*Stewart Baker, former Assistant Secretary for Policy, DHS, is a partner at Steptoe & Johnson. These are his transcribed remarks from the ACD/EWI briefing, “CyberThreats & The Economy” (April 9, 2013).
I’m going to talk about the good news here, because I think we are a little behind the times in thinking about some of these cyber problems.
There is a revolution going on in attribution, and the Mandiant report is a good example of that, and the revolution, properly understood, is going to change our policy options. The question is whether we’re going to seize the opportunity to use the policy options that we are being provided by the ability to attribute some of these attacks that we’re beginning to discover.
Now, this is from a larger presentation that I do about attack and defense that begins more or less, since every general in the Pentagon seems to be waiting for the lawyers to tell them what they can do before they come up with a cyber war strategy. Well, I’ve got a JD, so I’ll give you a strategy.
Let’s start with the attack part of our strategy. That’s what everybody likes to hear about, and of course the next problem is who we’re going to attack, at which point people start to wring their hands and say, “Oh, dear, we don’t know who’s attacking us! It’s so hard, it’s so hard!”
It’s not that hard.
That’s what we have discovered. As I said to Chairman Rogers, we’ve discovered that not because the CIA has told us, not because NSA has told us, or DHS, but because brave people got into command and control servers that were owned by the Chinese — got in and looked around and told us what they found. They found a hell of a lot. They found the hacker’s girlfriend’s pictures. They found phone numbers and QQ addresses and a whole bunch of stuff that allowed us to determine who was attacking us.
That’s because it is not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It’s just like Pigpen. We’ve got this cloud of data falling off us whenever we move around in cyberspace.
I should have said this is going to be the “Huffington Post” version of cyber security. You get a little bit of fact and you get a fair amount of opinion and you get a strategic amount of cleavage.
So, what are these digital bits that we leave behind? Here’s one. [laughter]
So this picture was put up on a site of law enforcement agencies that had been hacked by Anonymous. In leetspeak this says, “You’ve been pwned by wormer & CabinCrew-Love you bitches!” The rest of the picture speaks for itself.
It turns out that this was taken with an Apple iPhone. And unbeknownst to the guy who took it, it very helpfully included the geographic coordinates of where it was taken. The FBI went to this suburb of Sydney and as they say, “Obtained a positive identification of the subject.” Apparently, the Secret Service is not the only law enforcement agency that’s having a great time abroad.
They then discovered that her boyfriend lived in Corpus Christi, Texas; he is now serving a year in prison for his attack. And just to make this G rated, he has married the subject of the photo. So it’s turned out well for everybody.
That’s kind of an unclassified view of attribution. I’ve been trying to popularize Baker’s Law, which sums up the attribution opportunity this way: “Our security sucks, but so does theirs.” That’s what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we’re bad at it, right?
Let’s start taking advantage of the fact that we can find out all kinds of stuff about the people who are attacking us.
This creates an enormous set of options for policy makers. Many people know what attribution 101 is. You’ve got all the people who’ve been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes on to some final customer who actually is going to use the information that has been stolen.
If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution.
Come on! That’s what we should be doing. We can expose and isolate nation-states, show that they are engaged in activity that will embarrass. That’s a great opportunity. We can impose sanctions on spies. Why not say, “We are designating you a specially designated national hacker?” We already have specially designated nationals for blood diamond traders. Really, that is not our most important national security problem.
What you have here is a couple of people whose pictures were actually taken with their home PC cameras by counter hackers who were investigating the attack. We can identify these guys and impose sanctions on them individually.
This is my favorite story here. One of the hackers actually had a blog. One of the hackers who did the United States government serious, serious damage had a blog that he was running under a pseudonym in which he complained the site of the “Prison Break” TV series complained about how horrible his life was. How bored he was out in the suburbs, and how much he yearned to break free of the prison that his hacking unit had imposed on him.
I thought to myself, “Wow! We could figure out who these guys are. They’re so bored. We’ll offer them a million dollars and an S Visa to come to the United States. The first one gets a million dollars. The second one gets $100,000. The third one gets $10,000. Everybody else gets indicted.” [laughter] Prison break meets prisoner’s dilemma. We could do it tomorrow if we had the nerve.
We could deny visas to companies who are hiring these guys. We’ve seen Tencent, which apparently actually hired one of the hackers who attacked United States government agencies. We should be investigating that hacker and saying to the company, “You know, if you want to come to the United States, do business here and have visas to come here, you need to cooperate with our investigation.” We aren’t doing that, but we could.
Then finally, to my mind the ultimate goal is to find the guys who are actually using the data. Governments are not using most of the data they’re stealing. They’re probably giving it to state-owned enterprises so that those state-owned enterprises can go out and do business successfully in the West — where we can reach them and prosecute them. If we can establish that a foreign company got stolen information, if we can find that information inside their crappy, unsecured networks we can prosecute them. That will change everybody’s view about how much fun it is to engage in that activity.
So, last point. What’s the role for private companies? You know how much help you’re going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we’re getting now from the FBI and the CIA when they don’t have the ability and don’t have the resources to do the help.
But the private sector is willing to spend a lot of money to find out who’s attacking them. We should help them to get the kinds of information that are necessary to bring a criminal action against the people who are attacking us. That’s what we need.
Instead, what we’re getting, and I think even from Chairman Rogers, is a classic government response. “We can’t actually help you with your criminal problem, but we can make sure that you can’t defend yourself.”
That can’t be the right answer. We’ve got to find a new approach that relies on the capabilities of the private sector as well as government resources.