«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»
2011 / Untangling Attribution

the levels of the hierarchy. Several commercial services now exist that provide the function of mapping an IP address to an approximate location.31 These services are designed to meet a number of customer needs, as their advertising suggests, including customization of Web content to different classes of customers and regulatory compliance. These services compete to provide accurate location information and advertise their precision in their marketing information. Various firms claim that 99-99.9% of IP addresses can be accurately localized to within a country, and that 90% can be accurately localized to within a state, city, or other similar region.32 These services are used today by commercial Web content providers to localize their content to the presumed location of the user (e.g., to pick the right language), or in some cases, to block access to certain content based on the presumed locus (with respect to a jurisdiction), such as the blocking of Nazi memorabilia auctions to customers in France.33 They are designed to work in real-time (as part of processing a Web query), and can provide a rich, if approximate, mapping from IP address to other attributes.
The issue with many of these tools is that since the mapping is approximate, there is some degree of "plausible deniability" to assertions of responsibility. There have been proposals to "harden" the linkage between IP address and other information. For example, several countries put forward a proposal to the International Telecommunications Union (ITU) that as part of the conversion of the Internet from IPv4 to IPv6,34 addresses should be first allocated to states, which would then allocate them to the relevant private-sector actors. This would mean that the linkage from IP address to jurisdiction would be robust,35 and that it would be possible, for example, for the Chinese government to be certain where downloaded material, whether software stolen from U.S. companies or human-rights information from U.S. organizations, was going.

31 See, e.g., MaxMind GeoIP Databases, MAXMIND, http://www.maxmind.com/app/cit (last visited Feb. 18, 2011); Our Technology, NetAcuity IP Intelligence: Paving the Way to Deeper Online Connections, DIGITAL ELEMENT, http://www.digitalelement.com/our_technology/our_technology.html (last visited Feb. 18, 2011); Services: We Make High-Volume Transactions Seamless, QUOVA: KNOW WHERE, http://www.quova.com/what/services/ (last visited Feb. 18, 2011).

32 For example, the MaxMind service cited above states that it is "99.8% accurate on a country level, 90% accurate on a state level, 83% accurate for the US within a 25 mile radius." Id.

33 For a discussion of the French litigation to block the sale of Nazi memorabilia in their country, see JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 1-6 (2006).

34 The addresses currently used in the Internet, called IPv4 addresses, are not sufficiently large to deal with the growing size of the Internet. To deal with all the devices that are anticipated to be attached in the future, a new and larger set of addresses, called IPv6 addresses, has been designed. A transition from IPv4 to IPv6 is now beginning.

