Responsible Attribution: A Prerequisite For Accountability
Jeffrey Carr
Executive Summary
Yet another complication is an over-reliance upon
signals intelligence (SIGINT) without physical corroboration through human
intelligence (HUMINT). Then there is the matter of an insecure global network,
which unfortunately is considered by many to be an asset. Intelligence agencies
prefer weak encryption standards to strong because the former are easier to
break.
It Depends on What Is Meant by “Attribution”
themselves. For example, the FBI, in cooperation with
various foreign counterparts, has been successful in catching many members of
the Anonymous collective who were allegedly involved in criminal acts in
cyberspace.
Training, tools, budgets, professionalism and sheer
guesswork may all play a part in whether any attempt at attribution will be
successful or not. This paper will grant that attribution is straightforward
for low-hanging fruit like amateur hacktivists or bored Chinese soldiers with
inadequate operational security. Instead, it will examine the challenge of
assigning attribution when a skilled, disciplined, and well-funded team of
state or non-state actors has launched a cyber attack of significance, such as
one potentially causing long-term serious damage to a nation’s power, water,
banking or transportation systems.
Complicating Factor I
accumulates nth level
effects (chaos, looting, rioting, etc.) with human casualties can be carried
out in an entirely covert manner without being part of a corresponding kinetic
attack or military operation.
In the recent past, military operations
(e.g., 2002 Russian-Chechen war; 2007 Israeli strike against Syria; 2008
Russian invasion of Georgia; 2009 Israel’s Operation Cast Lead; 2014
Israeli-Hamas war; 2014 Russia-Ukraine conflict) have been
accompanied by cyber attacks, making the attribution problem relatively moot.
Stuxnet, on the other hand, was a stealth attack and while attribution by
intuition laid the blame either on the U.S. or Israel or both, there was no
hard evidence until the White House initiated multiple leak investigations,[8] validating
journalist David Sanger’s identifying claims made in his 2012 book on U.S.
clandestine operations and the accompanying New York Times articles.[9]
If no overt hostilities or geopolitical tension exist
between the victim of a cyber attack and the attacker, the victimised
government must rely on its security and intelligence services to discover the
responsible actor.
It is neither sufficient nor legally justifiable to
simply trace an attack to a server located in a foreign country. This has been
acknowledged in Rule 8 of the Tallinn
Manual, which states that “the fact that a cyber operation has been
routed via the cyber infrastructure located in a State is not sufficient
evidence for attributing the operation to that State.”
Complicating Factor II
A cyber attack may be timed
to take advantage of geopolitical tensions between two adversary states by an
unknown third state or non-state actor.
It is quite easy to take over a computer in a
government office and convert it to a command and control server, especially if
one of the two states that is being manipulated has many of its nation’s
computers already compromised by malware.
Complicating Factor III
Much of what is presumed to
be known about cyber threat actors originates from the private sector and is
based almost solely upon common technical indicators[12] rather than first-person knowledge gained
from human intelligence operations or criminal prosecutions.
The process that private cyber security firms use to
identify and name cyber threat actors is arbitrary and lacks any centralised
oversight or validation:
“Overall, the key findings
indicate that organizations use a diverse array of approaches to perform cyber
intelligence. They do not adhere to any universal standard for establishing and
running a cyber intelligence program, gathering data, or training analysts to
interpret the data and communicate findings
and performance measures to leadership.”[13]
In fact, names like Comment Crew, APT1, Soy Sauce,
GIF89a, Shanghai Group, and Comment Panda all represent the same “group”; a
group that may or may not actually exist as a hacker organisation or military
unit.[14] Even if it
does, no one knows who the members are (with a handful of notable exceptions[15]), or whether they have moved
on to other groups. Hundreds of such made-up monikers have been created and no
one knows if they represent actual groups, duplicates of other groups, or the
product of overly presumptive cyber security companies competing with one
another to sell cyber security intelligence. Some of the classified cables
which surfaced during the Wikileaks revelations contained much of the same
information that was previously shared by cyber security companies in public
press releases and unclassified reports. This suggests that at least some of
the classified threat intelligence that the U.S. Government has on Chinese hackers
originated from the private sector, ostensibly with no oversight and little to no source
validation.
Complicating Factor IV
When Stuxnet was developed in 2007 or 2008, it took
several years and millions of dollars to create, and the malware succeeded in
destroying just under 1,000 of Iran’s nuclear enrichment centrifuges at Natanz.
In 2012, Shamoon was created by one or more hackers of moderate skill who tried
to reverse-engineer the Wiper virus allegedly created by the same lab which
created Stuxnet.[16] It
destroyed 2,000 servers and 32,000 workstations at Saudi Arabia’s national oil
company Saudi Aramco, thereby impacting its business operations for weeks.
Think of an unregistered gun which may be used by one
person to commit a crime and is then left on the street for someone else to
pick up and use in a different crime, and so on.
Attribute with Caution
The attribution of an attack which is destructive
enough to justify the victim’s response with force in self-defence must be done
in accordance with international law and must reach a high threshold of
certainty.[17] The digital forensic
evidence collected should certainly be shared with other nations’ CERT teams
for peer review to avoid confirmation bias. While cyber attacks can be traced
to infrastructure located within another state’s borders, that fact alone is
not enough to justify a counter-attack. Other possibilities such as the remote
control of servers in another state must also be ruled out.[18]
Even if the server used was connected to another state’s
government network, “it is not sufficient evidence for attributing the
operation to that State.”[19]
With respect to the technical challenges of
attribution, it is important to note that the advance planning for a computer
network attack of this magnitude would involve multiple servers across multiple
countries. The attackers would likely also be careful to set up one or more
shell businesses with corresponding servers in nations other than their own so
that, even if an IP-address could be traced back through multiple hops, its
originating source would still not be located in the state that planned and executed
the attack. This type of operational security is used by at least one
industrial espionage group in China, according to the FBI.[20]
Unfortunately, the rapid adoption of
insecure technologies running critical infrastructure will not be stopped. As
the world becomes more digitally connected, it also becomes easier for
adversaries to cross physical, financial, and technological barriers that
historically have made it difficult or impossible to cause harm in an anonymous
manner. However, in today’s global economy, it is highly unlikely that any
developed country in the G8 or G20 would attempt to take
down another nation’s banking, power, or transportation system because it would
serve more as a collective punishment than anything else.
The most likely adversary responsible for a covert
attack against those critical systems is an extremist group (religious,
political, or anarchist), and the best way to learn which of those groups may
have been responsible post-attack is to already have in place a long-term counter-intelligence
campaign of infiltration and the development of trusted contacts with access.
This cannot be done virtually or from behind a computer. Rather, those
intelligence agencies that have yet to devote the bulk of their budget to
signals capabilities may be best positioned to tackle the problem of
attribution. They understand the need to continue to fund and even expand human
intelligence – this is still vital, despite the fact that we are living in the
age of Facebook, Twitter and Instagram.