15 November 2016

The Great Cybersecurity Attribution Problem

Jessica Smith

Rawls's theory of justice as fairness is the most well-balanced in acounting for social justice and security culture needs.

Unlike your creative writing professor, an entreaty for a suspension of disbeliefis not a term of endearment to a cybersecurity practitioner.

In fact, such language in this social clique is downright indecent. But to cyber constructivists like former Director of National Intelligence and the National Security Agency, Mike McConnell, attribution systems prove an exception to the rule.

In a 2010 Washington Post article, McConnell boldly asserted that: “[W]e need to reengineer the Internet to make attribution . . . who did it, from where, why and what was the result – more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies.” Thus, if a new attribution system could indeed be readily implemented, how might it look from a security culture and social justice standpoint?

Because constructivism focuses on understanding the impact of ideas and how actors define their interests and identities in a social system, the article identifies the archetypal interests of six cyber stakeholders against the backdrop of several attribution frameworks. The utility of this approach, as derived from political constructivist philosopher, John Rawls, is that by first understanding the conflicting attribution preferences at both the individual and state level, and then treating all stakeholders as “rational and mutually disinterested” – behind a veil of ignorance – we can arrive at design principles that are predicated on notions of both justice and security.

So, Which Cyber Stakeholder Are You?

To establish granularity, this article draws on the general interests of the following six cyber stakeholders: (1) journalists and researchers (2) law enforcement and the military, (3) criminal entities, (4) activists and whistleblowers, (5) the government and (6) business entities. Whilst this list is not exhaustive, it is nonetheless grounded in a real-world context, for it is partially modeled after the diverse list of actors that Tor has categorized as users of its services.

Having introduced the cast of characters, our focus shifts to setting the stage with the different attribution frameworks and examining the interplay of those interests and identities. The following attribution frameworks were developed by Matthew Bishop, Carrie Gates, and Jeffrey Hunker in The Sisterhood of the Traveling Packets, and serve as the corpus of this cybersecurity thought experiment.

Perfect Attribution

In a perfect attribution system, the so-called “attribution challenge,” simply does not exist. This is because “attributes of both the sender and recipient are known to both,” such that attribution is always knowable in real-time, and at little financial cost to the investigating party. From the perspective of a business entity, this would be desirable condition for conducting commercial transactions online, for a certain level of authentication is required for both contract formation and payment verification purposes. A surveillance state regime would also be a proponent of this model. This is because it amplifies a state’s ability to monitor the online activities of its citizenry, weed out political dissidents and criminals, and also punish those who accessed censored content, or espoused anti-regime rhetoric.

In contrast, this model would likely be most abhorrent to journalists, researchers, whistleblowers, activists, and criminals, for it would strip them of any sense of security and anonymity in their online activities. In terms of the interests of law enforcement and the military, this would require more nuance to explain. On the one hand, perfect attribution would significantly aid law enforcement in apprehending cyber criminals who engaged in acts of computer fraud and abuse, intellectual property theft, or circulating child pornography. On the other hand, the military and intelligence community would be operating at both a tactical and strategic loss. The reason being, it would significantly impede efforts to conduct covert cyber operations, as well as to safeguard the identities of its operatives and informational assets.

Perfect Non-Attribution

In a perfect non-attribution system, the present-day expression, “attribution is hard” roughly translates into “gosh, attribution is impossible!” More concretely, a perfect non-attribution system is the converse of the aforementioned system. Here, perfect non-attribution would hold considerable appeal for activists, whistleblowers, and criminals, who would be able to enjoy the full protections of anonymity. In sharp contrast, a surveillance state would vociferously protest this type of attribution framework, in fear that it would weaken their control over anti-regime activists and regulation of “unsavory” speech. Perfect non-attribution would also stymie law enforcement’s efforts to apprehend cyber criminals, as well as the intelligence community’s ability to collect and analyze information. Even the business entities would find it difficult to operate at a profit under this system, for the ability to conduct e-commerce under a low margin of risk here, would become severely imbalanced.

