This question is the foundation of mystery TV shows and films, and of many criminal prosecutions. And, as it turns out, it may be the most important cybersecurity question of the next decade.
Say North Korea attacks Sony or Russia attempts to hack our elections. A proportional U.S. cyber response may be lawful under applicable principles of international law if, but only if, North Korea or Russia actually committed the act and, in some cases, the U.S. can prove it, at the United Nations, at NATO, or in the court of public opinion.
Being able to prove in court the identity of an attacker is becoming increasingly important to companies as well. Companies are seeking court approval to gather evidence and shut down cyberattacks in order to protect their customers. As discussed below, Congress likely will grant additional legal authority for internet service providers, software and service providers, and others to respond more aggressively to cyberattacks. Such responses may be appropriate and lawful if, but only if, there is sufficient evidence to demonstrate the identity of the attacker and that the response will only affect that attacker. A responder unable to do this risks significant legal penalties, potentially including criminal conviction.
It’s called the “attribution problem” and it is arguably the most important and difficult challenge in cybersecurity for the coming decade. It affects nations and private companies alike. An example will help to illustrate the problem.
In May 2017, remarks attributed to the Emir of Qatar appeared on the country’s state-run news agency, calling Iran an “Islamic Power” and saying that Qatar’s relations with Israel were “good,” both statements calculated to inflame sentiment in the Sunni Arab world against Qatar. These words, among other things, set off the worst diplomatic crisis in the Persian Gulf in decades. The diplomatic and economic blockade of Qatar by its neighbors has huge geopolitical and security implications. Qatar is home to the largest U.S. military base in the region and is the world’s largest exporter of liquefied natural gas. In the worst case for the United States, the anti-ISIS coalition could collapse and, potentially, a kinetic war could break out in the region. Though apparently unrelated, the recent Yemeni ballistic missile launch at Saudi Arabia shows that such an escalation is far from hypothetical.
The Emir’s remarks were inflammatory and blasphemous in some circles and incited a major diplomatic crisis. But they never really happened. Qatar was hacked and the false statements placed on an official state website. But Whodunnit?
On June 7 U.S. officials reportedly believed that “Russian hackers” perpetrated the hack and disinformation in order to cause a divide between the U.S. and its regional allies. This conclusion was wrong. Next, Qatar claimed the FBI had concluded that, while the attacks originated in Russia, they were the work of freelance hackers possibly hired by Saudi Arabia or the United Arab Emirates (UAE). Finally, a July 16 Washington Post report concluded, “according to U.S. intelligence officials,” that the UAE government “carried out the hacks itself or contracted to have them done.” The ongoing blockade and diplomatic crisis is the most recent, and one of the most serious, examples of cyberattacks having serious real-world effects.
It’s not the first and it won’t be the last, or likely the worst, of such incidents. A diplomatic and economic blockade is one step short of a military blockade, which is one step short of war. What if this had been the United States and Russia instead of two relatively minor Middle-Eastern powers?
So, what is the attribution problem? For present purposes, the problem has four mutually reinforcing components:
- It is extremely difficult, with current technology, to conclusively and provably determine the country or party responsible for a cyberattack, particularly given that any competent adversary has a full bag of tricks to obfuscate their identity;
- As indicated in the Qatar example, even once you determine the country from which an attack originated, it often is still difficult to provably assign responsibility to a particular individual, group, or government;
- Because most attacks cross one or many borders, it is nearly impossible, using current methods, to prove attribution without the cooperation of the U.S. and one or more other governments; and
- Most methods of improving the accuracy and evidentiary certainty of attribution are illegal under the Computer Fraud & Abuse Act (CFAA) and other current U.S. law.
Enter the bipartisan “Active Cyber Defense Certainty Act” of 2017. This proposed law, which has spawned significant controversy, would amend the CFAA, the primary U.S. anti-hacking law, to give companies greater legal authority to locate stolen data, attribute attacks and, under some circumstances, reach into an adversary’s network to seek out and destroy stolen data.
When some version of this bill becomes law, it will bring the attribution problem from the realm of nation states into the boardroom, dramatically raising the stakes for companies that take advantage of the new authorities but get attribution wrong. This is because the law immunizes companies, under certain circumstances, from criminal liability, but not from potentially huge money damages if they make a mistake.
So, how can we increase the ability to accurately assess and prove, using unclassified information that can be publicly cited, responsibility for cyberattacks? And equally important, how do we do so without unduly impinging on individual privacy? Developing the technology to strike this balance likely will be a generational challenge. That said, there are several necessary starting points.
First, the U.S. legal community, and then the global legal community, need to agree on standards and levels of proof for attribution: in the realm of international law; under U.S. criminal and civil law; and even vis-a-vis high-school and college cyberstalking and bullying. Second, the academic and research communities need to create and evaluate more multidisciplinary and data science-driven approaches to provably identifying cyberattacks. For instance, UC Irvine’s Cybersecurity Policy & Research Institute is beginning to address both of those challenges. Finally, because many sophisticated adversaries use hijacked corporate and individual computers to power and obfuscate their attacks, all of us, from Fortune 100 company Chief Information Security Officers to each PC and Mac owner, can help improve attribution simply by making it more difficult for bad actors to take over our machines to enable attacks and hide their identities. In this way, each of us can add to our collective self-defense.
Bryan Cunningham is the first Executive Director of UCI’s multidisciplinary Cybersecurity Policy & Research Institute, focused on solution-oriented strategies to address technical, legal and policy challenges to combat cyber threats, protect individual privacy and civil liberties, maintain public safety and economic and national security, and empower Americans to take better control of their digital security. He is a cybersecurity and privacy lawyer, former Deputy Legal Adviser to then-National Security Advisor Condoleezza Rice, and a career CIA officer and federal prosecutor.