Cyberattacks add fuel to cybersecurity debate
Though the threat was minimal, thorny legal and policy questions remain unanswered
The rash of cyberattacks that temporarily knocked some U.S. government agency Web sites off-line is a warning call for policy-makers to confront all the traditional hypothetical questions surrounding the debate over cybersecurity policy, experts say.
Although the attacks were relatively unsophisticated, they have publicly framed many of the legal and policy questions that surround cyberattacks. For example: What evidence is needed to prove who was behind an attack? What are the appropriate actions for individuals and countries to take in response to different types of computer attacks? What should the rules of engagement be for the military to use cyber weapons?
The need to answer these questions prompted the Obama administration’s decision earlier this year to set up an office in the White House to coordinate cybersecurity policy. President Barack Obama gave a speech to formally announce the position in May and promised the country’s digital infrastructure would be treated as a strategic national asset.
Melissa Hathaway, who led the Obama administration’s comprehensive review of cybersecurity policy and is considered a candidate to lead that cybersecurity office, has called the effort to secure cyberspace a marathon, not a sprint.
The recent distributed denial-of-service attacks, which began over the July 4 weekend and are believed to have been launched from machines in multiple countries, provide a glimpse into how complicated the race course is.
“There’s a lot of complexity here that really needs to work itself through,” said Amit Yoran, chief executive officer of network security company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division.
Almost a week after the attacks began, speculation continues to swirl around them. Tens of thousands of computers were commandeered as bots, or drone machines, and used to send massive amounts of information in an attempt to overwhelm systems and shut down sites in the United States and South Korea.
Reports from South Korea indicate further attacks continued well into the week. Meanwhile, press reports have said South Korean intelligence authorities suspect North Korea or its supporters carried out the attacks. However, security experts in the United States say definitively identifying who is behind the cyberattacks might be difficult or impossible.
“I think at this point it is highly unlikely, highly improbable that any reliable attack-attribution data is available,” Yoran said. “It’s a very intense process, and it could take weeks. … The analysis here — both technical and nontechnical — is not trivial and takes time.”
Retired Maj. Gen. Dale Meyerrose, former chief information officer of the Office of the Director of National Intelligence and now vice president and general manager of cyber programs at Harris, said his experience suggests that investigations have shown cyberattacks don’t originate from where they initially appeared to have started.
Attribution is one of the primary challenges that investigators face when dealing with cyberattacks. In March, retired Adm. Dennis Blair, director of national intelligence, told reporters that authorities could not adequately pinpoint originators of cyberattacks, and developing that capability is a high priority.
“It takes a lot work," Blair said. "It takes a lot of manpower and intensive effort to sort that out because of the ability of the attack originators to go through multiple [Internet addresses and Internet service providers] along the way. And we’re working hard on being able to do that quicker and more accurately.”
John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent research institute, said IP addresses can be spoofed, so just because you have a range of IP addresses that might be pointing to a country doesn’t mean an attack came from there. Bumgarner also said authorities lack the advanced warning or intelligence in cyberspace that they have for kinetic attacks.
Experts also point out that even if investigators could definitively attribute the origins of the recent attacks, or future attacks, it’s unclear what they would or could legally do with that information. They say legislation has not kept pace with the threat and that agency roles overlap.
“I don’t think there’s a definitive or well-published doctrine that says this is how we’re going to respond,” Yoran said. “It might be a cyber response, it might be a diplomatic response, it might be some other signal.… Who knows, maybe it’s a law enforcement type of response based on who the actor is.”
Meanwhile, Meyerrose said the attacks illustrate why the Obama administration is making cyberspace and cybersecurity a priority.
In the wake of the attack, DHS, whose U.S. Computer Emergency Readiness Team works to protect against threats to civilian government Web sites, said in a statement that officials see attacks on federal networks everyday. Defense Department officials also say there are millions of scans or probes of its Global Information Grid.
Last month, Defense Secretary Robert Gates ordered the establishment of the Cyber Command to assume responsibility for the defense of the military’s portion of cyberspace. Cybercom will be a subunit of the Strategic Command and will be commanded by the director of the National Security Agency. DHS has primary responsibility for dot-gov networks, in addition to responsibility for nongovernment critical infrastructure that the public and private sectors maintain.
The recent cyberattacks targeted U.S. civilian and defense government sites and large private-sector institutions. The variety of targets underscores the ongoing policy debate over setting roles that DHS and NSA should have in protecting cyberspace and defining jurisdictional boundaries.
Although these attacks appear to have had no major operational impact and caused no kinetic damage, they raised questions about when a cyberattack could warrant a cyber response or kinetic military reaction.
In April, a report by the National Research Council said the U.S. policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and that the country needs a public national policy in that area that applies to sectors of government.
Yoran said, “We have to start establishing better practices in terms of what are international norms and what is acceptable. And also there are reasonable questions here about interfering in somebody’s sovereignty and what constitutes a ‘use of force’ event in the cyber domain, what is an attack versus an espionage or sort of an exploitation, and what are the applicable laws and jurisdictions."
“Somebody breaks into your house you know what to do," Meyerrose said. "Somebody breaks into your computer, who do you call? There’s a huge disparity between what happens when somebody breaks into your house versus when somebody breaks into your computer.”
Ben Bain is a reporter for Federal Computer Week.