Two recent stories of significant cyber attacks come close to blaming the Chinese for the intrusions but stop short.
In a highly successful cyber intrusion, hackers compromised numerous systems associated with the Office of His Holiness the Dalai Lama, the Asian Development Bank and the Association of Southeast Asian Nations (ASEAN). In a second incident, sensationally reported by the Wall Street Journal, online intruders had installed malicious software on computers associated with the U.S. electrical grid. In both cases, the most likely suspect is the Chinese government. Yet, in each case, researchers and sources stopped short of blaming the Chinese.
The problems with attributing cyber attacks are well known. While we can safely assume that some of the successful attacks on our critical infrastructure are due to external actors rather than insiders, identifying the source of those attacks — routed through numerous proxies, including servers hosted within our own nation — is a difficult puzzle. The majority of attackers are likely just nationalistic opportunists, but certainly some are operating under the direction of a foreign nation.
Yet, as the United States forms a national cyber policy, the issue of attribution looms large as a significant impediment to deterrence of cyber attacks. The researchers involved in documenting the attacks on the Dalai Lama and other organizations prove the point.
The Information Warfare Monitor, which is associated with the University of Toronto, issued a widely publicized and incredibly detailed report on what its analysts dubbed GhostNet, while researchers from the University of Cambridge, who had access to the same source evidence, issued a separate report. Both teams were able to trace several of the attacking IP addresses back to Hainan Island, home of the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army (PLA), yet only the Cambridge investigators felt comfortable laying attribution at the doorstep of the People's Republic of China. The IWM report acknowledged the evidence supporting PLA involvement, but also presented some alternative scenarios that could account for the evidence, including (1) a random occurrence, (2) a criminal for-profit enterprise, (3) non-state hackers operating without the consent of the PRC, and (4) a nation other than China attempting to implicate the PRC — typically known as a "false flag" operation.
While each of these options is a possible alternative, they may be ranked in terms of plausibility by asking questions of means and motive.
Attackers often identify themselves by their selection of a victim. Ongoing tensions, if not outright hostilities, between China and Tibet have been well documented over the years. Such circumstantial evidence would certainly suggest that China had a role in GhostNet.
A January 2009 report by Team Cymru on Supervisory Control and Data Acquisition (SCADA) systems — those used by utilities and manufacturing plants to control and monitor complex systems — identified China as the source of the vast majority of scans looking for vulnerable ports into a SCADA network. Again, direct attribution to the Chinese government was not possible because of the alternative and very likely scenario that the source of the probes was computers compromised as part of a botnet and used to attack the U.S. The botnet's controller could be located anywhere in the world.
Every responsible authority agrees that these penetrations must be defended against; however, if a nation wants the capability to conduct offensive operations against the attacking group or state, it must be able to prove attribution. Deterrence, a prime strategy during the Cold War, requires attribution to be at all effective.
Still, what is the standard of proof that should apply in these cross-border cases? There are currently no international treaties that govern this area, which adds to the complexity of the attribution question.
One way to improve our ability to attribute attacks is to require that ISPs and nations exercise greater control. A recent breakfast conversation with a colleague on this topic resulted in what I think is a great way to assign attribution: Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.
In the case of airspace and territorial waters, enforcement is by international treaty. Perhaps one solution is to add cyberspace to this body of law as a fourth environment after air, land, and sea. There are penalties for violating a nation's airspace. It seems logical to apply those penalties to cyberspace as well.
If enacted, this would put the onus on hosting companies licensed to do business in their respective countries to more vigorously enforce anti-piracy software laws, require registrars operating within their borders to make a better effort at validating WHOIS data, and require hosting companies to be more attentive to gross violations by their customers or be subject to civil and criminal penalties. This includes companies based in the U.S. like The Planet and SoftLayer Technologies, which join eight Chinese companies in a top ten list of bad network blocks as assessed by StopBadware.org.
By requiring that each nation police its own cyberspace, we set a precedent for holding governments responsible for their policies on the Internet, including their own military doctrines regarding information warfare. Until governments are willing to assume the same responsibility for cyberspace that they do for their airspace and territorial waters, they should be neither surprised nor outraged by the attempts of security and intelligence professionals to identify who is responsible by other means.