Corporations should follow the goverment’s lead on attribution of cyberattacks
Many would argue, and understandably so, that government does not often provide models for corporations to follow to improve their bottom line. However, federal agencies have long taken the leadership position in cyber security on this one key point; recognizing that it’s not enough to know how networks were hacked, but also to know by whom.
Technical versus social attribution
It’s not at all uncommon that the origins of a virus, worm or other computer attack may reside in one continent, but at the behest of an organization or individual located in a far different region of the world. Case in point – a recent report by researchers in Canada noted that a Chinese Network called GhostNet, purported to be sanctioned by the Chinese government to conduct intelligence gathering over the Internet, controls some 1,200 infected computers in more than 100 countries, including North America, Kuwait and India. While the government denies the allegations, the point here is well made; just because a malicious infiltration against an organization comes from one part of the globe doesn’t mean the people behind it are from that area.
Being able to identify the mechanical tactics that were used is important, but may not tell the complete story. That’s why the U.S. State, Justice and Defense Departments spend precious time, money and resources to uncover the true culprits, a process known as “attribution”. Understanding who was behind such attacks is very meaningful when determining a course of action, be it through diplomatic, military or law enforcement channels. Attributing both the technical and social origins also provides valuable intelligence against terrorist, insurgent and criminal activities that can be countered in multiple ways. This can only be done by understanding who was behind the attacks and not just from recognizing when networks are being hacked.
While the Feds embrace this idea, many businesses in Corporate America fail to see the benefits in taking this extra step in their cyber forensic investigations. Most are concerned only with ensuring that such an attack never occurs on their systems again, and pay little – if any – attention to whomever is playing havoc with their network. Anecdotal evidence suggests the reasons are numerous, with the most popular being that it’s not worth the time and effort since there’s most likely no real legal recourse against such organizations anyway. Additionally, some organizations believe that making the suspects known will only encourage future attempts to infiltrate their networks.
A notable exception to this tendency is Google’s recent corporate blog posting regarding suspected hacking of Gmail servers by the Chinese government. Google made the effort to determine the source of the attack on their servers, and more notably, disclose the information that they discovered forensically to the public with the methods and suspected perpetrators of the attack.
Benefits outweigh the costs
More companies should follow Google’s example, if not in the publication of cyber attacks and methods, at the very least in determining the “who” and the “how” of the attack. In fact, companies that don’t try to uncover the people and groups behind the attacks are doing themselves more harm than good, both in long term monetary loss to their shareholders and loss of competitive advantage. Determining who was responsible can shed light on numerous opportunities and unforeseen pitfalls.
For example, a multi-national firm may discover that an overseas competitor was behind a particular attempt to hack into their network because they were looking to gain insight into their technology for use in a developing market. Recognizing that the attack came from a foreign government allows the corporation to bring in U.S. government resources who are interested in criminal activity or espionage threats. Even marketers who measure such things as brand equity can leverage such information about who’s attacking the system to determine the depth and nature of the competitive threat in different geographic areas and market.
Identifying the assailants by groups will not necessarily encourage additional attacks. In many cases the opposite is true- hackers don’t want to be known and will run for cover when the light is shined upon them. Google is betting on just that by publicly threatening to shut down its Chinese operations in the wake of the aforementioned attacks against its networks.
Suffice it to say there are ample reasons why companies should spend time and resources to not just understand the “how” of cyberattacks directed against them, but also the “who”. If knowledge is indeed power, than organizations need to make it a point to seize the opportunity to learn more about their people behind such events in order to learn from them. The dividends can be significant and potentially critical to the company’s future success.