invoked to condemn the actions of China and other nations–nothing comparable addresses digital pillaging that victimizes targets in the realms of politics, business, and human rights. “Cyber crime is morphing into cyber espionage because of the absence of restraints at a global level,” says Ronald Deibert, who helped lead the espionage research as director of the Citizen Lab, a research outpost at the University of Toronto. “Having a treaty would help hold governments accountable. You can say: ‘Here’s the treaty, and China, you aren’t playing by the rules–but you signed it.’ ” (See “Militarizing Cyberspace,” Notebooks, p 12.) Meanwhile, it’s safe to assume the worst about the prevalence of cyber espionage. “We need to look at this as one small window into a much wider problem,” he says. “We kind of dipped our finger into a pool here.”
Then much of Estonia’s Internet was shut down by a series of cyber attacks. The difficulty of attributing those attacks highlights a need for new technologies and expanded international agreements.
Who Did It?
On the morning of April 27, 2007, the Estonian government, over protests from Russia, began moving a bronze statue of a Soviet soldier that had originally been installed in the capital city of Tallinn to commemorate World War II dead. The 300,000 ethnic Russians living in Estonia were furious. Not long after, Internet attacks began. Botnets targeted Estonian newspapers, telecoms, banks, and government sites. The nation’s network was besieged for weeks. Russia seemed the obvious culprit: its government had warned that removing the statue would be “disastrous.”
If you were watching Estonian network traffic during the attacks, you would have seen bot armies advancing from the United States, Egypt, Peru, and other countries. But closer inspection revealed that many of the bots were taking orders from computers in Russia (and instructions on how to flood Estonian websites with useless “pings” spread in Russia-based online chat rooms). Still, it was impossible to determine whether the Russian government itself was directing the hostile activities. Russia denied responsibility but refused to allow any forensic analysis of its networks.
In short, there was no easy way to attribute the attack. In a world that countenances the prospect of cyber war, situations like that are among the biggest problems that nations face, but certainly not the only ones. If a network breach aimed at espionage can’t readily be distinguished from one that is a prelude to attack, it’s hard to know when a counterattack is justified. Neither is there any way to conduct inspections for cyber weapons, measure their potential yield, or certify that they’ve been destroyed. When the Senate pressed General Alexander, the new head of U.S. Cyber Command, to explain how the United States would deal with these issues, his responses were classified. “The entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency,” Richard Clarke, the former counterterrorism czar, writes in his new book, Cyber War: The Next Threat to National Security and What to Do About It.
But the implications of the attribution problem are clear enough. An attack on one NATO nation obligates other NATO members to join the fight, points out Michael Schmitt, a dean and professor of international law at the George C. Marshall European Center for Security Studies in Germany. Getting it wrong would be a disaster. “This isn’t a situation where you can think the other side attacked,” he says. “You have to know. As we learned recently, you need to get the evidence right when you go to war.” And in the case of a cyber threat, a government could easily misjudge its source, since Internet addresses can be concealed or faked. “I’m terrified that you attribute to a state wrongly,” Schmitt says.
Over the long term, proposed technological fixes could address this problem. Research groups at Georgia Tech, the University of California, San Diego, the University of Washington, and other institutions are working on ways to establish the provenance of data. In an approach being developed by researchers at San Diego and the University of Washington, the identity of the original computer that issued a packet of data would stay attached to that data, in encrypted form. The digital “key” to this identity would be held by a trusted third party–perhaps accessible only by court order. “All the instruments of national power, ranging from diplomatic to military force to economic influence, are pretty worthless if you can’t attribute who mounted an attack,” says Stefan Savage, a computer scientist at the University of California, San Diego, who is developing the technology. But while the technology can potentially tell you the identity