Category Archives: Emerging Technology

Attribution in Cyber Attacks is Difficult, But Not Impossible

The recent media attention surrounding Google’s admission that actors originating from China attacked its network highlights an apparent problem plaguing any cyber defense posture. In the aftermath of Google’s announcements, commentators and experts alike lamented the difficulty of directly attributing the attacks to the Chinese military or its government. Conventional wisdom dictates that it is nearly impossible to attribute a cyber attack to its author. According to this school of thought, the open nature of the Internet allows an attacker to spoof their IP address and obfuscate their identity by routing through a series of proxy servers or by utilizing a botnet. Further, it is believed that even with the technical capacity to accurately trace the origin of an attack, it is impossible with current technology to know who is at the keyboard executing the attack.

As the attribution problem is central to a number of vexing cyber security predicaments, it is important to study and validate the assumption that attribution is nearly impossible. While it is technically difficult to trace the origin of an attack through a confusing maze of proxy servers or infected bots, attribution is not solely dependent on the technology needed to identify an accurate IP address.

A number of other technical and non-technical data points can help identify the source of an attack. For example, if the source of an attack is a bot, investigators can attempt to identify who wrote the bot code and who currently controls the bot. In the summer of 2008 a large botnet was used to launch DDoS attacks against targets in Georgia. While the use of a botnet appeared to complicate the task of identifying those responsible for the attack, a closer examination revealed that the botnet used during the attack was known as “Machbot”. According to Arbor Networks’ Danny McPherson, “Machbot is primarily a Web-based Russian DDOS botnet written in Russian, used by several different groups, but not widely available.” While the identification of the botnet used for the attacks on Georgia does not provide irrefutable proof of Russia’s responsibility for the attacks, it certainly does provide compelling evidence that Russian nationalist hackers, and possibly the Russian government, were involved in these attacks.

Additionally, analyzing the attacker’s target may help reveal his or her identity. The target of the attack reveals information about the intentions of the attacker and can therefore aid in attribution. Returning to the example of the cyber attacks against Georgia, the corresponding physical conflict between Russian and Georgian troops in South Ossetia led many analysts to suspect that Russian nationalist hackers, possibly at the direction of the Russian government, were responsible for the DDoS attacks against Georgian websites.

Finally, patient and clever cyber intelligence gathering can reveal a tremendous amount of information about the individuals or entities responsible for an attack. After the presence of the Ghostnet cyber espionage network was revealed by the Citizen Lab at the University of Toronto, Heike and Jumper from the Dark Visitor blog demonstrated that patient cyber intelligence gathering can aid in attribution. Specifically, via clever analysis of whois registration data and patient trolling of Chinese hacker forums, Heike and Jumper were able to identify at least one individual believed to be responsible for the Ghostnet cyber espionage network.
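To make the registration-data pivot concrete, here is an added example; it is not code from the original post or from the Dark Visitor researchers. It takes a handful of constructed WHOIS-style records and links domains that share a registrant e-mail, registrant name or name server, while ignoring values that are too common to discriminate between registrants (a privacy-proxy address, a redacted name, a large registrar's default name server). The field names, the noise list and every record are assumptions made up for illustration; the point is the technique, not the data.

```python
"""Infrastructure pivoting on WHOIS-style registration data.

Added example, not from the original post. Domains that share a
discriminating registration value (registrant e-mail, registrant name
or name server) are joined into one cluster with a union-find; each
join is recorded so an analyst can see *why* two domains were linked.
"""
from collections import defaultdict

# Constructed sample records (hypothetical field names, not real registry data).
RECORDS = [
    {"domain": "update-check.example",   "email": "ops1@mail.example",     "name": "J. Doe",   "ns": "ns1.host-a.example"},
    {"domain": "cdn-static.example",     "email": "ops1@mail.example",     "name": "Jane D.",  "ns": "ns1.host-b.example"},
    {"domain": "news-mirror.example",    "email": "privacy@proxy.example", "name": "REDACTED", "ns": "ns1.host-b.example"},
    {"domain": "unrelated-shop.example", "email": "privacy@proxy.example", "name": "REDACTED", "ns": "ns1.bigregistrar.example"},
    {"domain": "other-store.example",    "email": "shop@other.example",    "name": "A. Smith", "ns": "ns1.bigregistrar.example"},
]

PIVOT_FIELDS = ("email", "name", "ns")

# Values shared by so many unrelated registrants that they carry no signal.
# Assumed for this example; in practice this list is built from frequency data.
NOISE = {
    "email": {"privacy@proxy.example"},
    "name": {"REDACTED"},
    "ns": {"ns1.bigregistrar.example"},
}


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_domains(records, noise=NOISE):
    """Return (clusters, edges).

    clusters: list of sorted domain lists, largest first.
    edges:    (domain_a, domain_b, field, value) for every shared value that
              caused a link, so each cluster is explainable.
    """
    parent = {r["domain"]: r["domain"] for r in records}
    seen = defaultdict(list)  # (field, value) -> domains already carrying it
    edges = []
    for r in records:
        for field in PIVOT_FIELDS:
            value = r[field]
            if value in noise.get(field, set()):
                continue  # too common to be evidence of a shared operator
            for other in seen[(field, value)]:
                edges.append((other, r["domain"], field, value))
                ra, rb = _find(parent, other), _find(parent, r["domain"])
                if ra != rb:
                    parent[rb] = ra
            seen[(field, value)].append(r["domain"])

    groups = defaultdict(list)
    for d in parent:
        groups[_find(parent, d)].append(d)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
    return clusters, edges


if __name__ == "__main__":
    clusters, edges = cluster_domains(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, field, value in edges:
        print(f"  {a} <-> {b} via {field}={value}")
    # Without the noise filter every domain collapses into one cluster,
    # which is exactly the false linkage a privacy proxy or shared registrar causes.
    print("clusters without noise filter:", len(cluster_domains(RECORDS, noise={})[0]))
```

With the noise filter the three operationally linked domains form one cluster and the two shop domains stay separate; without it, the privacy-proxy address and the big registrar's name server glue all five together. That second run is the caveat a practitioner should keep in mind: a shared value is only evidence when few registrants share it.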

In short, it is vitally important to understand that attribution is difficult, but not impossible. There may not be fancy technology that can discover the origination point of an attack and identify the individual at the keyboard. However, through patience and old-school detective work it is possible to identify the hackers, criminals, spies, or terrorists responsible for a cyber attack.

How the Rise of Social Media Transformed Disaster Response in Haiti

When the earthquake struck Haiti this January, a number of actors were quick to respond: government organizations, NGOs, IGOs, and foreign militaries. They had a difficult time coordinating efforts, but nonetheless different organizations found ways to contribute, the US military leading the way in opening sea lanes and airports, among other efforts. The initial relief effort in Haiti was a product of more global activism and funding than any other disaster relief initiative in human history.

And, for some reason, it wasn’t surprising. To me anyway. Thinking back to other recent natural catastrophes, including the 2004 Indian Ocean tsunami, the 2008 Sichuan earthquake, and even Katrina, none of them seemed so fully covered by the news, and more importantly none seemed to galvanize support so quickly as this one. Surely the US would have been quicker to mobilize a relief effort for its own citizens in New Orleans than to mobilize one for a foreign country, however close that country may be.

It must have been something else which expedited the relief effort. Maybe in the case of the US it was partially a sense that it had to make up for its abysmal response to Katrina five years ago. More significantly, I think, it was the rise of social media that accelerated the global response effort. Social media existed during other recent major natural disasters, but their rapidly growing usage likely surpassed some sort of tipping point, enabling them to substantially change the way we execute disaster relief. Listed below are five ways in which social media aided or altered the disaster relief effort, including both the civilian and the military side:

Social media may have changed disaster relief forever. Future natural disaster relief efforts will likely continue to feature similar response initiatives as social media continue to develop and expand, and continue to supply new avenues for relief. Of course, Haiti’s proximity to the US may be what actually allowed the social media disaster relief revolution to take place; the US is a nexus for social media, a highly modernized country, and one with a vast collection of relief organizations. Likewise, a similarly monumental social media relief effort would be likely to take place near, say, France or Japan, but less likely in sub-Saharan Africa. In this way, social media’s impact on natural disaster relief efforts may continue to increase on average in the future, but will likely be affected by other variables.

While social media are certainly able to expedite and improve humanitarian relief efforts, there is a wide range of goals they cannot accomplish. They increased a sense of immediacy in responding to the earthquake in Haiti, but that did not necessarily equate to a substantial impact. Social media may have significantly lowered what would have been a much higher casualty count (in an area characterized by poverty and urban slum sprawl), but we cannot know for certain. More sophisticated coordination among relief organizations likely could have improved relief efforts in ways that technology could not; whether social media can assist in developing this sort of coordination is questionable.

Haiti will continue to have problems. Separations in families, destroyed infrastructure, and a lack of security will continue to torment those in the region affected by the earthquake, not to mention that Haiti is Haiti: a country consistently ranked among the 15 worst failed states, poorer than all other nations in the western hemisphere, and continually afflicted by violence, including a successful military coup against the ruling power as recently as 2004. What will it take for Haiti to finally recover from the earthquake, let alone the problems that afflicted it before the earthquake, even aside from the hurricanes that barrage it every summer?

But the world’s experiences in disaster relief in Haiti will hopefully enable us to be more successful at disaster relief in the future. We learned that social media enable us to respond to disasters more quickly, and to sustain response initiatives longer. We learned that social media enable anyone to participate in relief efforts from anywhere in the world. We learned that however important social media are to disaster relief efforts, there are many tasks they cannot accomplish on their own. To be more effective in the future, we must continue to increase our capacity to leverage social media, but more importantly we must find more effective ways to organize relief efforts among government organizations, militaries, IGOs, and NGOs.

FEMA was bolstered after our failures in the Katrina effort. Perhaps now the US should build up a new administration, whether through USAID, CIDI, or a version of FEMA, dedicated directly to coordinating natural disaster response initiatives, via some combination of Red Cross, emergency management, international development, and military personnel. This sort of command would hopefully improve interagency coordination and task delegation within the US, though these ideals have never been a strong suit of US bureaucracy. Furthermore, any such initiative would still fall short of addressing the greater question: how can we better coordinate alongside foreign relief efforts? Would the US oblige itself to take the lead on every major disaster initiative? Some say yes; we already do by default. But what about other humanitarian crises, including ethnic conflict, slavery, civil war, and genocide? The 21st century experiences no shortage of these, and somehow the rest of the world, including the US, continues to function as normal.

Social media have a broad capacity to improve natural disaster relief initiatives. Do they have a capacity to improve coordination among civilian organizations and military commands within disaster relief operations? Results so far are not encouraging. And disaster relief could use the help.


The Uneasy Line Between Terrorist and Citizen: Who is Protected?

A few weeks ago Director of National Intelligence Dennis Blair spoke to the House Intelligence Committee on the issue of targeting US citizens abroad.

For years, the “hunt and destroy” nature of US counterterrorism efforts overseas has drawn criticism from some who consider the tactic a form of targeted assassination rather than lawful warfare. But the stigma around the use of this tactic becomes even more complicated as the number of US citizens traveling abroad to engage in terrorist activities increases.

Director Blair’s comments came on the heels of what was, at the time, thought to be a fatal airstrike on Yemeni cleric Anwar al-Awlaki. Al-Awlaki is of Yemeni descent, but was born in the US and therefore holds US citizenship. He has spent time both in the US and abroad as an imam and has ties to some of the 9/11 hijackers and to Nidal Malik Hasan. The FBI has labeled him a “senior al-Qaeda recruiter.”

Blair’s intent was to calm the committee and citizens. The US will not indiscriminately target US citizens — only those who are really terrorists. He specifically sought to pacify objectors by mentioning that the DoD and all US agencies “follow a set of defined policy and legal procedures that are very carefully observed.” They have to ask permission.

Unlike many people, my objection to Blair’s comments does not lie in the fact that the US government can target a US citizen abroad who is engaged in terrorist activities. It lies in a deep-rooted concern that we have begun to stratify “citizenship.” Viscerally, a Yemeni man who happens to be born in New York but moves back to Yemen at age 2 and becomes the leader of a large terrorist cell is a very different type of citizen from a man who owns a ranch in Kansas and has lived in the same house for 60 years. And it does seem sensible to give one more due process than the other. But that is a very, very dangerous road to walk down.

In a case less clear than al-Awlaki’s, the current system would be particularly troubling. At some point along the chain of targeting requests someone will make a decision, and that decision will effectively be made by asking the following question: “is this person enough of a US citizen to protect?”

What person or process is capable of making that decision?