify the victim’s response with force in self-defence must be done in accordance with international law and must reach a high threshold of certainty.17 The digital forensic evidence collected should certainly be shared with other nations’ CERT teams for peer review to avoid confirmation bias. While cyber attacks can be traced to infrastructure located within another state’s borders, that fact alone is not enough to justify a counter-attack. Other possibilities such as the remote control of servers in another state must also be ruled out.18 Even if the server used was connected to another state’s government network, “it is not sufficient evidence for attributing the operation to that State.”19

With respect to the technical challenges of attribution, it is important to note that the advance planning for a computer network attack of this magnitude would involve multiple servers across multiple countries. The attackers would likely also be careful to set up one or more shell businesses with corresponding servers in nations other than their own so that, even if an IP-address could be traced back through multiple hops, its originating source would still not be located in the state that planned and executed the attack. This type of operational security is used by at least one industrial espionage group in China, according to the FBI.20

Unfortunately, the rapid adoption of insecure technologies running critical infrastructure will not be stopped. As the world becomes more digitally connected, it also becomes easier for adversaries to cross physical, financial, and technological barriers that historically have made it difficult or impossible to cause harm in an anonymous manner. However, in today’s global economy, it is highly unlikely that any developed country in the G8 or G20 would attempt to take down another nation’s banking, power, or transportation system because it would serve more as a collective punishment than anything else.

The most likely adversary responsible for a covert attack against those critical systems is an extremist group (religious, political, or anarchist), and the best way to learn which of those groups may have been responsible post-attack is to already have in place a long-term counter-intelligence campaign of infiltration and the development of trusted contacts with access. This cannot be done virtually or from behind a computer. Rather, those intelligence agencies that have yet to devote the bulk of their budget to signals capabilities may be best positioned to tackle the problem of attribution. They understand the need to continue to fund and even expand human intelligence – this is still vital, despite the fact that we are living in the age of Facebook, Twitter and Instagram.
