AFTER MONTHS OF news about Russian meddling in this year’s US presidential election you’re probably sick of speculation and ready for answers: What exactly did Russia do and why? It sounds simple enough, but a fundamental concept in cybersecurity and digital forensics is the fact that it is sometimes extremely difficult after a cyberattack to definitively name a perpetrator. Hackers have a lot of technical tools at their disposal to cover their tracks. And even when analysts figure out which computer a hacker used, going from there to who used it is very difficult. This is known as the attribution problem.
The quandary has gained visibility in recent years as more nation-state hacking makes attribution a geopolitical issue. And this amplifies the problem significantly by necessitating public disclosures. In the US, when the intelligence community is in agreement about an attribution and is ready for the presidential administration to share it publicly, citizens want proof or an explanation of how the attribution was reached. But releasing information about technical and physical intelligence capabilities and initiatives can undermine current and future operations. As a result, even when intelligence agencies can make a determination with a high degree of confidence, they face a second attribution problem in the court of public opinion.
“Obviously there are cases where we cannot come to a clear conclusion in digital forensics. It’s always a question of what evidence did you get,” says Thomas Rid, a cybersecurity-focused professor in the department of War Studies at King’s College London and author of the 2014 paper Attributing Cyber Attacks. “But there is still this ‘attribution is impossible’ knee jerk reaction that occasionally pops up, which really doesn’t make much sense. The idea that attribution is not possible really doesn’t carry any weight in the technically informed community anymore.”
When the Obama administration placed blame for the 2014 Sony Pictures hack on North Korea, for example, much of the security community agreed with the consensus, but there was also some prominent skepticism. Part of this was because Obama did not disclose that the US had the direct ability to spy on North Korean internet activity before and during the attack on Sony. These details were later reportedby the New York Times. But inconsistent access to full evidence can make it difficult for individuals and civilian security firms to vet government attributions.
In 2016, President-elect Trump has leaned on the attribution problem to dismiss consensus about Russia’s political hacking during the presidential campaign. Speaking to FOX News on Dec. 11, Trump said, “Once they hack, if you don’t catch them in the act you’re not going to catch them. [Intelligence agencies] have no idea if it’s Russia or China or somebody. It could be somebody sitting in a bed some place. … I don’t really think it is [the Russians], but who knows? I don’t know either. They don’t know and I don’t know.”
President-elect Trump has made many similar statements referencing the difficulty of tracing well-executed cyber attacks. But this frames the attribution problem at an inaccurate extreme, suggesting that it is absolutely never possible to determine the source of a cyber attack unless analysts observe it as it is happening. (Trump’s statements are also inaccurate given that digital forensic analysts, particularly the civilian firm CrowdStrike, did catch Russian actors “in the act.”) “What I can say is in my experience being in an intelligence agency, if the CIA came to me and had a high confidence level with supporting evidence—to dismiss that is definitely alarming,” says David Kennedy, CEO of the security firm TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “No supporting evidence has been released to the public, but would assume it has to Obama, intelligence officers, and Trump.”
In a broad sense, the attribution problem applies to any type of investigation, not just a digital one. There isn’t always iron-clad direct proof of who committed a crime and it can be difficult or even impossible to discern a culprit from the evidence and information available. Nonetheless, it is possible to codify a justice system that identifies suspects and then decides whether they are innocent or guilty of crimes based on available evidence. Absent perfect information, a justice system will certainly make inaccurate determinations at times, but if the overall rate of success is satisfactory the framework can function.
Though cyber attacks and digital attribution are in their infancy compared with that of physical crimes, systems for cyber attribution are slowly developing in the same way. And since attribution deals in degrees of certainty, not absolutes, people are still evolving their standard for what rate of success and confidence level is enough. “Attribution is extremely difficult and requires intelligence sources that are reliable and accurate,” Kennedy says. “The intelligence community typically monitors specific groups and activity in order to have high confidence. It’s not a perfect system, but the US is one of the best.”
For now, the intelligence community consensus about the Russian attribution is not firm enough for some, who still have doubts about whether the US can reasonably base retaliation against Russia on it. The attribution problem is exactly that—a problem. But it is not an irreconcilable barrier. “You can identify hackers even if you do not catch them in the act,” Rid says. “Digital forensics as a profession is exactly there to solve that problem and it can be solved. Sometimes it can’t, but often it can.”