At RSA, Govt. Says Attribution Key to Cyber Strategy
Despite the difficulty of attributing cyber attacks, government officials stood by attribution as a key tool in responding to cyber incidents.
The world at large may have doubts about the U.S. Government's ability to "get its man" in cyber crime cases, but Uncle Sam is putting his weight behind efforts to identify malicious online actors and, when possible, to hold them to account.
That was the clear message from a string of government officials who spoke at last week's RSA Security Conference in San Francisco, where lawyers and policy makers from the Obama Administration celebrated efforts to expose state-sponsored thieves and other criminals believed to have hacked U.S. corporations and government agencies.
In a keynote speech on April 21, Department of Homeland Secretary Jeh Johnson said that he was "enthusiastic and proud about the direction" that the U.S. government was headed on cyber security, noting that cyber security was a mission on par with counterterrorism for DHS.
Singling out the countries and even individuals behind those attacks is key to that mission, as it allows the government to direct specific sanctions against a nation-state actor or to indict individuals on criminal charges.
Speaking on Thursday evening at an event hosted by The Christian Science Monitor’s Passcode, John Carlin, the Assistant Attorney General of the National Security Division at the Department of Justice told an audience of technology executives and security researchers that the government needs to “increase costs for those who seek to harm or steal from U.S. citizens.” Sanctions, like those levied against senior officials in China’s People’s Liberation Army (PLA) and the government of North Korea.
“When we figure out who did it, we’re not afraid to say it,” said Carlin. “We’re not afraid to put some sort of costs on it.”
Carlin said economic sanctions against individuals, businesses or entire governments are one of the few levers available to the U.S. as it looks to retaliate for cyber attacks in which the malicious actors are unlikely to see the inside of a courtroom.
Still, Carlin acknowledged that attributing cyber attacks is still a dicey business.
“It is definitely difficult to do attribution in this space, but it’s not impossible,” he said.
The Obama Administration faced questions about its decision to attribute a devastating cyber attack on Sony Pictures to the government of North Korea – purportedly in retaliation to the planned release of The Interview, a comedy depicting an attempt to assassinate North Korean leader-for-life Kim Jong Un.
Some security experts claimed that evidence in the case pointed to disgruntled former employees – not North Korean hackers – as the source of the attack. In a speech this week, Kevin Mandia – president of the security firm FireEye, unequivocally denied those claims, saying the hack was not an inside job, but the work of a “nation state.”
Carlin said the case was evidence of the increasing cooperation between U.S. intelligence agencies and law enforcement.
“For too long, when it came to nation state attacks, we weren’t trying to cause pain to the adversary,” he said. Instead, intelligence agencies collected data on sophisticated hacks for “intelligence purposes,” he said.
The sanctions against North Korean and Chinese leaders increase the cost of doing a cyber attack and give the U.S. leverage in trying to discourage those countries from further attacks on U.S. interests.
“We’ve shown that we can do it, and we have to keep sending that message,” Carlin said.