Nearly a year ago, we witnessed an act of cyber destruction directed against the networks of Sony Pictures Entertainment. The destruction was serious and somewhat unprecedented – frozen computers, leaked proprietary and personal information accompanied by threats against movie theaters. After the attack came an argument about attribution—whodunit?—lasting several weeks within and outside the cyber security community. Theories and counterclaims shot across cyber publications and blogs.
Shortly after the attack, the FBI fingered the North Koreans, who had previously engaged in a more limited pattern of cyber activity, targeting South Korea, with little indication that the country had grander plans. Arguments raged over the technical data, over whether the FBI knew what it was talking about, and over claims that the North Koreans didn’t have a clear motive for the attack (as if getting into the head of North Korean leader Kim Jong-eun was an easy matter).
Some contended that this devastating attack was apparently retribution for a satirical movie produced by Sony that showed North Korea’s leader in a disparaging light. But how could this possibly be motivation for an act of “cyber vandalism,” as President Obama called it? There were even claims of an “inside job” at Sony, accompanied by voluminous analysis of the partial data available to those not involved in the FBI or internal Sony investigation.
Did attribution even matter in this case? Some say it didn’t—and that attribution doesn’t generally matter… except when it does.
Attribution matters for cyber defense but becomes even more critical as we focus on the policy potential of cyber deterrence, and the inherent policy and legal issues. Our policies and our rules of engagement demand accountability and therefore must be premised on knowing the perpetrator’s identity. Likewise, common sense demands clarity and evidence. Our network defenders in both the private and public sectors need to know who they are facing and what these adversaries seek in our networks.
So what did we learn from the Sony attribution circus?
- Whatever the government says, some in the cyber security community will doubt it. Certainly post-Snowden, many in the cyber security arena simply do not trust the government’s claims. Skepticism is probably a healthy reaction in attribution discussions, but it should not become the sole guiding principle.
- It’s not all about the technical and tactical data. Sure, it’s great to be able to track perpetrators through previous signatures and malware, and that’s a big part of the attribution puzzle, but it is NOT the entire picture. Intelligence information and a strategic understanding of the attackers’ objectives matter too.
- We know intelligence matters because in the Sony attack, the government eventually admitted that intelligence and existing operations against North Korean networks formed the core of U.S. officials’ conclusion that Pyongyang was responsible for the activity.
- Understanding and evaluating threat and risk should be part of a holistic approach. We’re still talking about good, old-fashioned, actionable intelligence analysis here, albeit with some more complex technical data. If we want to design effective cyber defenses and deterrence, it’s not just about the information, it’s about the intelligence and the tactics, techniques, and procedures employed by the adversary. It’s about context.
- Context can also help us in finding the right standard for attribution – a standard which should emphasize critical thinking and analysis, not just speed or public relations.
And there’s an added bonus to this approach: at a time when we bemoan the lack of interest in the cyber professions, we have a perfect opportunity to broaden the cyber security field by welcoming individuals with other types of analytic skills to the fight, not just the technical experts.