The cyclic nature of cyber-attack attribution and maintaining anonymity online presents a conundrum to the security industry.
A few days ago, the Indian Congress vice-president Rahul Gandhi’s Twitter account appeared to be hacked, followed by dozens of offensive tweets being posted. Within minutes of the first hack, the Twitterati engaged in a game of ‘whodunit?’ On one hand, people accused PM Modi’s followers for the hack, and on the other, some called it a staged drama by the Congress Party. Premature at best, the accusations were baseless and lacked evidence, highlighting the challenging nature of attribution.
The most common factor leading the attribution dialogue today is the un-traceability of a cyber-attack. Attacks do not come with a return address. Tools available to obscure an attack’s origins are becoming more and more sophisticated by the day. Even if an attack can be traced to a system, there are chances of it being a deliberate misdirection.
Anonymity online is crucial for legitimate reasons, privacy at the heart of it, and also being able to voice concerns against strict government rules without reprisals, which is a basic right under any democratic government. There are sophisticated ways to maintain anonymity; you can mask your IP address, use fake accounts, virtual machines, strong encryption, etc.
Better tools for anonymity consequently lead to either lack of attribution or improper attribution on cyber-attacks. The lack of proper attribution gives way for increased cyber-attacks, consequently leading to improved techniques for better attribution from the “anti-anonymity” group. Hence, to continually thwart the efforts of anti-anonymity groups, pro-anonymity groups come up with better technological capabilities to maintain their anonymity. This shows a recurring nature between the need to fight against anonymity and the need for anonymity. The recurring nature is the status quo.
This status quo of recurring nature begs the question: Why waste time on attribution when those resources can be better spent on enhancing one’s security and capability?
In his article about attribution, Lital Asher-Dotan, the founder of cyber security company Alfa Tech, argues that the security industry spends too much time and resources in attributing cyber-attacks, which is highly inefficient. According to him “a company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks”
While I agree with Lital that attributing is highly inefficient, I disagree with the notion of not giving enough significance to attribution.
Let’s take the extreme version of this where we do not spend any time or energy into answering the “Who did it” and that time and energy is spent on enhancing security systems. The other side of this coin is that, the lack of attention to attribution leads to a counter response with increased cyber-attacks without fear of reprisals; more creative and dangerous attacks at that. The likelihood of successfully infiltrating a security system increases with disastrous consequences. So, this extreme version of scenario does not yield well.
Even if attribution may not yield to anything, it is an essential aspect of cyber-security. Eliminating attribution is not a logical option. It acts as a deterrence. Hence there is a heightened need to strike the right balance between energy spent on attribution and defending cyber-attacks, where one does not need to compromise resources from the other.
Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution