When Cyber Attacks Occur, Who Should Investigate?


Dec 6, 2018


Marriott announced last week that it had suffered a major data breach. Hackers made off with the personal details of 500 million customers dating back to 2014. The Marriott cyber incident is just the latest of many occurring in recent years, often with what feels like escalating stakes. Many of these data breaches and cyberattacks cross geopolitical boundaries. They target individuals, corporations and governments and have led to the theft of information and money, as well as the disruption of critical infrastructure, such as power stations and hospitals.

The Marriott attack came just days after the U.S. Department of Justice indicted two Iranians for the cyberattacks that crippled much of the city of Atlanta's government systems earlier this year. Unfortunately, the assignment of blame like this is rare, and victims of cyberattacks are often left to fend for themselves. While Marriott International stated that it reached out to cybersecurity experts and law enforcement, identifying attackers is very challenging, and there is no authoritative international body to rush to the digital crime scene to determine who is responsible.

In November, French President Emmanuel Macron called for greater global cooperation on cybersecurity issues. At the same time, the cybersecurity firm FireEye called for "a global community that agrees to a set of unacceptable actions, and that works together to ensure there exists a deterrent to avoid such actions." Attribution, the company said in its report, "will be key."

Although the U.S. government has publicly identified the attackers in a few high-profile cases, this is more the exception than the norm and the vast majority of attacks are never officially attributed. This means that cyber perpetrators are rarely held accountable for their actions. In light of attacks such as the Democratic National Committee cyberattack or the cyber intrusion into the U.S. power grid by Russian state actors, perhaps it is time that an international authoritative cyber attribution body be created with the goal of promoting accountability in cyberspace.

A world with more and more networked devices, the growing availability of cyber weapons, and the absence of accountability in cyberspace has led to the emergence of a digital wild west of cyber conflict and vigilantism. The private sector has responded accordingly with market solutions that can help defend against aggressors where government does not. These solutions include products like anti-virus software aimed at protecting average users against common attacks.

The private sector has also developed a variety of forensic tools, techniques and expertise that enable the identification of breach characteristics. In particular, a bevy of cyberthreat intelligence companies offer cybersecurity services that support cyber attribution, through the use of technology, intelligence and political insights to determine who is responsible for an attack. For example, CrowdStrike provided forensics analysis of the DNC computer servers that ultimately led to attributing the DNC hack to Russian government-backed actors. Private sector cyber attribution services such as these are an attempt to fill an important need.

Nevertheless, these cyber attribution services raise some concerns. The current cyber attribution landscape is fragmented and confusing. The growing market opportunities have incentivized companies to demonstrate unique or novel techniques and to issue splashy attribution statements. Different actors use different naming conventions (Fancy Bear, APT 28, Sofacy, etc.) to refer to the same responsible parties. They apply their own standards of assessment and publish their attribution findings in different ways and with different levels of granularity. Some companies publicly present data to support their findings, some provide limited evidence publicly while sharing other evidence privately, and still others publish no attribution statements at all.

There are some efforts within the U.S. government to try to facilitate regularized attribution. For instance, a bipartisan bill, the Active Cyber Defense Certainty Act, seeks to reform the Computer Fraud and Abuse Act to explicitly exempt private sector firms from prosecution when collecting data for the purposes of cyber attribution. The measure focuses on allowing defenders to use beaconing software that would trace the source of an attack, an arguably benign defense mechanism. But such a law might also encourage digital vigilantism and could facilitate attribution practices that are inconsistent and unbounded.

In a perfect world, cyberattackers would be attributed transparently with full confidence and be held accountable to prevent a repeat or future attack. But holding the attacker accountable should require a burden of proof that is scientific in methodology, consistent with that of other attacks and generally accepted.

As an alternative to the market and the sporadic and political decisions of national governments to publicly attribute, consider a solution in which a qualified, widely accepted, non-governmental body could conduct investigations and preside over cyber attribution decisions. Such a body could narrowly focus on engaging in attribution investigations in a transparent, systematic and consistent manner. The membership of such a body could be made up of technical and policy experts, perhaps on fellowship from private cybersecurity firms. More importantly, to avoid the perception of politicization or bias, the membership could be geopolitically diverse with mechanisms for dissent.

To prevent descending further into the digital wild west where every computer user must fend for themselves, some thought could be given to creating a structure for enabling systematic accountability. We believe that creating a global body with a narrow focus on investigating and assigning responsibility for cyberattacks could be the first step toward a digital world with accountability.

John Davis is a senior information scientist; Jonathan Welburn is an associate operations researcher; Benjamin Boudreaux is a senior policy analyst; and Jair Aguirre is a senior technical analyst at the nonprofit, nonpartisan RAND Corporation.

This commentary originally appeared on United Press International on December 6, 2018. Outside View © 2018 United Press International.
