Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Whodunit? In cybercrime, attribution is not easy

Taylor Armerding | Feb. 10, 2015
"Whodunit" is essential to solving crimes. You can't make an arrest or prosecute a crime if you don't even know who committed it.

Carr contends that it is a matter of scale. He agrees in part with Stewart that security may be poor, but only for, "low-level attackers or amateurs." On a larger scale, he agrees with McGraw. Those weaknesses, he said, "don't apply to foreign intelligence services or professional mercenary hackers."

The debate on attribution has heated up again in the wake of the hack last fall of Sony Pictures Entertainment, which both FBI Director James Comey and Admiral Michael Rogers, director of the NSA, attributed to the Democratic Republic of North Korea. Comey went so far as to say that the "entire intelligence community" shared his confidence in that attribution.

Perhaps within government, but the view is not unanimous in the private sector.

In a recent podcast debate Baker hosted on attribution, that included both Rid and Carr, Rid argued that the U.S. got it right, and that outside critics need to acknowledge the reality that U.S. intelligence agencies have much more access to other countries' cyber infrastructure than they can publicly admit.

"An intelligence agency, especially a well-resourced and powerful intelligence agency like the NSA, will have more visibility into this space than any private company," he said. "That's just a fact of life."

To Carr's argument that other nation states hostile to the U.S. could be "spoofing" the origin of the attack, or that even an ally like South Korea might not be providing accurate information, Stewart responded that the NSA doesn't take anything at face value.

"Of course the NSA knows people may be lying to them," he said. "That's Tradecraft 101. The question is how do we verify, based on other info, what they're saying to each other and to other sources."

Joel Harding, a retired military intelligence officer and now a consultant on information operations, said he thinks, "attribution has improved tremendously. We have much better analytical tools for identifying code, techniques, unique exploits and signatures. We have better collaborative environments and education for the analysts from more experienced analysts and far greater cross-fertilization between analytical programs," he said.

But he agrees that the Sony attribution, coming only days after the intrusion was discovered, was "highly suspicious."

And critics like McGraw don't buy the argument that government has much better access to cyber intelligence than the private sector. "That's just BS," he said, noting past U.S. intelligence failures like the claim of weapons of mass destruction in Iraq. "Everybody likes to pretend they're more important than they really are," he said.

Rogers, writing on his personal blog, also remained skeptical, noting that leaked information from U.S. intelligence agencies claimed evidence had been gathered from North Korean networks that had been compromised by multiple parties.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.