Sunday, July 18, 2010

The Future of Cyber Attack Attribution

On July 15th, the US House of Representatives' Committee on Science and Technology's Subcommittee on Technology & Innovation held a hearing called Planning for the Future of Cyber Attack Attribution.

I was drawn to the topic, having a great deal of experience with the puzzles of finding bad guys on the Internet who badly need to spend some time deprived of freedom as a consequence for their actions. Unfortunately, the hearings really stressed the problem that using technology to make attribution certain creates human rights issues around the globe. Conversely, the creation of privacy tools can grant bullet-proof privacy to child pornographers, terrorists, and cyber criminals.

Finding almost no mention of this hearing in any media source, I wanted to at least give a brief outline of what happened.

Chairman David Wu, an advocate for cybersecurity, and co-author of the excellent Cybersecurity Enhancement Act of 2010, made the Opening Statement to kick off the hearings, putting this hearing in context in the overall series of hearings on cyber threats that have been held over the past two years. Wu said that "Now more than ever, we need to be focused on the development of tools and technologies to prevent, detect, and respond to cyber attacks." Wu went on to say that one method of deterrence, the focus of the hearings on this day, was "the ability to attribute an attack to a particular person, party, or system" and that this could be "vital to defending against cyber attack." The desire for attribution though was tempered by a reminder that Chairman Wu was "personally very concerned about the potential implications to privacy and internet freedom posed by attribution technologies."

Mr. Wu had to apologize for the lack of attendance by his committee, but assured the panelists that the full committee will have read their written testimony, although at least one attending member admitted he had "browsed through" their testimony and "read some of it." It seems that only seven Congressmen were able to attend.

Each of the four witnesses below had been given four questions to answer in their written testimony:

Q1: As has been stated by many experts, deterrence is a productive way to prevent physical attacks. How can attack attribution play a role in deterring cyber attacks?

Q2: What are the proper roles of both the government and private industry in developing and improving attack attribution capabilities? What R&D is needed to address capability gaps in attack attribution and who should be responsible for completing that R&D?

Q3: What are the distinguishing factors between anonymity and privacy? How should we account for both in the development and use of attribution technologies?

Q4: Is there a need for standards in the development and implementation of attack attribution technologies? Is there a specific need for privacy standards and if so, what should be the government’s role in the development of these standards?

The video of the spoken testimony and Q&A is available. I encourage interested parties to avail themselves of the video and the written testimony. The notes below are my personal "sketchy" notes as I tried to reduce an hour of video and 150 pages or so of testimony into a blog entry.

The witnesses for the hearing were each given five minutes to make an opening statement. I took a few notes below, but would again recommend interested parties to the originals:

Dr. David A. Wheeler

- the Institute for Defense Analyses: Information Technology and Systems Division - I have to say that Wheeler's written "testimony" was quite disappointing. Introduced into a Senate hearing in 2010 is Wheeler's 85 page DARPA paper for the "Defense-Wide Information Assurance Program" called "Techniques for Cyber Attack Attribution", which was an excellent, thorough, and timely report when it was authored in October of 2003. While it does provide a nice framework for possible forms of attribution, the paper is about fifty years old in "Internet years", making the relevance of much of the paper questionable. It was the only one of the four responses that actually talked about what could be done technologically with attribution, but most of the papers cited as references are from the late 90s or early 2000s, including things like Staniford-Chen's work from 1995, Stefan Savage's work from 2000 on "IP Network Traceback", and Jelena Mirkovic and Dave Dittrich writing about DDoS attacks in 2001. Good stuff, but quite dated.

The paper in fact specifically excuses itself from addressing nearly every modern form of cyber attack when it declares (p. 20 of the testimony):

This paper does not cover identifying or locating people who are not DIRECTLY ATTACKING the defender.

So, if they are attacking via a botnet, via a proxy, or via malware already installed in the attacking organization, this paper doesn't address any of that. It also excludes social engineering and the question of HOW an attacker attacked. Another useful feature of this particular "testimony" is that most of the URLs referenced in the paper don't work. Nice.

Dr. Wheeler began his spoken testimony by cautioning about Fourth Amendment protection from "unreasonable search". One point he made was that if we cannot make attribution, then there is no chance of making a successful counter-attack, either over the network or using a "kinetic attack."

Mr. Robert Knake

- International Affairs Fellow at the Council on Foreign Relations. Mr. Knake started his spoken testimony by saying that the problem of attribution is "largely overstated", and went on to say that no more than 100 groups, and possibly as few as FOUR possess the capability to cause "real world" harm through cyber attacks.

Knake suggests that labeling all packets with a so-called "Internet license plate" would be more useful to authoritarian regimes for denying their citizens any anonymity or freedom of speech, while criminals would probably find a way to work around these identifying mechanisms. He also gives the current example from China that even when we positively identify the attacking system, the owner of the system, or in this case the Chinese government, can say that while the attack traffic originated on that system, it was probably a case of that system having poor security itself and being used as a proxy. Because of our inability to overcome these doubts, attribution will likely never reach a level where a kinetic counter-attack can be justified.

Mr. Knake's Written Testimony contained one fairly interesting graphic, which I share here:

Mr. Knake's written testimony asks three main questions:

- what degree of certainty in attribution is necessary to take action?
- what would that action look like?
- how will we make potential adversaries understand the answer to those questions - because if they don't understand, they will not be deterred!

He goes on to discuss espionage, crime, terrorism, and the fact that you can't actually LEGISLATE this successfully, mentioning that the CAN-SPAM act made it a law that email marketers are required to "attribute" emails to themselves, yet 9 of every 10 emails on the Internet do not do so!

