Using Attribution to Deter Cyberespionage


Foreign Policy has published my article on how attribution can be used to deter foreign governments’ cyberespionage. Excerpts below:

The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China’s military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won’t help the victims of espionage, which is not regulated by international law. So if negotiation won’t work, what will? Not a strategy that relies entirely on defense. That’s like trying to end street crime by requiring pedestrians to wear body armor.

The good news is that there has been a revolution in our ability to identify cyberspies. It turns out that the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies…

But attribution is only half the battle if we want to deter cyber-espionage. The other half is retribution. Once we identify the attackers, we need to persuade them to choose another line of work. If we’re serious about stopping cyberespionage, there are plenty of tools at our disposal …

The government already uses classified information to label terrorist supporters and drug kingpins as “specially designated nationals” and to impose sanctions on them — seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. The United States even has such programs for sanctioning Belarusian kleptocrats and conflict diamond purveyors. Maybe it makes sense for Washington to use sanctions to punish misdeeds in Belarus or West Africa, but shouldn’t it first use these measures to punish people who are invading homes and offices in, you know, the United States?

It’s unclear why the president hasn’t done this already — he’s already got all the authority he needs to impose sanctions on cyber spies and their enablers. Under the International Emergency Economic Powers Act, the president could determine that cyber spying poses “an unusual and extraordinary threat” to the United States and declare it a “national emergency.” He could then publish a list of hackers who would be subject to sanctions. In keeping with past practice, he could rely heavily on classified data to make the designations — without disclosing any of it….

But punishing individual hackers is only part of the story. What if the United States applied all of these measures not just to the hackers themselves but to companies that benefit from the data they filch from U.S. networks? There’s no difference in criminal responsibility between a thief and the customer he’s stealing for. But there could be all the difference in the world between hackers who do their work from the safe environs of a protective government and the hackers’ customers, who can’t be truly successful in today’s world if they aren’t part of the global marketplace. And going global means exposing their companies, executives, and assets to the legal systems of the United States, Europe, and a host of other countries that are furious at the wholesale espionage aimed at their companies. If a few big companies in China find that having a cozy relationship with hackers means criminal prosecutions and asset seizures, they’re a lot more likely to say “Thanks, but no thanks” to offers of stolen data.

Of course, to bring those cases, the government will have to have those companies dead to rights, and so far it doesn’t. U.S. security researchers have done a great job of tracking the thieves back home. But they’ve had trouble identifying the companies who ultimately benefit from cyberspying.

That too is an attribution problem — the next one we have to solve if we want to really discourage commercial cyber-espionage. It will be difficult, but no harder than the first attribution problem looked five years ago. Given the stakes, improving cyber-attribution should be at the top of U.S. intelligence priorities. And now that private researchers have demonstrated how much attribution can be accomplished without all the resources and authorities of the CIA and NSA, those agencies should be embarrassed by their poor record to date. And they may not have much time before someone — Iran, North Korea, Hezbollah — causes a power outage or other control system failure in the United States. If they can’t tell the president who did that, the heads of those agencies will be looking for new jobs. As part of the attribution effort the United States needs for defense, it shouldn’t be that hard to identify the customers who benefit from cyber-espionage….

In recent months, the Hill has been buzzing with new ideas for identifying and punishing cyberspies and the companies that benefit from them.

At a recent hearing before the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, I testified about some of these ideas. Senators Sheldon Whitehouse (D-RI) and Lindsey Graham (R-SC) expressed particular interest in measures to impose sanctions on countries that support hackers as well as potential visa restrictions.

Another example is the Deter Cyber Theft Act (S. 884), which has been sponsored by a bipartisan group of senators that includes Senators Carl Levin (D-MI), John McCain (R-AZ), Tom Coburn (R-OK), and Jay Rockefeller (D-WV). This bill would require intelligence agencies to annually report to Congress on countries and entities that engage in cyber-espionage as well as to identify intellectual property that has been stolen as a result of hacking. It further permits the president to prevent the importation into the United States of products that are linked to foreign cyber-espionage activities, such as articles that have been manufactured using stolen IP or that have been produced by companies that have benefited from it. In short, the bill would nudge the government towards broader attribution, greater naming and shaming, and some efforts to deny companies the fruits of using stolen information.

If these measures result in the punishment of Chinese companies, there is no doubt but that China will seek to reciprocate. But once again, asymmetry is likely to complicate their task. U.S. intelligence agencies do not steal commercial secrets for U.S. companies so it will be hard for China to mirror these measures without faking the evidence. In short, a focus on the beneficiaries of commercial espionage could cause real pain for cyber spies and their customers.