Whodunit? In cybercrime, attribution is not easy

Taylor Armerding | Feb. 10, 2015
"Whodunit" is essential to solving crimes. You can't make an arrest or prosecute a crime if you don't even know who committed it.

That makes "attribution" one of the major challenges of law enforcement. But while identifying perpetrators is difficult enough in the physical world, it is even tougher in the cyber world, where the ways for perpetrators to cover their tracks or make it look like a breach was committed by someone else are both sophisticated and practically limitless.

Even experts who argue that credible attribution is possible don't claim it is easy or quick.

But the debate over whether it is even possible in any meaningful way continues to rage.

On one side are experts like Stewart Baker, a partner at the law firm Steptoe & Johnson who has also held high-level positions at both the National Security Agency (NSA) and Department of Homeland Security (DHS), whose only partially tongue-in-cheek "Baker's Law" has been, "Our security sucks. But so does theirs."

In other words, Baker's more serious argument, which he has made for years, is that attribution of cybercrimes ranging from theft to espionage is well within reach of the good guys because, "the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies."

He is joined in that view by academics like Thomas Rid, professor of Security Studies at King's College London, coauthor of the recent paper, "Attributing Cyber Attacks."

In it, Rid and coauthor Ben Buchanan argue that attribution is not so much a black-and-white issue that is either solvable or not, but a more nuanced process that in large measure "depends on what states make of it," and "minimizing uncertainty."

On the other side are high-profile skeptics like Gary McGraw, CTO of Cigital; Bruce Schneier, CTO of Co3 Systems; Jeffrey Carr, president and CEO of Taia Global; and Marc Rogers, principal security researcher at CloudFlare.

McGraw has argued for years that while attribution is not impossible, it is close to it without credible human intelligence. "And people are unbelievably slow compared to computers," he said.

According to McGraw, there is a big difference between identifying a machine and identifying who controls it.

"You can compromise a box where one of those machines is installed, and find out a lot about that machine," he said. "But the question is: Who is running the machine? There's no blood or DNA mapping going on. If you're a nation-state-level attacker and want an adversary to believe that another nation state is doing it, there is nothing that can stop that."
