Attribution of malicious cyber incidents: from soup to nuts.

Author: Lin, Herbert
Position: P. 75-106 - Report

Attribution of malicious cyber activities is a deep issue about which confusion and disquiet can be found in abundance. Attribution has many aspects--technical, political, legal, policy, and so on. A number of well-researched and executed papers cover one or more of these aspects, but integration of these aspects is usually left as an exercise for the analyst. This paper distinguishes between attribution of malicious cyber activity to a machine, to a specific perpetrator (often a human being pressing the keys) initiating that activity, and to an adversary that is deemed ultimately responsible for that activity. Which type of attribution is relevant depends on the goals of the relevant decisionmaker. Further, attribution is a multi-dimensional issue that draws on all sources of information available, including technical forensics, human intelligence, signals intelligence, history, and geopolitics, among others. From the perspective of the victim, some degree of factual uncertainty attaches to any of these types of attribution, although the last type--attribution to an ultimately responsible party--also implicates to a very large degree legal, policy, and political questions. But from the perspective of the adversary, the ability to conceal its identity from the victim with high confidence is also uncertain. It is the very existence of such risk that underpins the possibility of deterring hostile actions in cyberspace.

**********

Attribution of malicious cyber activities is a deep issue, about which confusion and disquiet can be found in abundance. Attribution has many aspects, and a variety of well-researched and well-executed papers cover one or more of these aspects; these papers are referenced in the body of the paper and are called out again in the acknowledgements section. This paper tries to synthesize the best aspects of these works with some original thoughts of the author's own into a coherent picture of how attribution works, why it is both important and difficult, and how the entire process relates to policymaking.

The primary takeaway messages of this paper are that (1) attribution has a different meaning depending on what a relevant decisionmaker wants to do (i.e., attribution of malicious cyber activity can be to a machine, to a specific perpetrator (often a human being pressing the keys) initiating that activity, or to an adversary that is deemed ultimately responsible for that activity); (2) attribution is a multi-dimensional issue that draws on all sources of information available, including forensics, human intelligence, signals intelligence, history, and geopolitics, among others; (3) all attribution judgments are necessarily accompanied by some measure of uncertainty; and (4) an adversary cannot be fully confident of its ability to conceal its identity from the victim.

WHAT IS ATTRIBUTION ABOUT?

Every parent who has ever broken up a fight between two children and tried to figure out what happened has asked, "Who started this?" The question expresses our very basic concerns about responsibility for actions that lead to conflict or harm.

Concerns about responsibility for actions or for events are embedded in domestic law. A person is found on the street with a bullet through his head, and we want to know who fired the shot. Much of our criminal justice system is devoted to "fair" processes that we believe can determine the identity of that person with sufficient certainty to mete out an appropriate punishment. International law is concerned with questions of responsibility as well, especially as it relates to matters involving conflict. With a number of important (and controversial) exceptions, states are usually regarded as accountable for actions that emanate from within their borders.

Similar concerns about responsibility are also present in cyberspace, but just how they play out is often quite different, for reasons both technical and historical. Usually captured under the rubric of attribution, concerns about responsibility generally arise when a malicious cyber activity or incident is known to have happened. (1) "Who (or what) is responsible?" is then often the question of interest.

If this question cannot be answered, it may be hard for victims to mitigate ongoing harm; to do so would require the victim to be able to quickly and correctly identify the instrument or mechanism causing the harm and find a way to stop its malicious activities. Further, it would be impossible to punish the parties responsible for causing the incident. And, if punishment is impossible, deterrence of malicious activity in the future is also difficult to achieve. (2)

We begin with a working definition of a cyber incident. We recognize a cyber incident when something "bad" happens to an information technology-based system. In this context, badness involves errant behavior of the victim's computer (or a system involving a computer)--that is, the computer or system behaves in a way that it should not behave. Examples abound: the computer freezes; commands given to the computer do not have the expected result; the printer spews out paper with gibberish. (3) More serious examples of badness include: a drive-by-wire car does not slow down when the driver presses the brake pedal; the computer-controlled missile misses a target when it should have hit it; or the ATM machine at the corner bank dispenses hundreds of $20 bills onto the street.

Investigations are usually (but alas, not always) triggered by errant computer (or system) behavior. But apart from routine inspections, investigations will not occur if the errant behavior leaves behind no clues that it has occurred. Similarly, clues may be noticed only long after the precipitating actions or events have occurred, making investigations much more difficult. (4)

The first part of the investigation is determining that something "errant" has happened at all. In all of the examples above, it is pretty clear that an undesirable outcome has occurred, and the undesirability demonstrates or at least suggests a breakdown in the program's functionality. But consider the case in which a computer system (and anything that is controlled or affected by that system) produces an undesirable result or outcome that is what would be expected given the inputs. (Most people who have tried to balance a checkbook by hand, or even with a calculator, can speak to such an experience.) In such cases, it is far more likely that the result--though undesirable--is correct and inevitable because the user has provided bad inputs than it is that the program used to calculate that result is in error.

Similarly, if the missile misses its target or the car does not slow down when the driver presses the brake pedal, it is possible that a human operator aimed the missile at a shadow or the driver pressed the accelerator when he thought he pressed the brake. In such cases, it is hard to associate "errant" behavior to the computer or system per se, since the system was given the wrong input. (5) It is also possible that the errant behavior is the result of a flaw in the program, introduced by accident rather than intentionally.

Errant behavior resulting from factors other than foul play does not usually play a part in traditional attribution concerns. Attribution usually arises as a concern when an incident is determined to have resulted from foul play (i.e., intentional harm). When the determination is made that foul play was involved, what was previously a cyber incident involving errant system behavior becomes a malicious cyber incident (or, equivalently, an intrusion)--and attribution is the process by which it is determined who or what is responsible for the intrusion.

Attribution sometimes goes hand in hand with determining if a cyber incident is malicious. That is, an investigation regarding the cause of errant system behavior may (or may not) reveal it to be the deliberate and intentional action of an actor. But identification of the specific actor is not necessarily required to infer bad intention--in many cases, a particular behavior of the system is so likely to be the result of an intentional bad action that investigators presume maliciousness.

Suppose that Bill is the legitimate user of a computer in the human resources department of a large defense contracting firm. He has been putting together a spreadsheet with all of the names, addresses, email addresses, and salaries of the other employees of this firm. One day, he opens his computer to discover that the spreadsheet has been deleted from his hard drive. He reports this to IT support, which then begins an investigation. What happened? How did the file get deleted?

The IT support staff may begin by examining who had access to the file. Susan, Bill's direct supervisor, also had access to the file. Network records demonstrate that Susan's computer did access and delete the file the evening before Bill reported it missing. Susan, however, claims that she did nothing to the file. Is Susan forgetful or lying? Or was she somehow tricked into deleting the file? Or did someone else access Bill's file, pretending to be Susan?

Perhaps the investigators determine--or make an educated guess--that Susan is indeed telling the truth, and that she inadvertently deleted the file without knowing it. Who set this action in motion? In this case, misdirection is involved: on the surface, Susan appears responsible, but she did not wish for the file to be deleted and does not actually bear any meaningful responsibility for ill intent. (6)

But the IT support staff may determine that an intruder engineered this attack through Susan's computer. Attribution has two goals: to distinguish between errant behavior that is malicious and deliberate and errant behavior that is accidental, and if the former, to distinguish between intentional, real, and meaningful responsibility on one hand and apparent responsibility on the other. The latter goal focuses...
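The Bill/Susan scenario above, worked over constructed audit records as an added example (not code from the paper): it separates the machine that issued the deletion (attribution to a machine) from the session that was driving that machine (attribution to a perpetrator), which is the gap between apparent and real responsibility the paper describes. Host names, account names, addresses, the corporate address range and the event layout are all assumptions.

```python
from datetime import datetime

# Constructed audit records for the Bill/Susan scenario (sample data, not from
# the paper): one file deletion plus the logon/logoff history of the host that
# issued it. Hosts, users, addresses and timestamps are hypothetical.
EVENTS = [
    {"ts": "2016-03-01T08:59:31", "host": "HR-WS-07", "type": "logon",
     "user": "susan", "logon_type": "interactive", "src": "console"},
    {"ts": "2016-03-01T17:05:00", "host": "HR-WS-07", "type": "logoff",
     "user": "susan", "logon_type": "interactive", "src": "console"},
    {"ts": "2016-03-01T19:38:02", "host": "HR-WS-07", "type": "logon",
     "user": "susan", "logon_type": "remote_interactive", "src": "203.0.113.44"},
    {"ts": "2016-03-01T19:42:10", "host": "HR-WS-07", "type": "file_delete",
     "user": "susan", "path": "//fs1/hr/salaries.xlsx"},
]
CORP_NET = "10."  # assumption: corporate workstation addresses start with 10.


def ts(event):
    return datetime.fromisoformat(event["ts"])


def active_session(events, host, user, at):
    """Most recent logon for host/user at or before `at` with no later logoff."""
    logons = [e for e in events if e["host"] == host and e["user"] == user
              and e["type"] == "logon" and ts(e) <= at]
    for logon in sorted(logons, key=ts, reverse=True):
        ended = any(e["type"] == "logoff" and e["host"] == host
                    and e["user"] == user and e["logon_type"] == logon["logon_type"]
                    and ts(logon) < ts(e) <= at for e in events)
        if not ended:
            return logon
    return None  # audit gap: the deletion has no session to stand behind it


def attribute(events, path):
    """Machine attribution (host) versus perpetrator attribution (session)."""
    delete = next(e for e in events if e["type"] == "file_delete" and e["path"] == path)
    session = active_session(events, delete["host"], delete["user"], ts(delete))
    if session is None:
        verdict = "unknown: no session covers the deletion; stop at the machine"
    elif session["logon_type"] == "interactive":
        verdict = "consistent: the account holder was at the console"
    elif session["src"].startswith(CORP_NET):
        verdict = "apparent: remote session from inside the network; follow to that host"
    else:
        verdict = "apparent: remote session from outside the network; account misused"
    return {"machine": delete["host"], "account": delete["user"],
            "session": session, "verdict": verdict}
```

A verdict of "apparent" is the point at which the network record that implicates Susan stops being evidence about Susan and becomes the next lead toward whoever held the remote session.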
