The Role of Attribution in Developing Cybersecurity Norms of Behavior
Microsoft has published a paper that proposes a series of recommended ‘norms’ of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms. Most of the norms are uncontentious and self-evident – but one in particular (which is a form of ‘responsible disclosure’) is less so. Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.
From Articulation to Implementation: Enabling progress on cybersecurity norms was developed by a team led by Scott Charney, Microsoft’s Corporate Vice President for Trustworthy Computing. To be fair, this paper nowhere uses the term ‘responsible disclosure’; instead referring to ‘coordinated disclosure’ – a term Microsoft introduced in 2010. Nevertheless, the security industry will see this as a variant of ‘responsible disclosure’ as opposed to ‘full disclosure’.
Responsible versus Full has been a thorny issue since the beginning of connected computing. Advocates of responsible disclosure (which involves disclosing to the vendor only) argue that immediate and full disclosure gives attackers the ability to develop successful exploits before the vendor has a chance to fix the flaw. Full disclosure therefore exposes the user.
Defenders of full disclosure respond that this is the only way to force vendors to provide a fix in a timely manner. They claim that if researchers can find the flaw, so can criminals — and until the vendor patches the flaw, all users are potentially exposed.
Microsoft’s coordinated disclosure is a form of responsible disclosure that also allows disclosure to CERTs as well as the vendor. The bottom line remains that public disclosure should only happen after a patch has been issued. In the paper, Microsoft suggests that this should be a cyber security norm.
“Nation-state activity in cyberspace often depends upon exploitation of vulnerabilities in ICT products and services. One of the best mitigations against this risk is coordinated vulnerability disclosure… international standards driven by industry leaders set forth appropriate practices, including a five-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with ICT users after the fix is released.”
This does not address the argument for full disclosure. Indeed, if a nation-state has knowledge of a zero-day vulnerability, it has free use of that vulnerability until a patch is published. Full disclosure proponents will still argue that it is therefore their duty, if necessary, to force the vendor to fix the flaw as rapidly as is realistically possible.
David Harley, senior research fellow with ESET, supports the concept of responsible disclosure but has some doubts over its practicality. “I think we can assume that it will have no impact on those looking for vulnerabilities to exploit in the pursuit of criminal aims,” he said. He also doubts whether nation-states would wish or even be able to control the activities of their own intelligence agencies who actively seek out vulnerabilities — such agencies are unlikely to ‘disclose’ at all . “But,” he added, “we shouldn’t give up on proposing ethical and moral guidelines just because not everyone will choose to go along with them.”
Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, takes a similar view. “It’s a great idea to have some semblance of guiding principles,” he told SecurityWeek, “but the whole concept of ‘norms’ assumes that they relate to some homogeneous body guided by the same basic principles. That clearly isn’t so in cyber space.”
The Microsoft paper accepts that the disparate nature of cyber operators is a problem.
“The impact of cybersecurity norms depends on whether they are implemented faithfully and whether violators are held accountable.” This accountability provides the second major thrust of Charney’s argument: that serious cyber attacks must be publicly attributable to specific cyber attackers, whether they be straightforward criminal gangs, or nation-states or their proxies.
Attribution is difficult. Charney’s suggestion is that an independent, international body of public and private sector experts be given the task.
“We propose a public-private forum to address attribution of severe cyber attacks that would involve a globally-diverse group of technical experts, subject to peer review,” Charney wrote in a blog post.
“In sum,” says the paper, “having a public/private international body might be a highly constructive way to validate whether norms are being adhered to and may help create a more stable cyberspace in the future.”
But many in the security industry have their doubts.
“It’s a bit naive,” suggests Kaspersky’s Guerrero-Saade. “Consider false flags,” he said. “There are many indicators that can be faked; there are many that are being faked — it is easy to replicate a lot of the data that is being put out there. For example, one team could use the same infrastructure as another team, which would allow one nation-state to pretend to be a different one specifically to cause an international incident.”
The problem for Guerrero-Saade and many other security researchers is that while the advantages of accurate attribution are clear, the ability to accurately attribute is not. In 2013 Mandiant (now part of FireEye) famously attributed the gang known as APT1 and its attacks to the Chinese military — but still declined to comment on Charney’s paper.
“Attribution is more art than science,” F-Secure’s Sean Sullivan told SecurityWeek. “So there should always be doubt about such analysis. But it doesn’t mean it isn’t correct.”
Harley points out, “Many of the researchers who are best qualified to consider attribution are all too aware of the difficulties and pitfalls of establishing correct attribution in cases where an attacker has expended as much effort into misdirection as he has into developing the core attack technology. As the Microsoft paper acknowledges, there may be compelling reasons for not talking about attribution even when it’s considered ‘proven’.”
Although there is some common concern over the disclosure and attribution parts of this paper, it would be wrong to say that the security industry rejects Microsoft’s ‘norms’ completely. Andy Patel, security advisor at F-Secure, suggests, “It would definitely make sense for the community to work together on attribution. Not only would it allow for better sharing by TTPs, it would likely lead to more accurate results.”
Jiri Setjko, Director of Threat Lab Operations at Avast, commented: “The main benefit I see is the norm which states that global ICT companies should not allow backdoors or leave vulnerabilities unpatched for nation-states to abuse. Avast is a global company and we do not condone backdoors.”