Mr. Ed Giorgio

- President and Co-Founder of Ponte Technologies - Mr. Giorgio's testimony spoke of the need for Internet users to be allowed to create as many identities as they like, with some certificates positively identifying the real user, while other certificates guaranteed their anonymity or privacy. Mr. Giorgio said that a "trusted third party" would have to take the role of assigning these certificates, as government had so far not demonstrated the capability to do so in a trustworthy manner.

Mr. Giorgio's Written Testimony specifically mentions a number of threats:
whether it is the Chinese stealing our American innovations to produce less expensive versions, the Russians engaging in financial crimes, the Israelis stealing our political intentions, the French stealing our competition-sensitive materials, the Nigerians conning our elderly, and so on.

He then goes on to mention that reference to foreign threats has been used in the past to justify "gross violations of domestic civil liberties" and warns that we must be cautious in this area of "dangerous constitutional grounds."

After answering the four questions, stressing the fear of government control, in an Appendix, Mr. Giorgio describes a "New Privacy Standards Framework". Remember "Alice and Bob" from crypto talks? In the new Privacy Standard we have a buyer, Bob, and a search agent, Goliath. Could Goliath = Google, Mr. Giorgio? The Framework was an interesting read, although it actually answered the opposite of what the committee was asking. It answers "how can individuals have their privacy protected?" when the question at hand was "how can we attribute attack traffic to its origins?"

Mr. Marc Rotenberg

- President of the Electronic Privacy Information Center - spoke of the fact that China has the most rigorous attribution capabilities, including a requirement that Internet users provide their true names, email addresses, and a list of news sources from which they receive information. Chinese ISPs are required to keep logs of all their activities, and cyber cafes are required to log the activities of all users within their cafe for sixty days. ".cn" domain owners have to provide both their real name and a photograph to create a domain name. "There is a real risk that attribution techniques will be used not for purposes of cyber security but in ways that have a real impact on human rights and freedom of expression. What attribution also does is make people think twice before saying something controversial. In the United States we have a strong constitutional right to speak anonymously," which Rotenberg says came from the use of anonymity in the publication of the Federalist Papers by our founding fathers.

I have to say that Mr. Rotenberg's written testimony was extremely well researched and had a fantastic list of eighty very current references, especially with great insights into China's censorship and monitoring activities. I found myself reading quite a few great papers that I hadn't seen previously as I followed the excellent footnotes prepared by EPIC's legal staff.

Mr. Wu began the Q&A by saying that "as is often the case, when there are two flies flying in the Grand Canyon, they collide," apologizing that he had to go vote on another committee and would have to leave his own hearing. He also greeted "Russia Today" who was covering the committee hearings despite the absence of interest from American media.

Question from Chairman Wu: The role of Deterrence and Attribution may be over-stated. Comments?

Mr. Rotenberg - for non-state actors, attribution outside the US would be very difficult, and response may be very difficult for reasons of national sovereignty.

Mr. Giorgio mentions that even if we can't identify the PERSON at the keyboard, it is often enough to be able to block the COMPUTER at the other end in order to disrupt an attack.

Dr. Wheeler mentions that there is value to attribution, but there are serious limitations to attribution including delayed and intermediary attacks. Attribution should only be part of a larger strategy.

Mr. Knake - our strategy for preventing terrorism in the USA focuses on prevention, protection, and resiliency rather than deterring particular cyber actors. In many cases we do not lack attribution, we lack response options. Even when we know who the attacker is, we are limited in our ability to act. Whether they are Chinese national actors, Russian cyber criminals, or Nigerian scammers, knowing the identity of the attacker does not actually assist in having a means of acting.

Question from Chairman Wu - specifically to Mr. Giorgio - if we built attribution into the backbone of the Internet, we would be limiting privacy options.

All panelists agreed that anonymity was important. One speaker talked about the current noise about Blizzard requiring true identities for World of Warcraft players. Mr. Knake talks about the need for the government to actually step in and require Internet companies to disclose how they use personally identifiable information in the form of cookies and other information to target the internet user with customized advertising.

Ranking Member Smith asked the question "What are our current methods of being able to trace attacks?"

Dr. Wheeler mentions that there are many ways of doing so (in his written testimony, he had 17 categories of methods of identifying an attacker, and he states that surely there are more since then.)

Congressman Chris Smith then asked "if attribution is futile, what are our other methods to defend ourselves?"

Congresswoman Donna Edwards asked about the balance between Privacy and Attribution, specifically asking about internet cookies.

Congressman Dana Rohrabacher asked about the capability for "automatic counter attack" to be developed, and was warned off the subject by multiple replies, which noted that some forms of attack may actually be generated specifically to cause MIS-attribution, in the hope that a counter attack will be launched against a wrongful target.

In response to another question from Mr. Rohrabacher, Mr. Knake went back to a point that was well-articulated in his written testimony. He gave the example of the Taliban in Afghanistan, and pointed out that the warning we gave the Taliban after 9/11 was that if terrorist activities occurred from their soil, we would hold them responsible for refusing to cooperate with identifying and bringing to justice the criminals and terrorists they were protecting. In a similar way, Mr. Knake suggests that we have to hold foreign countries responsible when they thwart our abilities to identify various forms of cyber attackers in their countries.

Congresswoman Edwards then asked about the creation and establishment of new standards that would assist with attribution.

Mr. Wu returned to his committee, and immediately cautioned that there were only seven more minutes before they had to adjourn for a floor vote. I really felt sorry for the panelists to see that there was so little time afforded to this very important topic.

Mr. Wu mentioned several questions that he hoped could be addressed in writing in the future, especially what role International committees, treaties, and standards may play in defining what is an attack, and how attacks should be responded to.
