Cyberattacks add fuel to cybersecurity debate
Though the threat was minimal, thorny legal and policy questions remain unanswered
The rash of cyberattacks that temporarily knocked some U.S. government agency Web sites off-line is a warning call for policy-makers to confront all the traditional hypothetical questions surrounding the debate over cybersecurity policy, experts say.
Though the attacks were relatively unsophisticated in their nature, they have publicly framed many of the legal and policy questions that surround cyberattacks. Top among them are: What evidence is needed to prove who was behind an attack? What are the appropriate actions for individuals and countries to take in response to different types of computer attacks? What should the rules of engagement be for the military to use cyber weapons?
The need to answer these questions prompted the Obama administration’s decision earlier this year to set up an office in the White House to coordinate cybersecurity policy. President Barack Obama gave a speech to formally announce the position in May and promised the country’s digital infrastructure would be treated “as a strategic national asset.”
Melissa Hathaway, who led the Obama administration’s comprehensive review of cybersecurity policy and is considered a candidate to head up that cybersecurity office, has called the effort to secure cyberspace a marathon, not a sprint.
The recent distributed-denial-of-service attacks, which began over the July 4 weekend and are believed to have been launched from machines in multiple countries, provide a glimpse into how complicated the race course is.
“There’s a lot of complexity here that really needs to work itself through,” said Amit Yoran, chief executive officer of network security company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division.
Almost a week after the attacks began, speculation continues to swirl around them. Tens of thousands of computers were commandeered as “bots,” or drone machines, and used to send massive amounts of information in an attempt to overwhelm systems and shut down sites in the United States and South Korea.
Reports from South Korea indicate further attacks continued well into the week. Meanwhile, press reports have said South Korean intelligence authorities suspect North Korea or its supporters carried out the attacks. However, security experts in the U.S. say definitively identifying who is behind the cyberattacks may be difficult or impossible.
“I think at this point it is highly unlikely, highly improbable that any reliable attack-attribution data is available,” said Yoran. “It’s a very intense process and it could take weeks. ... The analysis here — both technical and nontechnical — is not trivial and takes time.”
Retired Maj. Gen. Dale Meyerrose, the former chief information officer of the Office of the Director of National Intelligence, who is now vice president and general manager of cyber programs at Harris Corp., said his experience suggests that investigations have shown cyberattacks don’t originate from where they initially appeared to have started.
Attribution is one of the primary challenges that investigators face when dealing with cyberattacks. In March, retired Adm. Dennis Blair, the director of national intelligence, told reporters that authorities were not where they want to be yet in terms of attribution and that it is a high priority.
“It takes a lot work. It takes a lot of manpower and intensive effort to sort that out because of the ability of the attack originators to go through multiple [internet addresses and internet service providers] along the way. And we’re working hard on being able to do that quicker and more accurately,” Blair said.
John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent research institute, said IP addresses can be spoofed, so just because you have a range of IP addresses that may be pointing to a country doesn’t mean an attack actually came from there. Bumgarner also said authorities lack the advanced warning or intelligence in cyberspace that they have for kinetic attacks.
Experts also point out that even if investigators could definitively attribute the origins of the recent attacks, or future attacks, it’s unclear what they would or could legally do with that information. They say current laws have not kept pace with the threat and that agency roles overlap.
“I don’t think there’s a definitive or well-published doctrine that says this is how we’re going to respond,” Yoran said. “It might be a cyber response, it might be a diplomatic response, it might be some other signal. … Who knows, maybe it’s a law-enforcement type of response based on who the actor is.”
Meanwhile, Meyerrose said the attacks illustrate why the Obama administration is making cyberspace and cybersecurity a priority.
In the wake of the attack, DHS, whose U.S. Computer Emergency Readiness Team works to protect against threats to civilian government Web sites, said in a statement that officials see attacks on federal networks everyday. Defense Department officials also say there are millions of scans or probes of its Global Information Grid.
Last month, Defense Secretary Robert Gates ordered the establishment of a new Cyber Command to assume responsibility for the defense of the military’s portion of cyberspace. The new Cybercom will be a subunit of the U.S. Strategic Command and will be commanded by the director of the National Security Agency. DHS has primary responsibility for .gov networks, and responsibility for nongovernment critical infrastructure falls to both the public and private sectors.
U.S. government sites reported to have been among the targets were both military and civilian; large private-sector institutions were also targets. The disparity in targets underscores the ongoing policy debate over the roles that DHS and NSA should have in protecting cyberspace and where their respective jurisdictions end.
Although these attacks appear to have had no major operational impact and caused no kinetic damage, they raised questions about when a cyberattack could warrant a cyber response or kinetic military reaction.
In April, a report by the National Research Council said the U.S. policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and that the country needs a public national policy in that area that applies to sectors of government.
Yoran said, “We have to start establishing better practices in terms of what are international norms and what is acceptable. And also there are reasonable questions here about interfering in somebody’s sovereignty and what constitutes a ‘use of force’ event in the cyber domain, what is an attack versus an espionage or sort of an exploitation, and what are the applicable laws and jurisdictions."
“Somebody breaks into your house you know what to do. … Somebody breaks into your computer, who do you call?” Meyerrose said. “There’s a huge disparity between what happens when somebody breaks into your house versus when somebody breaks into your computer.”
Ben Bain is a reporter for Federal Computer Week.