Strategic Cybersecurity, Module 9: Problems of Identity and Attribution.
This lecture discusses the problem of determining identity and attribution on the Internet. References are made to such events as “GhostNet” and Russia’s meddling in the 2016 U.S. presidential election via social media.
Once you have completed the readings, lecture, activity, and assessment, you will be able to:
- Compare and contrast cybercrime attribution with attribution in traditional crime.
- Articulate three common problems or issues with determining cybercrime attribution.
Welcome to Strategic Cybersecurity, Module 9. In this module, we will discuss the problem of determining identity and attribution on the Internet.
The readings for this module describe how the Domain Name System, or DNS, essentially translates domain names into IP addresses. This eliminates the need to remember long strings of numbers for all the web pages we visit.
As Rosenzweig notes, the DNS-addressing function is a three-way process. Someone registers a domain name, which subsequently must be hosted on a server and is then located by its association with an IP address. As was pointed out, problems occur when nefarious actors such as terrorists or criminals with the desire for anonymity register a domain using a shell company or fake persona. This, of course, can make tracing of their true identities extremely difficult.
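To make the “translation” step concrete, the following Python script is an added example and is not part of the lecture or its readings. It builds a DNS response message in wire format for a constructed query and then parses it back, recovering the name and the IP addresses in the answer section. The domain example.com and the addresses 192.0.2.10 and 192.0.2.11 are reserved documentation values, not real infrastructure. Note what the parsed answer does and does not tell an investigator: it yields an IP address, but nothing about who registered the name or who operates the server behind that address, which is exactly why the registration and hosting steps matter for attribution.

```python
"""Build and parse a minimal DNS response (RFC 1035 wire format).

Added example: the message below is constructed in code, not captured
from a network, and uses documentation-reserved names and addresses.
"""
import struct


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txn_id, qname, addresses, ttl=300):
    """Construct a standard response with one A-record question and N answers.

    Flags 0x8180 = response, recursion desired + available, no error.
    Answer names use a compression pointer (0xC00C) back to the question
    name at offset 12, as real resolvers do.
    """
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 16:  # guard against a malicious pointer loop
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections; A records become dotted quads."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        # Only the A record is rendered; other types are kept as raw hex.
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txn_id, "rcode": flags & 0xF, "questions": questions, "answers": answers}


if __name__ == "__main__":
    # Constructed sample: example.com resolving to two documentation addresses.
    wire = build_response(0x1234, "example.com", ["192.0.2.10", "192.0.2.11"])
    result = parse_response(wire)
    for rr in result["answers"]:
        # The record gives an address, not a registrant or an operator.
        print(f"{rr['name']} -> {rr['data']} (ttl {rr['ttl']})")
```

Running the script prints the name-to-address mappings the resolver would hand back. Following the trail further (who registered the name, who rents the server at that address) requires registrar records and hosting-provider cooperation, which is where shell companies and fake personas break the chain.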
Depending on a hacker's level of sophistication, backtracking unlawful intrusions into computer networks may be extremely laborious. Recall the story of GhostNet from your previous readings. GhostNet was a cyber espionage intrusion set discovered in 2009 and used to spy on offices associated with the Dalai Lama and various countries' embassies.
The GhostNet malware appears to have entered targeted computer systems through socially engineered phishing emails. Once downloaded, the malware used a remote access tool that allowed nearly complete access to compromised computers.
The Information Warfare Monitor Group, a Canadian cybersecurity firm, spent nearly a year tracking GhostNet before finally determining its origin: servers on China's Hainan Island, home to the headquarters of China's Signals Intelligence Agency.
Time and Resources
This story highlights the vast time and resources required to trace intrusions back to their original source, especially if someone is motivated to prevent attribution. Most individuals or companies do not have the time or money to investigate an intrusion into their computer systems, particularly if the intrusion is from a sophisticated cyber actor.
More recently, recall, again, Russia's meddling in the 2016 U.S. presidential election. Nearly a year passed after that election before social media firms, such as Facebook and Twitter, were able to determine that numerous organizational pages created on their sites were purchased by Russian actors.
Many of the accounts were meant to polarize the American public and potentially create chaos in the country. Two examples of such accounts were a “Defend the 2nd” page for gun rights supporters and an “LGBT United” page for gay rights activists: pages for two issues known to polarize the American public.
FBI investigators have determined that these two groups, and possibly hundreds more, were part of a sophisticated disinformation campaign linked to the Internet Research Agency, a company in St. Petersburg, Russia, known to be a front for the KGB.
Internet Political Discourse
Most western democracies possess a slight libertarian streak regarding the ability to hide one's identity on the Internet, but authoritarian countries like China have little appetite for it. In fact, in 2012, the Chinese government issued new rules requiring all Internet users to provide their real names to Internet service providers.
The belief was that these rules would help the government identify and clamp down on Internet political discourse contrary to that approved by the Chinese Communist Party.
Because of First and Fourth Amendment protections, we will likely never have such strict registration requirements in the United States.
However, some type of arrangement must eventually be investigated, as the problems associated with identity obfuscation on the Internet are likely to only get worse. We will probably never know if the Russian intrusions into the 2016 U.S. presidential election really influenced how people voted and thus affected the outcome of the election.
What we do know, however, is that the ability to quickly determine the identity of actors, especially nefarious actors, on the Internet is extremely important, as evidenced by the examples just noted.
But it is not just nation-state actors who are motivated to evade attribution in order to spy on adversaries or sow chaos in democratic elections. We must also be concerned with criminal actors who evade attribution in order to target individuals for specific crimes. We will consider this in the next module.
Quiz Question 1: Determining attribution in traditional crimes is made easier by the fact that, as opposed to cyber crimes, criminals are generally in close proximity to the crime scene.
The answer is True.
Quiz Question 2: Which of the following is not considered a common problem with determining attribution in cyber crimes?
A: Determining attribution can become a matter of having sufficient financial resources.
B: Cybercriminals are generally not in close proximity to their crimes.
C: Cybercriminals are generally only interested in social justice concerns.
D: Many cyber crimes are committed by criminals in foreign jurisdictions, making it difficult to investigate.
The answer is C: Cybercriminals are generally only interested in social justice concerns.
The activity for this module asks that you find a friend or family member who has been the victim of a phishing attack or other cybercrime.
This could be you. Ask them how the attack occurred, via malware inside an email or ads placed on social media, and how they responded. Were any signs present of who was orchestrating the crime? What would your advice to others be to avoid future attacks or crimes?