Earlier this week, the House Subcommittee on Technology and Innovation held a hearing to explore the issue of cyber attribution, the problems it poses and the roles the private sector and government can play.
“History shows that one of the best deterrents to an attack is the ability to identify your attacker,” Committee chairman David Wu said. “This method of deterrence“”the ability to attribute an attack to a particular person, party, or system“”can be equally vital to defending against cyber attack.”
In testimony provided to the Commitee, Robert Knake of the Council for Foreign Relations questioned the usefulness and efficacy of deterrence in a cyber context.
“The utility of deterrence in cyber security may be limited and that the problem of attribution has been over-stated for the high end threats that represent a challenge to our national security,” he said.
One of the major problems Knake highlighted was the fact that many nations with cyber attack capabilities are not as reliant upon the Internet as the United States, making deterrence more difficult if the only response considered is a cyber-counterblow.
“Attribution may be a secondary problem to the lack of symmetry,” he said. “Many countries that possess sophisticated offensive capabilities do not have extensive societal reliance on the Internet or networked systems. If attribution could be achieved, deterrence might not follow because a state conducting an attack in cyberspace, may have little to lose through retaliation.”
In terms of the roles the government and industry should play attributing cyber attacks, any evidence provided for attribution must be near-irrefutable, according to Ed Giorgio, president and co-founder of Ponte Technologies.
“To achieve this, we will have to move to new protocols in the infrastructure which change the very foundation of our networks, building in attribution and accountability from the ground level,” he said. “Governments and private enterprises are facing similar threats, and trying to solve much the same problems, and so partnerships with industry will help to develop the protocols of the future.”
Marc Rotenberg of the Electronic Privacy Information Center, warned the Committee of the potential detrimental effects attribution policy can have on civil liberties and human rights.
“It may be that governments establish attribution requirements to address cyber security concerns,” he said. “But it also clear that governments impose these requirements to track the activities of citizens and to crack down on controversial political views. We know this from our research of identity requirements for Internet use outside of the United States.”