A few weeks ago it was reported that significant hacking activity had been traced to a particular building in Shanghai, and to the obscure unit of the Chinese military that occupies it. Most news accounts stressed that long-standing suspicions of Chinese official cyber assault had now been confirmed. At about the same time it was reported that the National Security Agency (NSA), which is responsible for electronic intelligence (and its cousin, the integrity of U.S. electronic systems), was to assist major U.S. companies under electronic attack by foreign entities. That was a dramatic departure from previous NSA practice. The agency is famous not only for its enormous resources, but also for its abhorrence of all publicity, to the extent that wags sometimes say that its initials stand for “No Such Agency.” The combination of the identification of the Chinese hackers and NSA assistance seems to be the public face of a new national cyber-defense strategy.
The Chinese story suggests that what had been considered impossible was now reality: computers used for cyber attack are no longer anonymous, at least when the NSA or some similarly powerful entity wants to hunt them down. For some time there have been news reports to the effect that some cyber activity has been traced to a particular geographical area. The recent report suggests even more specific localization. This development seems to be far more important than the seismic shift in the NSA’s behavior.
Tracking the Source
How might the originator of a cyber attack be localized and identified? There may be some way to measure the timing of Internet signals on a very fine scale and therefore to determine the distance between the offending computer and its victim. Although the Internet seems to offer instantaneous access to anywhere in the world, signals can travel no faster than light. Every so often there is reference to MASINT, usually expanded as measurement and signature intelligence, the science of signatures (the acronym SIGINT has already been taken). The originating computer may leave some subtle trace of itself on the digital signal it sends, which other computers resend. If that sounds impossible, remember that a ship at sea can be tracked using the Doppler shift it imposes on a satellite uplink. That is how the Argentines tracked the British fleet going down to the Falklands in 1982. That was a MASINT achievement, using something imposed on a digital signal. What counts now is that someone can tell that a cyber attack originated in a town in Ukraine rather than in, say, Wisconsin.
If indeed a cyber attack can be traced to a specific attacker, then it is possible to imagine a strategy of cyber warfare based on deterrence. Deterrence has two related aspects. One is obvious: Can the deterrer threaten something his target cares enough about? That is the question Iran raises: President Mahmoud Ahmadinejad sometimes says that he would welcome the nuclear destruction of his country, because it would hasten the birth of a new Islamic world. Is he serious? Or is he simply saying that our nuclear deterrent does not deter him? No one really knows, which is one reason why Iran is so frightening.
Usually we don’t think about the other aspect of deterrence: There has to be a return address to which the deterrent threat applies. If someone thinking about attacking us imagines he can do so anonymously, then deterrence evaporates. Drone strikes on terrorist leaders suggest that such anonymity is an illusion: There really is a price to pay for killing Americans. In this case the key to what we hope is deterrence is intelligence capable of locating terrorist leaders. Because we cannot be sure that deterrence works, we must couple it with a considerable defensive effort, and the scale of defense may force the terrorist leaders to work harder, thus becoming more visible and more subject to deterrence.
Anonymity also makes the “bomb in a suitcase” a frightening scenario. It is not so much that someone with a small portable nuclear bomb can do enormous damage, it is that he may be able to do so without risking counterattack. This kind of threat is why the United States invests heavily in nuclear intelligence, including sensing the nuclear debris generated even by underground tests like the recent one in North Korea. Given such debris, we can assign signatures to particular nuclear weapon makers. We can be reasonably confident that any bomb used against us would have an identifiable signature. Knowing that may help dissuade any government from handing bombs to terrorists. We would blame the donor as well as the perhaps more anonymous attackers.
Who to Blame?
Cyber attack sometimes seems to offer the apocalyptic promise of nuclear weapons with the anonymity of the average terrorist. No modern country can exist without relying heavily on digital systems, and it is impossible in practice to separate those systems completely from some form of Internet. A few governments, including the Chinese, have tried to create their own separate Internets, but they are still probably accessible to attackers.
Moreover, there is little confidence that a perfect defense can be erected against a determined cyber attack, any more than there was confidence during the Cold War that a perfect anti-missile shield could be erected. It is still well worthwhile to try, though, not least to raise the cost of attack and hence to limit its scope, but the underlying vulnerability remains. It seems impossible to produce a computer operating system, such as a version of Windows, that is without some subtle flaw an attacker can exploit. (That is aside from managers who famously fail to carry out security procedures they find onerous.) There are also ways to exploit individuals with special access to computer systems. That is how classical espionage works, and there is no reason to imagine that its techniques should cease to work where computers are concerned.
To make things worse, cyber operation is non-local. Once he has an Internet connection, an attacker can transmit his malicious code from anywhere in the world. One of the charms of the web, after all, is that distance loses its meaning. Email spans the globe almost instantly. The flip side of this is that everyone on the net has received spam from distant sources. Nigerian Internet scams, for example, have become so common that they are the subject of popular jokes. An attacker living in a foreign country is not subject to anyone else’s laws and law enforcement. If his government is happy that he is attacking a country it dislikes, it is unlikely to do anything to stop him. There is a reason that many computer attacks originate in Russia. That is not the same thing as government sponsorship.
Another interesting feature of cyber attack is that, at least in the past, it has not required the sort of vast resources needed, say, to build a nuclear weapon. A single clever programmer could produce something quite powerful and then apply it to an important victim. Governments can claim, and have claimed, that attacks were made by highly motivated individuals, and that they could not be considered responsible. For example, the Chinese government depends on strong nationalism to maintain its position, and from time to time ardent Chinese nationalists have attacked governments that displease them. It would be difficult or impossible to be sure that they are not simply cloaking an official attack.
However, there may be a way to separate individuals from governments. To the extent that cyber defenses work, they raise the cost of attacks. Ideally the price can be raised above what hackers are willing to pay. In that case it becomes much more practical to attempt deterrence. It seems that we are still far from that point; the prices on the market for exploitable flaws in computer systems are apparently well under $1 million.
Without any tie between act and perpetrator, it was impossible to punish major cyber attacks, such as those against the banking system and government of the Republic of Georgia, even though it is often fairly obvious who the likely culprits are. That is why the most prominent hacking group calls itself Anonymous. It clearly feels safe to exact revenge on those it feels have tried to reduce freedom on the Internet, as well as to attack others it believes deserve it. Anonymous has also claimed or threatened attacks in retaliation for what it sees as the persecution of Julian Assange, who led the Wikileaks organization.
What happens if Anonymous is no longer anonymous?
On a personal level, deterrence operates in the form of law enforcement, assuming that the hacker is in a jurisdiction subject to the laws of whomever or whatever he attacks. That is not limited to the country or government where the crime has been committed. The case of Assange suggests that many governments are glad to cooperate to stamp out Internet rebels of various stripes. It is even possible that, should cyber-attackers no longer be anonymous, some governments will prefer not to protect them despite disliking their targets. There is already a considerable history of successful prosecution of hackers.
The governmental dimension is more important. Many governments, our own included, have developed both defensive and offensive cyber arsenals. For example, according to a recent article on the market in “exploits,” which are keys to particular flaws in operating systems, the most active buyers are government agencies such as the NSA. They may reasonably argue that they cannot develop useful defenses unless they develop offensive weapons against which to test them. Otherwise their defenses are unlikely to be terribly effective. However, any government sponsoring offensive cyber activities must be aware that its most important targets can shoot back. Now at least some of them seem to know where to shoot.