Harvard National Security Journal / Vol. 2
Of course, the transition from IPv4 to IPv6 is only one of the changes that may occur to the Internet over the coming years. A more dramatic change might be the introduction of a virtualized network infrastructure, which would permit multiple simultaneous networks to coexist, each with its own approach to attribution.36 A future network that provides an information dissemination and retrieval service as part of its core function would imply some sort of binding between user and information that would be visible "in the network." We believe that our general conclusions will apply across a range of possible future network designs: the linkage between machine-level attribution and higher-level attribution (e.g., personal) will be a jurisdictional policy matter, not just a technical matter, and mechanisms for attribution must balance a range of policy objectives, not just focus on deterrence.
It turns out that timing - whether one is attempting to protect against a bad situation from developing, stopping an attack in its tracks, or investigating an exploitation after it has occurred - affects the methods one uses in handling the problem. Thus it is useful to consider attribution from these various vantage points.
35 There is some disagreement as to whether the original proposal was for some or all IPv6 addresses to be allocated to countries. For a 2004 statement that makes clear that the proposal was only for some addresses to be allocated in this way, see H. ZHAO, INT'L TELECOMM. UNION, WORKING GROUP ON WORLD SUMMIT ON INFORMATION SOCIETY, ITU AND INTERNET GOVERNANCE 8-9 (2004), available at www.itu.int/ITU-T/tsbdirector/itut-wsis/files/zhao-netov02.doc.
36 One way to understand virtualization is to continue the analogy to delivery of letters and postcards. Instead of using separate physical trucks for different delivery services - the postal service, UPS, FedEx, and so on - the various providers could decide to have one physical fleet of trucks that is "virtualized," in other words shared among all the providers. Each truck would follow only one physical route, but the different services might have different formats for addresses. Of course, to complete the "virtualization," not only would the space inside the truck be shared, but the truck would cleverly change the logo on the side as needed so it always had the correct branding to the customer. Each delivery company would have a "virtual truck" driving down the street.
1. Before the Fact: Prevention or Degradation
Actions taken before the attack are the ones most commonly associated with "computer security" - they involve good defenses for computers and the networks themselves, such as by downloading the latest patches or instituting good operating practices. None of these involve the need for attribution, but putting tools in place to implement good authentication and authorization is part of good security. For some classes of attacks, specifically DDoS events, it may be possible to degrade the viability of the bot-net or the potency of the attack by preventive actions that affect infected machines. In this respect, degradation of attacks can involve remote attribution.
2. During the Fact: Mitigation
During an attack/event, the main objective is to stop or mitigate the event. Secondarily, one may want to gather evidence to be used after the fact. What one can do during an attack depends on the nature of the attack, and different approaches to mitigation place different requirements on attribution for the attack. Different approaches will be needed to stop a DDoS attack and data exfiltration while it is happening.
3. After the Fact: Retribution
The traditional discussion of deterrence focuses on what would happen after the fact, when some sort of retribution would be exacted. For example, as discussed above, if the event is classed as a crime, this would trigger a police response. Primarily, police investigate crimes, identify the perpetrator, and gather the evidence for prosecution. Attribution is at the center of this role. Unless one can identify the perpetrator, retribution is hard to achieve. However, as we illustrated above in our examples of attacks, the actual situation is more complex in a computer-generated situation than this simple story might imply.
4. Ongoing: Attribution as a Part of Normal Activity
In fact, the "before the fact" phase above defines what should be the normal operating mode of the system. With good preparation, bad events might not occur. However, one should look at the role of identity and attribution in the ongoing operation of a system. The idea of authentication is well understood. Several sorts of ongoing activities are made more trustworthy not by trying to prevent misbehavior in real time, but by demanding strong accountability. For example, access to medical records in an emergency room may best be controlled by allowing the access but requiring that the doctor making the request be thoroughly identified so the request can be logged.
There are various sorts of deterrence that might be imagined; these have different implications for the needed quality and precision of the attribution. Different actors - police, intelligence services, and the military - will benefit from different sorts of attribution. In the case of attacks that are described as crimes, the usual sort of deterrence is judicial - arrest and prosecution - while in the case of cyberexploitation from military or national security sites, the deterrence may take diplomatic or retaliatory routes.
Judicial response would seem to call for attribution at the level of the individual, and of forensic quality - sufficient to bring into court. However, this model of attribution may be over-simplified. First, the most important role of attribution may be during the course of the investigation, when evidence is being gathered. Having a clue about attribution that is sufficient to guide an ongoing investigation may be critical. One FBI agent put it this way: "I could do packet attribution and let's say it gets me to a physical location. Maybe I get a search warrant and I get back. How I get there is important."37 After that point, forensic quality evidence matters. From the investigator's standpoint, "[What's] critically important is that you have evidence. Packet attribution is not beyond a reasonable doubt. The biggest thing in attribution is you're not looking for a computer; you're looking for a person."38 Prosecutors look for certain kinds of evidence to bring before a jury. Evidence of on-line identity, however robust technically, may be less compelling than evidence gathered from carrying out search warrants and following the money. Packet-level attribution may aid an investigation, but our world still demands that the real evidence come from the physical world.
Telephone interview by Susan Landau with senior FBI official (Dec. 14, 2009) (notes on file with Landau).
National security investigators perform a different act than law enforcement investigators when sifting the evidence in cyberexploitations or cyberattacks. They are seeking intelligence rather than producing court evidence. Where that evidence is produced - the jurisdiction - will play an important role in its veracity. A national security investigation cannot depend on packet-level attribution produced outside a trustworthy domain.
Different parts of the Internet operate within different jurisdictions: different countries, different legal systems, and (within these jurisdictions) both as public and as private-sector activities. Any discussion of attribution must consider jurisdictional issues.
1. Variation in Enforcement
Some regions may be lax in their enforcement of laws and uninterested in making the investigation of cyber-attack a high priority. This can be an issue in any attack, but becomes of particular importance in attacks that involve cascades of machines: machine A infiltrates machine B to attack machine C, and so on. If the jurisdiction within which B sits is not responsive, it becomes much harder to gather any evidence (which may be transient) that might link B to A. There is anecdotal evidence that attackers may "venue-shop" for regimes in which aggressive investigation is unlikely.
Evidence suggests that for single-stage events, so long as there are procedures in place within a jurisdiction, mapping from IP address to higher-level attribution is practical. For example, in the United States, the Recording Industry Association of America ("RIAA"), under the provisions of the Digital Millennium Copyright Act, regularly obtains information from ISPs about their customers hosting material covered by copyright for the purpose of bringing lawsuits.39 The conclusion reached from this example should be the importance of jurisdiction in such a network investigation. To determine traffic origin requires investigating the machines traversed by the communications. If a jurisdiction permits such an investigation, then attribution - and perhaps deterrence - is possible. But if it does not, say because the jurisdiction does not view the activity as criminal, then tracing will not be possible.
39 See, e.g., Recording Indus. Ass'n of Am., Inc. v. Verizon Internet Serv., 351 F.3d 1229 (D.C. Cir. 2003).
This suggests that even if we were to push for a variant of the Internet that demanded very robust identity credentials to use the network, tracing would remain subject to barriers that would arise from variation in jurisdictions. Unless we imagine that all countries would agree to the election of a single, global identity authority, credentials would be issued by individual countries, where the quality of the process would be highly variable. In view of this, it is worth examining the issue of criminal versus national security investigations more closely.
2. Criminal Versus National Security Investigations
"Follow the money" is surprisingly useful as a guide to investigations. That adage might seem odd in investigating crimes that are purely virtual, but the fact is that almost all criminal activity (including child pornography) involves money. Thus, for example, although their initial theft was of bits, if the RBS WorldPay40 criminals were to profit, in the end they needed to collect money from bank accounts. Even in child pornography cases, there are producers, organizers, users - and money.