OODA OriginalUncategorized

On Attribution

James Dunnigan reminds us that the non-shooting war is still raging:

There’s a Cyber War going on between China and the rest of the world. The problem is, there’s enough proof to know that China is behind an increasing number of Internet based attacks, but not enough to call China out on it. It began about five years ago, with an increasing number of very well executed Internet attacks that appeared to be coming from China. […]

So many discussions on this topic center around the remote hope that “digital hot pursuit” will become a commonplace realty. It was unique back in the day of the Cuckoo’s Egg and it is rare today. Such an approach suffers from three fatal flaws: That the right resources will be on line at the right time to effectively know one has been breached; that the right resources will be instantly available to effectively trace an intruder backwards; and sufficient data will be obtainable to prove who is at the keyboard and where they are really sitting. I won’t even begin to discuss the legal and sovereignty factors associated with this issue, or the myriad of subordinate technical aspects that could stop a pursuit in its tracks.

Despite a large investment in improving INFOSEC across the government, security is still an add-on. You can’t join the Army and sign up to be a firewall jockey, but if you’re the only guy in your unit that knows that “TCP/IP” isn’t a drug, you might get the extra duty. Let’s also remember that security will always take a back seat to functionality and connectivity; when the old man is screaming about getting his SIPRnet up you bring up security problems at your peril. Service CERTs are nice, but technical skill and response times at Ft. Nowheresville are what count once the alarms go off.

It is not “tactical” (misuse of that term by so many notwithstanding) but the more sane approach to the attribution problem is to evaluate who is most likely to make use of that data on any compromised system. There is a reason why Chinese SLVs and the then-Soviet space shuttle look so much like their US counterparts. In the case of China the answer is self-evident, but activity coming through South Korea or Brazil is another story. In reality there might be a half-dozen allies or adversaries who are most likely the ultimate sponsors of such activity, which means the role of the byte police is over, and it is time to put our other intel and security assets on the job.

Ultimately this boils down to a policy problem: either data is worth protecting or it isn’t. If we are no longer concerned about aggregation and we’re ready to throw out the NISPOM, then enough flailing about over digital penetrations and let’s adjust the budget accordingly. If we are serious about keeping our information to ourselves then we need to give serious consideration to pursuing a “deny all, allow some” strategy. This means less jacking around at work, but it also means less opportunity for our adversaries.

Michael Tanji

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.