U.S. SECDEF on Attribution - A Little Too Optimistic?


U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:
In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex:the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.
With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace that extends beyond being able to give code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances" which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries thanks to 900 security cons held worldwide annually and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.


Comments