Attribution: Cure Worse Than the Illness?
Technology to Ferret Adversaries Also Exposes Political Dissidents
"If you have a purist view of attribution ... it is extremely difficult technologically to guarantee you know who human person is on the end," Edward Giorgio, president of IT security services provider Ponte Technologies and onetime chief code maker and code breaker at the National Security Agency, told the House Science and Technology Subcommittee on Technology and Innovation. "But that doesn't mean that some attack attribution technology wouldn't give us lots of information which could be used for other purpose, such as shutting down the computer at the other end, independent on who's on it."
Many attribution techniques require prepositioning of technologies along the network. "You can't wake up in the morning and say, 'I'd like to know where this attack came from,'" David Wheeler, a researcher at the Institute of Defense Analyses, a not-for-profit corporation that operates three federally funded research and development centers, told lawmakers. In his prepared testimony, Wheeler addressed the big challenge in prepositioning: "To be effective, many attribution techniques require some sort of cooperation by networks along the path from the attacker to the victim. Gaining such trust, unfortunately, can be very difficult. Even when trust is gained, convincing others to implement attribution tools can be a significant challenge."
Should attribution identify the virtual assailant, another witness said it raises a daunting challenge: how to respond. "We don't lack attribution; we lack response options," said Robert Knake, international affairs fellow in residence at the think tank Council on Foreign Relations. "We don't know what we should do when we discover that the Chinese have hacked into Google and 30 other countries. We seem to have very good evidence that they did that; we traced the attack back. We then asked for explanation, but we have not received it. I'm not sure how better attribution one further layer down would help resolve that problem. Similarly, with French intelligence or Russian criminals or Nigerian scammers, we know their national origin. We simply lack response options and a mechanism for cooperating and requiring cooperation internationally."
Knake said too many people put too much faith in iron-clad attribution in real time, which he characterized as the Holy Grail. The expense to create a so-called license plate for the Internet, which would label all packets with unique identifiers tied to an individual user, would unlikely be worth the investment.
Citing analysts who studied foreign governments and private groups, Knake said no more than 100 groups and possibly four or fewer militaries possess the capabilities to cause significant harm through cyber attacks. "While technical attribution may provide only limited evidence of who is behind the attack, traditional intelligence and law enforcement investigation can make up the difference," Knake said. "I have no doubt that in the event of a the so-called cyber Pearl Harbor, cyber 9/11 or cyber Katrina that we will be able to amass enough evidence for the president to take action."
Whether attribution works as a cyber defender, the technologies aimed at ferreting out adversaries and criminals also could expose political dissidents and whistleblowers. This point was emphasized during a discussion about services that provide online pseudonyms, in which Internet users can conceal their public identity. Though it furnishes elements of anonymity, it's not true anonymity; a government or court could compel an Internet service provider to reveal an individual's identity.
"That's the hard problem," said Marc Rotenberg, president of the Electronic Privacy Information Center, a public interest research group. "True anonymity, which we think is important, will protect the political dissident in a country hostile to that person's views, and may, in fact, imprison the person if his identity is known. Pure anonymity will also protect the pedophile who's trying to distribute images on the Internet and should be prosecuted and imprisoned. It's not a simple problem."
