The Problem Of Attribution Of Cyber Attacks

In some sense, cyber attacks are no different from physical world attacks;  in other ways, they are completely different.

Let’s assume that you did not physically catch some bad guys that broke into a building.  Do you know who broke in?  On rare occasions they leave something behind – there have been instances so rare that they make the news –  where a perpetrator drops a wallet or ID card behind.  Even then, how do you know the wallet that was dropped wasn’t stolen and then dropped?   Sometimes the police get a lead, find that person and they still have the stolen stuff – that’s pretty conclusive.  What if what was stolen was money?  You can’t say “that $20 bill over there looks like mine”.  Most of the time, you can rule out people who don’t live nearby.  It is reasonable to assume – and it is an assumption  – that someone is not going to travel from India to break into your house and steal your TV – the economics don’t work.

Cyber attacks are different.  It could be anyone with access to an Internet connection.  That narrows it down to say 2-3 billion people.  Easy job.  Since it is no harder to launch an attack on your company from 5,000 miles away than it is to launch it from 5 feet away, you can’t rule out anyone.

There are stupid cyber attacks just like there are stupid burglars, but in both cases they are likely to get caught, so I will dismiss those attacks.

The reason attribution is so important is that we want to catch the attackers.  If we cannot attribute the attack, it is hard to go after them.

The case in point is the Sony attack.  The FBI, based on forensic evidence, says it came from North Korea and it was sponsored by the North Korean government.  North Korea denies it.  Other people say it was Russia.  Still others say it was some former disgruntled Sony employees.  Others say it was a combination.  The U.S. decided to retaliate against North Korea because we don’t like them anyway, but in reality, the evidence is circumstantial.

Could some Russian hackers have reused  Korean code and servers?  Could the Russian government have paid North Korean hackers?  Were they even in North Korea?  Some people say the attackers were in Japan.

Since we don’t like North Korea anyway, it really is no big deal to us if we mis-attribute the attack to them, but what if the attack originated someplace else?  The FBI gets to claim credit, sort of (no one gets charged with a crime, gets convicted or spends time in jail). From what has been released to the media, we really don’t know who the actual attackers are.  If the attackers were in a country that we have a better relationship with, say Germany, we would be unlikely to issue sanctions against it.  And, issuing sanctions doesn’t hurt the hackers – they go on their merry way.

The bottom line is that just like some murders are not solved, some cyber crimes are not solved either.  The difference is the percentage.  Especially for smaller cyber attacks, the police don’t have the resources to follow up on the attacks (they are not likely to fly to Ukraine to check up on a lead and the Ukrainian police have other things to do that are more important to them).  The reality is that many, if not most, cyber attacks are not solved.

If you have the right kind of cyber insurance it will help lessen the financial impact, but don’t count on the attackers being caught.  It just doesn’t happen very often.  Even for high profile attacks.  Have the Target attackers been caught?  What about the Home Depot attackers?  What about the J.P. Morgan Chase hackers?  Given that, how likely is it that the hacker that broke into some small or medium size business will be caught?  And, even if they are, then what?  Likely, they don’t have the money to pay for your damages.  And, that won’t repair your reputation.

In this sense, cyber attacks are quite different from physical attacks.  If someone steals your car and you have the right kind of insurance, you get a replacement car.  Yes, there is some hassle and time, but overall, it is pretty clean.  And, other than the few people you tell about it, no one knows about it.  And unless you left your key in the car, your reputation isn’t tarnished.

If someone takes down your website or defaces it or steals your customer data, it is much harder to hide the fact.  In most states, you are required by law to tell your customers, who tell the media, who tell the world.  It is also much harder to be made whole again.  Damage to your reputation is very difficult to repair.

You can hope that the hackers pass over you or you can spend some time and effort making it harder for them.  That time and effort could improve the odds that the hackers will look for an easier target.

Remember, while the attack on Target was annoying, an attack on your home or business gets personal really quickly.