Dangerous Cyberwar Rhetoric

Friday, August 5, 2011 | Marcus Ranum
In the wake of the Pentagon's release of their "Strategy for Defense in Cyberspace" this summer, IANS Faculty and Tenable CSO Marcus Ranum shares his thoughts about cyberwar attribution and how mis-attribution could lead to potentially dangerous consequences. Marcus's blog post follows:

In July 2011 the Pentagon released its "Strategy for Defense in Cyberspace", with the US Cyber Command to oversee coordination between military and intelligence agencies regarding cyberwarfare. One of the statements made by DoD spokesmen was that a military (real-world) response is possible to sufficiently damaging cyberattacks. On the surface this is reasonable enough, but some of us wish that the statement had been a bit stronger about the degree to which attribution would have to be certain before a counter-attack might be launched.

I'd also have wished to hear something to the effect that evidence bolstering attribution would be presented publicly. There are several reasons this is an important aspect of the problem, and it does not come up very much in conventional warfare; we need to pay close attention to evidence and attribution in cyberspace in a way that we seldom do in the real world.

Let's consider the fascinating case of the ROKS Cheonan's sinking. Briefly, the incident involved a South Korean naval vessel that sank with the loss of 41 crew. Initially it was suspected that the ship was deliberately sunk, possibly by a North Korean miniature submarine, though the UN Security Council issued a statement condemning the attack without attributing it. As events unfolded, an investigative team consisting of personnel from Canada, Sweden, Britain, Australia, and the United States concluded that the ship had been torpedoed, and its report included recovered torpedo parts that were consistent with North Korean torpedoes. The report was accepted by many as accurate, though others were skeptical, and - ultimately - the problem has been addressed diplomatically.

In many ways, this incident is a great example of how I feel a damaging cyberattack should be handled: method, motive, and evidence, presented to the international community.

So far, when it comes to cyberattacks, that's not how attribution has been established. Apparently it is sufficient for a government to assert that there have been attacks and "the IP addresses are in the other guy's country." I believe, and I hope you do too, that if human lives are going to be placed at stake, a better standard of evidence is necessary.

This is a very real and pressing issue. Let's take another example: Stuxnet. Stuxnet apparently caused crippling and costly damage to Iranian government facilities. In terms of method, Stuxnet was the method. For motive, the US and Israel come immediately to mind as the most likely suspects. If the Iranian government tried to accuse the US or Israel of releasing Stuxnet, we'd all hope for better evidence than that it came from the IP addresses of some US service provider. I, and most of the people reading this, would probably say that Iran would not be justified in launching retaliatory strikes against US critical infrastructure because of Stuxnet. I hope we'd all ask for better evidence. Which means that, when we're wagging a chastising finger of our own at some other country, we need to be asking for better than assertions about IP addresses.

To head off a potentially disastrous mis-attribution or a series of escalating retaliatory strikes, we must encourage our leaders to show responsibility regarding cyberattack. We need to tell them that we expect them to dial back the rhetoric, present evidence and, if necessary, establish incident review teams with international membership to analyze and report on incidents and the available evidence before any action is taken.