The first issue, discussed last week, concerned the importance of distinguishing between a cyber intrusion and a cyber attack. This week, I want to address a comment I hear too often: that “we know for a fact” who is behind the cyber attacks.
I called a CISO (chief information security officer) of a critical infrastructure operator and a subject matter expert who has worked with three-letter agencies on cyber event investigations. I had barely finished relating the statement when he replied, “That’s bulls**t,” and went on to talk about cyber break-in investigations that went on for “years” without identifying who was behind the attack.
One of the most challenging aspects of cyber attack attribution is the international routing and staging of cyber attacks. Cyber attack designers often route or stage their attacks across multiple jurisdictions to complicate attribution, and to delay or even halt an investigation by placing an unfriendly or uncooperative country in the communications pathway used during the attack.
If I were to launch a cyber attack on the United States and route the malicious traffic through a compromised server in Venezuela, you can be sure Hugo Chavez would not grant access to the server or servers located in his country that would help U.S. investigators.
Multiple intelligence segments must come together in support of a cyber incident investigation. Only through cooperation between the public and private sectors, law enforcement and the governments of foreign countries will we have a chance at attribution. The “we know for a fact” attitude only increases our risks!
Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at Netscape. He is Senior Fellow with the Technolytics Institute, where he provides consulting services on strategic technology and security issues.