Perfect Selective Attribution

In a perfect selective attribution system, the actor “wants the attributes known to some entities but not to others[.]” Here, each of the actors would be endowed with the ability to choose to whom their true attributes would be made known, and to what extent (e.g. name, organization, Internet Protocol address, Internet Service Provider, etc.) Thus, if each actor were to pursue their own self-interest, this might manifest in certain actors choosing to either protect their anonymity, or operate from a need to further a collective national security interest. However, this design also raises a practical issue – what if the selected recipient of this data knowingly chose to (or even unwittingly) disclose those attributes? We can imagine a variety of scenarios: Perhaps the recipient might be motivated to disclose it to a government or business entity for personal gain, maybe use it to blackmail the actor, or even use it to generate misinformation as part of a larger gray strategy campaign.

False Attribution

Lastly, in a false attribution system, an actor can determine attributes of the cyber act and/or message, but the data is inaccurate. Put another way, this attribution system would be overpopulated by “digital straw men,” and embody the ideal petri dish for waging false flag operations. Similar to the perfect non-attribution system, here, criminals, activists, whistleblowers, and journalists would find this model favorable in protecting their anonymity and personal security. Perhaps even some business entities, at least in the short-term, might look favorably upon this model, for it would allow them to surreptitiously learn about the business practices or methods of a top market competitor.

Understanding the law enforcement and defense community’s perspective, however, requires a little more finesse to unpack. On the one hand, false attribution could enable law enforcement to conduct sting operations to catch cyber criminals. However, the accuracy of the attributes known about the target would accordingly be called into question, and might fall short of satisfying basic evidentiary standards in a court of law. This dichotomy also impacts the military’s overall mission readiness for waging cyber operations. While false attribution could augment the effectiveness of offensive and defensive cyber operations, it also presents complications with upholding the Law of Armed Conflict, not to mention the duties of member states under the United Nation’s Charter, and the ability to lawfully invoke the right to self-defense under Article 51.

Designing an Attribution System from Behind the Veil of Ignorance

Having outlined the actors and the frameworks, how might a fair attribution system be designed from behind the veil of ignorance? According to John Rawls, the veil of ignorance constitutes a neutral decision making position, or “initial status quo,” for rational actors. Rawls posited that when individuals are confronted with making a decision from behind a veil of ignorance, a more egalitarian outcome is likely because “all are similarly situated and no one is able to design principles to favor his particular condition[.]”

Put another way, as Professor Ian Shapiro of Yale University explains, the Rawlsian experiment encourages us to ask ourselves: “What are the best social rules for people, regardless of who they turn out to be? If we accept Rawls’s major premise of justice as fairness as a system output, then this framework can be transposed to identifying the design requirements for a just attribution system.

While each attribution framework presents a particular set of risks and benefits to the stakeholders, if tasked to select a system from behind the veil of ignorance, the perfect selective attribution system best captures Rawls’s theory of justice as fairness.

Why?

Perfect selective attribution is the most well-balanced in accounting for social justice and security culture needs. The reason being is that it enables all cyber stakeholders with the freedom of choice in disclosing their true personal and/or organizational attributes to an intended recipient, and equally importantly, to what extent. And although each actor is endowed with the power of freedom of choice, every cyber action is also accompanied by the freedom of failure.

In essence, the system operates on a basic assumption of mutual trust between the parties. If the recipient of the actor’s true attributes either intentionally, or unintentionally, betrays that confidence to a law enforcement or intelligence agency, then a collective security interest is furthered at the expense of a personal interest.

However, recipients that disclose such information are not immune themselves, for in this digital ecosystem, an actor’s true attributes are only as secure as the other party’s attributes. Thus, as Professor Shapiro explains, the Rawlsian standpoint of justice becomes “the standpoint of the least advantaged person.”

As this article has highlighted, there is a curious duality to this system that is fed from both a parochial self-interest, as well as a collective security interest. In summary, the perfect selective attribution system is the best positioned to balance the competing interests of all cyber stakeholders. And from Friedrich Nietzsche’s observation that “out of chaos comes order,” similarly here, a veil of ignorance approach to the “attribution challenge,” offers promise for order in cyberspace.

Jessica “Zhanna” Malekos Smith is a postdoctoral fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. She received her B.A. from Wellesley College and J.D. from the University of California, Davis School of Law. Malekos Smith is a M.A. candidate in International Relations and Contemporary War at King's College London, War Studies.

No comments: