Who Hit Me & Why Does It Matter? Legal and
Author : conchita-marotz | Published Date : 2025-08-06
Who Hit Me & Why Does It Matter? Legal and Policy Challenges in Attributing Cyber Attacks
ISR Research Forum 6.2.17
Bryan Cunningham
This presentation does not constitute, and should not be treated as, legal advice or counsel

What is Attribution
- Attribution refers to identifying the agent responsible for a cyber attack or action
- Three Types of Attribution (from a legal/policy standpoint)
  - Attribution to a machine
  - Attribution to a person
  - Attribution to a responsible party
- Attribution key to deterrence (fear of penalties/responsive action can deter some adversaries)
- However, retaliation can happen only when the responsible party can be clearly identified and proven

Common Methods of Attribution
- Technical Forensics
- Code and Methodology Matching
- Human Sources and signals intelligence (traditionally available to law enforcement/intelligence agencies)
- Potential motives of attackers: Who benefits?
- Rarely will there be “smoking gun” or single sufficient source of information and you generally need to prove not just who did it but on whose behalf
- US Director of National Intelligence: “An assessment of attribution usually is not a simple statement of who conducted an operation, but rather a series of judgments that describe whether it was an isolated incident, who was the likely perpetrator, that perpetrator’s possible motivations, and whether a foreign government had a role in ordering or leading the operation.” Statement from the Office of then-DNI James Clapper

Former Asst. Attorney General for National Security on Attribution
- Some government tools for attribution
  - Physical examination of servers
  - Interviews with network users
  - Requesting/compelling providers to turn in copies or records
  - Search and seize physical devices
  - Cooperative relationships (corporates or individuals; other jurisdictions)
  - Intelligence collection and sharing activities
- Former Assistant Attorney General for National Security John Carlin
- Many of these techniques not traditionally available to private sector

Possible Remedies Beyond Company Security Fixes
- Government cooperation/help – especially if botnet or state actor compromises
- Civil or criminal legal action
- Particularly in the future, “active defense” or other self-help remedies
- All of these depend to some degree on attribution

What is the Attribution problem? Who Did It? Now, Prove It
- “We need to … identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options ….” Former Director of National Intelligence/NSA Director Mike McConnell
- Attribution, using current methods, is hard: “Attributing the adversary behind a cyber attack ranks as perhaps the hardest challenge in all of cyber security…” Anup