Security researchers have long spoken about “the attribution problem” – that is, the difficulty of pinning a specific security event to a specific threat actor with a particular motivation and support group. But we forget the other part of the attribution problem – what happens when we actually ARE able to attribute a specific attack to a specific actor? Once we publicly attribute an act, we kinda sorta have to do something. And that’s an entirely different kind of problem altogether.
Recently, the Trump administration announced publicly that the WannaCry ransom attack was the work of the Lazarus Group working on behalf of the North Korean government – and that Pyongyang used tools stolen from the NSA to perpetrate the attack. The WannaCry attack, launched last May, was a cryptolocker attack which not only disrupted computers belonging to more than 200,000 companies around the world, causing billions of dollars in losses, but also led to the payment of at least tens of millions of dollars in cryptocurrency as ransom to release the data on those computers. Thus, as a state-sponsored attack, it served several purposes. It announced the DPRK’s ability to either directly or indirectly infiltrate and obtain NSA secrets (or at least to exploit these purloined secrets obtained by a group called Shadow Brokers, which the government did not directly attribute to North Korea); it announced that disruption attacks will be used as weapons of war; and finally, it announced that nation-states will use cyber attacks as a means of financing themselves and their other activities. Thus, future nuclear preparations, chemical warfare, kinetic attacks or support for terrorist or other activities may be financed by ransomware attacks.
This follows on the heels of the 2014 SONY attack – also widely but not yet officially attributed to North Korea, in which confidential memoranda and communications of SONY corporate officials were publicly disseminated in reprisal for the film studio’s release of a movie perceived to be critical of the North Korean dear leader.
So, the question is – now that we have publicly attributed the WannaCry attack to the Kim regime, what do we do about it?
A Few Good Options
Trump administration Homeland Security Advisor Thomas P. Bossert described the administration’s proposed response to the nation-state threat of cyber attack in a letter to the Wall Street Journal noting that, “We call on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and other bad actors the ability to launch reckless and destructive cyberattacks. We applaud Microsoft and others for acting on their own initiative last week, without any direction or participation by the U.S., to disrupt the activities of North Korean hackers.”
That’s a curious response by a government agency.
Imagine if attackers from Canada lobbed missiles at buildings in New York and the Department of Defense called on the private sector to increase its accountability to take actions to prevent the Canadians from having the ability to attack further. It’s also strange for the U.S. government to implore private companies to engage in what the law calls “self-help” in disrupting foreign state actors.
The options for private companies are also limited when it comes to responding to state-sponsored attacks. Of course, they can increase their defenses, responses, and resilience to such attacks – hardening the bunkers and increasing their monitoring. Some types of attack – like DDoS or similar disruptions – can be minimized or diverted. Threat intelligence can be a useful tool for learning about adversary intentions and abilities. But regarding actual response, private sector actors – either working alone or in concert – have limited legal options. They can share information; they can block malicious traffic; they can even create an electronic “blockade” or “quarantine” of known bad domains or IP addresses. But they can’t send in troops, they can’t impose economic sanctions (well, maybe they can), and they can’t disrupt infrastructure – well, they can’t do that legally.
The U.S. government has attributed other cyber attacks to North Korea as well. In addition to WannaCry and SONY, the government and security researchers have attributed attacks on Bitcoin and other cryptocurrency networks to the DPRK and other state actors – again as a means of financing other activities, as part of what Reuters, citing a U.S. government source, called “a continued pattern of North Korea misbehaving, whether destructive cyber-attacks, hacking for financial gain, or targeting infrastructure around the globe.”
In the case of Chinese hacking, the U.S. has taken a different tack. In several cases, the U.S. has used the criminal justice system to indict alleged Chinese state actors for hacking activities which impacted U.S. computers or companies. In November 2017, the U.S. indicted three employees of Chinese security company Guangzhou Bo Yu Information Technology Company Limited (“Boyusec”) for economic espionage. This is on the heels of a May 2014 indictment of five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries. Of course, without obtaining the actual bodies of those responsible, the indictments themselves result in a Pyrrhic victory – a government-to-government shot across the bow.
A Matter of Proportion
Under the Law of Armed Conflict (LOAC), the 1949 Geneva Conventions, and implementing regulations under DoDD 5100.77 (among others), combatants should adhere to certain principles when it comes to war. These include military necessity (acts necessary to accomplish a legitimate military objective); distinction (discriminating between lawful combatant targets and noncombatants); and proportionality (using only as much force as necessary to accomplish objectives). But what is the “appropriate” or “proportionate” response to a WannaCry attack on hospitals in Great Britain? What are the appropriate targets? How can or should they be attacked? Should the U.S. Air Force bomb the North Korean cyber infrastructure? Should we launch our own DDoS attack on the Lazarus Group? Grenades lobbed at hackers?
The problem with matching cyber attacks with cyber attacks relates not only to attribution and blowback but also to target selection and collateral damage. If a state sponsor disrupts civilian infrastructure, should another state then disrupt that country’s infrastructure – including hospitals, universities, transportation, etc.? Not a lot of good options.
To paraphrase Winston Churchill, “We shall go on to the end. We shall fight in cyberspace; we shall fight on the routers and firewalls; we shall fight with growing confidence and growing strength in the WiFi; we shall defend our domain, whatever the cost may be. We shall fight on the DMZs; we shall fight on the proxies; we shall fight in the servers and in the desktops; we shall fight in the network; we shall never surrender.” Bits, sweat, and tears.
The lack of good options here almost makes you wanna cry.