Monday, December 22, 2014

What Does "Responsibility" Mean for Attribution?

I've written a few posts here about attribution. I'd like to take a look at the word "responsibility," as used in the FBI Update on Sony Investigation posted on 19 December:

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following... (emphasis added)

I'm not in a position to comment on the FBI's basis for its conclusion, which was confirmed by the President in his year-end news conference. I want to comment on the word "responsibility," which was the topic of a February 2012 paper by Jason Healey for The Atlantic Council, titled Beyond Attribution: Seeking National Responsibility in Cyberspace.

In the paper, Jason created the excellent table at left. You can read more about it in the original document.

Using the Spectrum of State Responsibility, in my assessment, the US government's statements include a range of possibilities, from State-encouraged to State-integrated.

(Options such as State-Prohibited, State-prohibited-but-inadequate, and State-ignored, are outside of the US government's "responsibility" statement.)

Given the nature of the DPRK regime and other factors, it is probable to conclude that the FBI's statement indicates State-ordered, State-executed, or State-integrated activity.

For example, if Bureau 121 is responsible, the attack would be State-executed.

If the DPRK contracted with third party criminal hackers, the attack would be State-ordered.

If the DPRK used both Bureau 121 and third party criminal hackers, the attack would be State-integrated.

It is unlikely the attack was State-rogue-conducted, meaning "out-of-control elements" attacked a victim. The incredibly restrictive, authoritarian nature of the DPRK regime and Internet access makes that highly unlikely.

Note that, using the Spectrum, some seemingly contradictory arguments can be resolved. For example, in a State-ordered scenario, the US government could correctly assert DPRK "responsibility," although the attack could have been executed by third party criminal hackers.

I believe the debate about the nature of DPRK activity would be more fruitful if concerned parties placed themselves on the Spectrum.

I do not know which option from the spectrum the FBI or other elements of the US government would place this DPRK incident, but as I said it is probable to conclude that the FBI's statement indicates State-orderedState-executed, or State-integrated activity.

On several related notes, I highly recommend reading Did North Korea Hack Sony? by RAND's Bruce Bennett, a true DPRK expert. Bennett explained his role recently on CNN. Also listen to this interview, read this story citing Korean defector Kim Heung Kwang, and read this paper (PDF) by DPRK expert Dr Alexandre Mansourov. I also agree with the analysis here by Professor Michael Schmitt.

Finally, I suggest that critics of government attribution need to think beyond their current positions, towards the consequences of their beliefs. If they demand higher standards for attribution, they're essentially asking for less anonymity, and more identification on the Internet. That would likely lead to government identity schemes, which the critics would also detest. They should be careful what they ask for, in other words.

2 comments:

Anonymous said...

Very interesting! Is there a spectrum of participation for individuals guiding the action? For example, the CPC as a body may not approve of an individual's or lower committee's actions, but the individual may be a member. How to define that action and relationship?

John Allison said...

Interesting points and thanks for highlighting that chart. As for your final thought, I think many of the critics believe the government has already met their higher standard for attribution in this incident but want more transparency in the government's existing identification of the Internet. I believe based on the information that has been released, especially the recent statements by James Clapper and James Comey that the government has likely accurately attributed this attack to North Korea. However, the publically released information doesn't include enough details for me personally to make that attribution, which I think may be the mindset of a lot of security professionals. In my opinion, having that level of transparency is very unlikely and would almost certainly be a detriment to the intelligence programs gathering that information.