Security Experts:

Attribution Concerns Raised Over Cyber Sanctions Program

The recent executive order signed by President Obama establishing a sanctions program for overseas cyber-attackers gives the government a new tool to deter malicious attacks. The challenge lies in knowing who to punish, security experts warned.

The sanctions program, announced by the White House on Wednesday, targets individuals and groups outside the United States that use cyber-attacks to threaten U.S. foreign policy, national security or economic stability.

The U.S. Department of Treasury will be able to freeze assets and bar other financial transactions of entities engaged in destructive cyber-attacks.

"From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds," Obama said.

The executive order itself just claimed the authority to impose sanctions on cyber-attackers. No new sanctions were announced.

While the sanctions program would be one of the many tools the government can use to curtail and deter malicious activity, the program won't succeed if the government doesn't figure out how to handle attribution, Mike Brown, vice-president and general manager of the global public sector at RSA, told SecurityWeek. "We need to ensure there is some transparency around attribution," he said.

Attribution is a thorny problem. Take last winter's cyber-attack against Sony, for example. The Federal Bureau of Investigation (FBI) said the attack was the work of North Korea. In response, the White House imposed sanctions on North Korea. It turned out to be not as simple as that, since many security experts remained skeptical of the FBI claims without any evidence. Some details the FBI did eventually release seemed circumstantial, or not definitive enough, to really link the attack to North Korea. A few weeks later, Norse claimed to have uncovered evidence the attack was the work of an angry ex-employee. And just last February, Taia Global came out with its own analysis linking the attack to a Russian group.

"Attribution within the information security space is not nearly as easy as it sounds," Greg Foss, a senior security engineer at LogRhythm, told SecurityWeek. Attackers can "pivot through other countries" and make it seem as if attacks originated from a different location. Malware can contain false data to shift culpability, Foss said. It's important to understand the specifics of how the government plans to address attribution and define methods used to identify attack origins.

Knowing who actually did the attack is a hard problem to solve, and when sanctions are involved, it's a question no one wants to get wrong. "While the idea is novel, mistakenly placing sanctions on a country based on the actions of one potentially separate entity could have serious consequences," Foss said.

There is also the human factor. In some cases, sanctions will only harm the civilian population without doing anything to address the problem directly, Foss said.

Companies are investing a lot of money to improve their security defenses, but the private sector can't solve the problem alone, Stephen Cobb, a senior security researcher at ESET, told SecurityWeek. There are "elements of the global cybercrime infrastructure that only persist due to the complicity of corrupt officials and unscrupulous businesses that turn a blind eye to cybercrime," Cobb said. Coordinated government action—both nationally and internationally—is necessary to shut those elements down, he said.

Until recently, it seemed a lion's share of cyber-attacks against the United States could somehow be traced back to China, which has consistently denied its involvement. The new program could be used to combat economic espionage by China, James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, told the Washington Post. “You have to create a process to change the behavior of people who do cyber-economic espionage,” Lewis told the Post. “Some of that is to create a way to say it’s not penalty free. This is an effective penalty. So it moves them in the right direction.”

A Chinese government official criticized the sanctions program, reiterating that China does not endorse cyber-attacks and remains committed to fighting cyber-attacks in any form.

"Cyber security concerns the common interests of all countries. The international community should jointly solve the issue of cyber-attacks through dialogue and cooperation, and based on mutual respect and trust," Chinese Foreign Ministry spokesperson Hua Chunying said during a regular press briefing, China Daily reported.

In its daily roundup, iSIGHT Partners expressed concern the program would not be "a significant deterrent for organizations and states that would seek to benefit from cyber espionage."

The company also remained "uncertain whether the US can reasonably expect to demonstrate the attribution and intent that seem to be required to trigger these new sanctions."

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.