In a recent column at SecurityFocus, cyber intelligence expert Jeffrey Carr discusses the difficulties that researchers face when trying to determine the origin of attacks conducted over the internet. The problem is simple: there are lots of reports claiming attacks on important infrastructure that are “supposedly” coming from Chinese or Russian hackers. But because they might just as well be coming from hacked systems in China that are being operated from within a completely different country, there is no way to prove this.
Jeffrey proposes what, at first glance, seems to be a reasonable way to solve this:
One way to improve our ability to attribute attacks is to require that ISPs and nations exercise greater control. A recent breakfast conversation with a colleague on this topic resulted in what I think is a great way to assign attribution: Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.
In the case of airspace and territorial waters, enforcement is by international treaty. Perhaps one solution is to add cyberspace to this body of law as a fourth environment after air, land, and sea. There are penalties for violating a nation’s airspace. It seems logical to apply those penalties to cyberspace as well.
The problem with this proposal is that securing all internet traffic originating in your country is in no way comparable to supervising sea or air traffic. The volume of traffic is so enormous that the only way to really solve this would be to push the responsibility all the way down to individual computers; but there have been campaigns dedicated to improving security awareness for years with no visible results whatsoever.
The other extreme, filtering all traffic as it crosses borders, is already being tried. The ironic thing is that this is being done in the country that most hacks are attributed to: China! I’m sure that if there were real, government-sponsored hackers, the government would arrange for them to work from machines outside the country, so it appears as though even with the enormous resources China has, it is impossible to filter all traffic nationwide.
While I agree that the problem of attribution of attacks is a real one that needs to be solved, I doubt simply designating Internet security as a national issue will do anything to fix this. As can be seen in China, even the best firewalls and harshest penalties will not deter hackers or secure a single PC.
Fortunately, the most pressing problem today is not individual hackers, but the large botnets that have the capability to DDoS any system off the internet, and are responsible for massive amounts of spam. These typically rely on a (relatively) centralized command-and-control network; international cooperation to help track down the people who operate these will go a long way towards improving online safety. And even if it’s not possible to track down the operators directly, there is always the money trail they’re leaving behind. Ultimately, any botnet operator wants to make money, either by extortion or by selling spamvertized products. It shouldn’t be too hard to follow the money that is transferred, given some minimal international cooperation.