Attribution: An impossible/inconvenient task or a way to get an APT off one’s back?

Recently on the SCADASEC list there have been discussions of reports of cyber attacks on the critical infrastructures of other states, with the naming of the state that is responsible. Some say attribution of responsibility is far less important than actually investigating what happened and applying the lessons learned where appropriate. This latter approach is a must, but the former is no less important, at least as a means for the defender to get the sophisticated attacker to realise that the price for attacking is getting high and that it would be wiser to back off.

Effective defense, however, means a little more, and I would like to expand on this.

For one, having an attribution capability is the defender's friend. No matter how much engineering and cyber know-how you have available, it will not be enough to keep you safe, especially if you are local and defending your own particular assets. If you are targeted by an Advanced Persistent Threat (APT) (and if you are lucky enough to notice in time), it is quite likely that your subsequent defensive and corrective measures will fall far short of the capabilities of an APT, an adversary that will likely view the defender's countermeasures as just another problem to solve. The APT has the time and resources to keep on going at you until the orders come to stop.

Attribution, or the capability to identify who is responsible, can be a very effective means to change the perception of the APT attacking you that this work is no longer Effective, Cheap and especially DENIABLE. The possibility to expose and embarrass a nation supporting an APT can be effective. For example, remember that Mandiant report from a few years back on the work of an APT that was located inside a big country in the Far East? After the report this particular APT paused their work and went off-line and to ground for several months in order to regroup.

Someone in a Scadasec list discussion characterised attribution as a political issue. I agree. It is also a matter of recognising a common danger and having the *WILL* to work together in an organised international manner. This has been demonstrated to work with some success in the area of cybercrime. Botnets are being brought down and perpetrators are being caught and sentenced in court for their offenses. Cybercrime is one of those areas that has had a good response: law enforcement can cooperate using several international instruments.

The most notable is the Convention on Cybercrime (Budapest Convention) http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf . About 56 countries (including the US in 2007) have signed and ratified this document ( https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=MUqHL8UZ ), which provides the legal framework for law enforcement to cooperate internationally in fighting cybercrime. This is a good match between the adversary and those trying to defend (doing it with a common will and as a group).

This arrangement works. I overuse this example, but it comes first to my head. Sven Olaf Kamphuis (of CyberBunker/Spamhaus fame) was a Dutch citizen who was apprehended in response to organising what at that time (300 Gb/s) was the largest DDoS attack in history. The key point here is that he was caught by law enforcement not in Holland but by the Spanish police force (https://www.theguardian.com/technology/2013/may/20/man-accused-breaking-the-internet ).

For example, the recent chemical weapons use in London and their reported use earlier in Syria has brought out the applicability of the Convention for the Prohibition of Chemical Weapons ( https://www.opcw.org/chemical-weapons-convention/download-the-cwc/ ).

The Chemical Weapons Convention has not completely stopped chemical weapons use, but those choosing to use them feel that they must at least be more careful. This "soft power" or "creation of a soft fear of being caught" approach has some benefits which have been internationally recognised. I call attention to the awarding of the Nobel Peace Prize "for its extensive efforts to eliminate chemical weapons" to the organisation charged with monitoring the implementation of the Convention ( https://www.nobelprize.org/nobel_prizes/peace/laureates/2013/ ).

Nothing comparable exists to address the states (some examples are listed in the NYT article; another source indicates up to 25 states now possess this capability) who are suspected of using cyber weapons/malware against the critical infrastructure of other states.

Why not propose a similar Convention for the Prohibition of Cyber Weapons used against the critical infrastructures that states rely upon for their economic activities, national security, and the well-being of society? And similarly the creation of an organisation to monitor and report on compliance? As with cybercrime, enough nations have banded together to make cooperation effective. The issue of chemical weapons is even more widely understood as a threat to all, and nearly all nations have ratified. As Klaatu said in the 1951 film, "I am not saying we have achieved perfection, but we do have a system and it works".

The attribution issue has been of great interest to me since 2011, when I participated as a co-chairman for the kick-off meetings of the OSCE's Ad Hoc Workgroup tasked with coming up with proposals for Confidence and Security Building Measures in cyberspace. I was (had to be) co-chair because Lithuania had the rotating 6-month seat as President of the OSCE. The other co-chair was from the government of a major power. I was optimistic about the possibilities offered by this group yet concerned because of the increasing amount of unsettling information about STUXNET. The gloves were coming off at the international level, and here was a chance to manage a situation that threatened to spiral out of control. Attribution was one of the important issues discussed, because if there was no attribution, nothing much would come from proposing that "in peacetime, states agree to restrain from directing malicious cyber activities at the critical infrastructure of other states".

Then, and until now, the argument is frequently used that "attribution is technically impossible to achieve" and that we should instead put our faith in applying already established international laws that address warfare to the issue of cyberspace misbehaviour by states.

I found that the strongest proponents of this position came from states which were recognised as having significant cyber offensive capability and were also suspected of employing it. They are also the first to defend decentralised forms of Internet governance, in the way that outlaws hope there will be no sheriff in town when they misbehave. This Janus-like view gives states the excuse to say that agreements for restraint will not work because there is no possibility to attribute and no one will seriously follow them. This line of thinking continues to cause states to fail to agree on cyberspace norms, as witnessed by the failure of the U.N.'s Government Group of Experts to agree on any cyberspace norms (in particular the restraint proposal mentioned above) last summer.

Since this past summer, despite all the efforts of defenders to analyse and come up with better ways to protect their assets, the adversary stays several steps ahead. The discoveries of malware and vulnerabilities affecting industrial systems, from the announcement of WannaCry to the end-of-year announcement of Hatman, have indicated that the work for the defender is only getting harder.

The days of a 0.75 cent error in an accounting program being used by a single cyber "Sherlock Holmes" to find and capture a Soviet spy in cyberspace are probably over (the book to read is "The Cuckoo's Egg" by Cliff Stoll). The scale of the problem has probably even exceeded what an ad hoc on-line group of volunteers working on different continents did in sinkholing the Conficker worm in 2008 (the book to read is "Worm" by Bowden). In both cases, even the single sleuth and the group effort needed extra outside help to succeed. In both cases governments were of little help, if any.

Today's growing threats to critical infrastructure can only be met by concerted international cooperation, which includes the establishment of attribution and monitoring capabilities that will only be achieved through information sharing and a willingness to indulge in some self-restraint and transparency. Only then will countries start to trust each other, see the advantage of working together to address the common threat (the way they did with chemical, nuclear and other weapons of mass destruction) and share the benefits of progress made toward increasing the capability to react and help each other.

I know I have said similar things in the past, but in the light of continuing reports of increasingly dangerous incidents involving cyber, critical infrastructure and probable state involvement, I hope no one minds if I raise them every now and again.

Vytautas Butrimas

About Vytautas Butrimas

NOTE: The views expressed within this blog entry are the author's and do not represent the official view of any institution or organization affiliated therewith. Vytautas Butrimas has been working in information technology and security policy for over 28 years. Mr. Butrimas has participated in several cybersecurity exercises, contributed to various international reports and trade journals, and has published numerous articles on cybersecurity and policy issues.