Who did it? Attribution challenges in the cyber space

Attribution is pivotal because it allows us to punish bad actors

Soma Tah

BANGALORE, INDIA: 2015 saw campaigns from state-enabled actors, including the groups responsible for gaining unauthorized access to health care organizations and stealing personal information on millions of customers and employees.


Many people point to companies victimized by cyber attacks, seeking to hold them accountable for not doing enough to protect intellectual property, consumer data, or other assets. And some people recognize that not enough attention is being paid to identifying the attackers and bringing risks and consequences to bear on them – indeed recognizing that victim organizations have suffered a crime.

All nations are struggling to determine how good cyber defense needs to be within the wide range of industries in the private sector. As nations recognize that much of the private and public sectors are not prepared to prevent or detect sophisticated attacks, they are exploring ways to establish and enforce behaviors.

However, this path may raise privacy issues, which could become a part of the information sharing dialogue. There is a clear need to establish and promote clear standards with policy makers, customers, partners, and the general public to ensure responsible business practices align with that goal across the industry.


To say that attribution is pivotal because it allows us to punish bad actors is the obvious answer. The ability to identify these actors with regularity should also bring forth an environment that will deter would-be cyber attackers. Deterrence is essential in today’s cyber world, said Kevin Mandia, President of FireEye, and that deterrence will simply not be effective without attribution – without finding those responsible.

“Nations are already expressing their determination to take these kinds of steps,” Mandia says. “If a country says it will respond proportionately to cyber attacks against its infrastructure, and that it would consider non-cyber means to deter cyber attacks, then a declaration has been made and it needs to be backed up. Therefore, attribution better be right.”

Getting attribution right is no simple task, Mandia admits. He says threat actors are particularly tough to identify because most attacks are coming from outside the country – or through countries with poorly regulated infrastructures – and in those instances it is up to the respective government to identify the cyber criminals.


This is where international cooperation becomes essential. Governments working together and sharing access to transaction logs can aid in identifying threat actors, and as the process develops, improved technical infrastructure will only expedite accurate attribution, Mandia says.

Another benefit to attribution is that it can have a huge impact on the circumstances a breached company will have to endure, Mandia says. There may be a big difference between a state-sponsored adversary and the stereotypical “hacker in a basement.” Threats nowadays have the potential to be exceptionally complicated and stealthy when conducted by the right type of actor.

Mandia says he knows that if an advanced attacker targets a company, a breach is inevitable. He says that most victim organizations should not be expected to withstand, for example, a military cyber attack, and that the government should stand behind the company in that instance.

“I am not comfortable deeming any organization irresponsible when it suffers from a military cyber attack,” Mandia says. “It does not seem reasonable to expect the majority of the private sector to defend itself from military cyber attacks. We do not expect a homeowner to prevent a military unit from breaking into their bedrooms, so why should we expect companies to prevent or detect similar attacks in cyberspace?”
