Tuesday, February 26, 2013

Who Spilt the Milk? The Importance of Attribution

This article was originally posted in November of 2012 at 10GbE.net.


As parents, the moment we hear a glass of milk bounce off the floor we're conditioned to assign blame and, if necessary, mete out punishment. In the real world, attribution for a kinetic attack has become much easier given our satellite, ground & ocean sensor networks, and forensic sciences. Today, determining who launched an air strike, fired off a missile or attacked an embassy can often be resolved in hours or, worst case, days. In the world of cyberspace the exact opposite is true. Furthermore, even if a nation could unequivocally attribute an attack, international case law for cyber warfare doesn't exist, so justifying a counter strike, cyber or kinetic, is uncharted territory.

Many techniques and tools exist to intentionally obfuscate the source of an attack. Furthermore, the most sophisticated assaults are designed to morph with each stage of the deployment so the strategy itself is also hidden. This can be done many ways, but the intent is always the same: to further mask the original target and the method of the offensive attack. That way, when the forensic computer scientists come knocking, all they will find are empty cyber shell casings of the most generic type, devoid of any usable digital fingerprints. If there are clues, it's very likely those were planted to frame a believable third party so that retribution will result in a secondary attack, perhaps on the actual intended target. Suppose you whack the biggest bully in school on the back of the head, and your friend quickly assigns blame to your enemy, who also just happens to be standing there. Now you know the bully will deliver a far more destructive attack than you ever could, so why wouldn't you leverage such a strategy? If it's executed properly, only you and your buddy will ever really know what happened.

Why is attribution important? Because the US and other countries have publicly stated that, given the void of international cyber warfare case law, a significant attack in cyberspace will be met with a declaration of war. Attacking nations of the world have been put on notice to expect both a kinetic and a cyber response. Not responding will be seen as a sign of weakness. So what does a country do when attribution is murky or impossible? Are they justified in launching their own covert, stealthy cyber attack?
