When any cyber attack is publicly revealed, one of the first questions asked is, ‘Who did it?’
In an environment where skilled coders go out of their way to hide their tracks, attribution is more art than science.
Yet if governments want to prevent an outbreak of global cyber war, attributing nation-state attacks so the perpetrators can be publicly named and shamed is vital.
However, today attribution is largely in the hands of IT companies, who use the research partly to push their brands, and governments, who can’t reveal their sources or techniques.
At the RightsCon conference in Toronto on Thursday, Ron Deibert, the head of the University of Toronto’s Citizen Lab, one of the oldest public cyber investigation units, said there shouldn’t be one body doing the work. Instead he called for universities to form a global network of researchers dedicated to attributing nation-state attacks.
“Ideally there should be many, many organizations doing the work that and others are doing,” said Ron Deibert. “It should be distributed, peer-reviewed, reproducible transparent research.”
What he called an “association of attribution” would have to be independent of states and companies, but also co-operate with them. For example, Citizen Lab uses data from security vendors and Internet providers, who he said have great network visibility. And the association would have to disclose to a company any IT vulnerabilities it finds during an investigation.
The association would also have to have some relationship with governments, he added, who have the legal authority to prosecute crime.
Citizen Lab is part of the University of Toronto’s Munk School of Global Affairs and focuses on the study of digital threats to civil society groups. Its earliest research was the unveiling in 2009 of what it called the GhostNet spy network based in China that has infected more than 1,295 computers in 103 countries.
Last month it accused a Canadian-based company of allowing its technology to be used by countries for questionable practices against residents.
One of the reasons Deibert suggests universities be the hub of an attribution network is that these institutions have traditionally stood for protecting knowledge.
But it is not without risk to academics.
“We’ve received death threats,” he said in an interview. “We uncover bad behaviour by companies that are litigious, we’ve been sued. We’ve exposed cyber espionage from some of the world’s worst actors, authoritarian regimes, there’s risk to us traveling to those countries.” And he admitted that universities are risk-averse.
But he said these are problems that have to be addressed. Deibert has spoken to other universities about the network, but said it’s “years” away from being realized.
He was speaking on a RightsCon panel on creating an independent attribution body. The idea isn’t new. In 2014, as part of suggested proposals to build confidence between nations over cyber space, the Atlantic Council called for a body to conduct joint international investigations into major cyber incidents to determine responsibility and punishment.
The issue caught headlines last year when Microsoft president Brad Smith called for the creation of a “Digital Geneva Convention” to lower the heat of state-sponsored cyber attacks. An independent attribution agency is part of the idea.
Also on the RightsCon panel was Kaja Ciglic, Microsoft’s director of cyber security policy and strategy, who is working on the concept. There are more problems than merely deciding if an attribution body should be part of the United Nations, have nation-state members or be a private agency, she said.
No common framework
To start, security vendors and researchers don’t have a common framework for the sometimes bizarre names they stick on suspected threat actors or attacks (Zinc, Lazarus, Fancy Bear, Reaper …) or for deciding what data should be trusted and evaluated, let alone for their different ways of attributing an attack. So, she said, part of the industry discussion on creating an attribution body also has to talk about such technical issues.
She also noted that attribution is made harder because some countries use non-state groups (sometimes criminals) to disguise their attacks.
Panelist Deborah Brown, global policy advocacy lead at the Association for Progressive Communications, which works on Internet governance, said a respected attribution body would do a lot to encourage responsible behaviour in cyber space. It would also level the field for small countries that can’t afford to engage in cyber war, she added.
Brenden Kuerbis, an expert on attribution issues with the Internet Governance Project at Georgia Tech’s school of public policy, looked at Deibert’s proposal with “cautious optimism.” There’s a lot of threat information sharing now between cyber security companies, he pointed out, so working together on attribution shouldn’t be insurmountable.
There is a science to digital forensics, and technical expertise is required for attribution, noted moderator Milton Mueller of Georgia Tech’s school of public policy and a principal at the Internet Governance Project, “but fundamentally it’s about credibility and about making an authoritative attribution.”