Idolizing Attribution
Beauty is in the eye of the beholder, and perhaps, too, are cyber privacy and security.
Following cybersecurity coverage by the American media, and it's clear who are the "bad guys" and the "good guys." The media have given lots of coverage to hacks on Google and our military systems believed to emanate from China. Similarly, Russians are blamed for attacks on Georgian and Estonian government IT systems. Still, elsewhere in the world, the United States is viewed as warily as China and Russia, if not more so.
China and Russia - just like we Americans - claim they're among the cyber casualties, too.
"China has become one of the major victims, suffering huge losses."
That's the assertion of Liu Zhengrong, deputy director-general of the Internet Affairs Bureau in China's State Council Information Office, made at this week's global cybersecurity conference in Dallas sponsored by the think tank, EastWest Institute. Liu, according to a report in the Dallas Morning News, estimates cybercrime losses top $1 billion a year in China.
The conference has attracted leaders from the United States, Russia, China, India and more than 30 other nations to address common cybersecurity challenges, including seeking ideas to craft ways to determine who is accessing servers stealthily. Attendees agree that the key component to limit these kinds of attacks is attribution, the ability to attribute - or identify - those who sneak into IT systems.
Here's how Michael Dell, chief executive officer of PC and server maker Dell characterized the current environment:
"We have an enormous number of bad actors who are able to be completely anonymous. Can you think of any secure system where people can operate anonymously?"
Indeed, the Internet is architected to allow anonymity. One proposal offered at the conference is to create a two-tiered Internet, one in which people can communicate incognito and another where the identity of those making a transaction are identified. Supposedly, critical government and business IT systems would require those accessing their systems to be identified. That's how business is transacted in government and the private sector in the real world, said Kamlesh Bajaj, chief executive officer of the Data Security Council of India. Otherwise, as retired U.S. Army Lt. Gen. Harry Raduege, the onetime director of the Defense Information Systems Agency observed:
"If you want to work in the Wild West, you can be anonymous. But if you want to interact and conduct business, you need authentication."
Attribution, if employed properly, would provide forensic evidence on those trying to hack into a system, sorely needed proof if one nation is to challenge its adversary. Said Raduege:
"You need to be able to define who you're declaring a war on."
But could the same technology that could make attribution a reality be used to identify dissidents expressing their beliefs on the Internet? As Liu said:
"When you're speaking on the Internet, you must abide by laws."
And, a cautionary note was voiced by Andrei Korotkov of the Moscow State Institute of Foreign Affairs:
"How much privacy are you ready to delegate to the government?"
Again, we're faced with the challenge of balancing security with privacy, which adds one more bit of complexity to resolving attribution, and shows that the beauty of cyber privacy and security can mean different things to different people.
Unless otherwise cited, direct quotations for this entry were provided by the EastWest Institute.