
We will no longer sit back and take cybercrime and cyberattacks on the chin, says the UK government. Instead it wants to hit back. Fine words, but I have my doubts.
Putting its money where its mouth is, it pledged to spend , allowing it to at criminal gangs and nation state-backed hackers who commit cybercrime or attack critical infrastructure such as hospitals, power grids and air traffic control systems.
This provoked triumphant headlines declaring ““. The underlying message was that intelligence services could now reliably trace attack routes, locate the sources and, as one newspaper had it, hit an attacking nation’s power grids and ground their planes in return.
Advertisement
Indeed, so assured was the message in these reports that I wondered if I had somehow missed a major breakthrough in cybersecurity technology.
So I asked Jay Abbott, managing director of Falanx Cyber Defence in London, if the long-standing problem of attributing a cyberattack has finally been solved.
“In short, hell no,” says Abbott, who also helps oversee the , a series of hacker “war games” designed to spot talent for the nation’s intelligence and security sector.
Politician’s answer
, an information security specialist at Norwich University, Vermont, agrees. “Attribution is not a solved problem,” he says, adding that it merely suits some governments to say so when it fits their political narrative.
Identifying the source of an internet-based attack is difficult for historical reasons. The internet was designed during the cold war to be a resilient means of communication, with the mass damage of nuclear weapons in mind. In the event that part of the network is destroyed, internet messages – which include a source and destination address – can reroute themselves around the damage and still reach their target.
It is this ability to take alternate routes that makes tracking a cyberattack so difficult: it does not necessarily originate from where it appears to be coming from. So mounting cyberattacks that cross multiple countries using multiple routes and using spoof addresses results in significant confusion. Attackers can effectively hide the source of an attack. As a result, it is still remarkably easy to hide in plain sight on the internet.
Intelligent inferences
What is needed for full attribution is to reverse-engineer the entire path an attack takes. And that, says Bilar, verges on the impossible: “You need very quick coordination and the cooperation of many cross-jurisdictional law enforcement bodies to do that.” As well as technical problems, that poses legal and diplomatic ones.
This is not to say that technology won’t ultimately find a way. But for now, attribution requires intelligent inferences based on, for instance, factors like the political climate and the likely time zones the hackers seem to be working in. In other words, it is guesswork.
So until some all-seeing technology is available to cyberdefenders, it remains a fiction for any government to claim it can strike back at will.