Attributing responsibility for a cyber attack is difficult, but important: the difference between being hacked by a teenager and being hacked by a foreign spy agency could be the difference between public acceptance and a hellish world of lawsuits, fines and shattered reputations.
According to FireEye CEO Kevin Mandia, speaking at a FireEye roundtable event, it is time for governments and law enforcement agencies to take a leadership role in demystifying this world of attribution.
Mandia, who took over FireEye in June 2016 and has worked with the US government in attribution for some time, says that companies need their governments to “stand behind [them]” when a nation hacks them.
Right now, he says that no government does so in a “consistent way”.
Recent hacks have shown how important attribution of an attack is. TalkTalk apparently being hacked by a teenager has not done wonders for its brand reputation. A 17-year-old has now confessed to the hacking charges, but TalkTalk has attracted a fair measure of blame itself. The vulnerability (SQL injection) that was used to hack TalkTalk was an extremely basic and predictable one that TalkTalk should have addressed.
Financial results since the breach was revealed have shown customers abandoning the company.
On the other hand, Yahoo has claimed that its recently revealed 2014 hack was carried out by a state actor, although this may never be confirmed or disproven.
“When you’ve been compromised and you know it and you feel you have to disclose because people are finding out about it, if it’s a fifteen-year-old, the organisation is going to be deemed irresponsible by the public.
“If it’s a nation state you kind of get a hall pass,” says Mandia. “We kind of saw that with Sony Pictures; they were compromised and most of the press said ‘how dare they’.
“Then the President of the United States went on TV and said North Korea had done it. You saw the pendulum of public opinion swing from irresponsible to victim of a military attack.”
Mandia says that the formidable reputation of state-sponsored hackers is deserved.
“[When a state actor is responsible] it’s almost immaterial how the bad guys broke in because the boundaries of their capabilities are such that it would be unreasonable to expect them to prevent the breach.”
According to Mandia, the majority of attacks using zero-day vulnerabilities (vulnerabilities unknown to the vendor when used) that he sees are from nation states. He says that hackers can make more money by selling zero-day exploits to state actors than by using them themselves.
Supporting this, the 2016 Verizon Data Breach Investigations Report showed that hackers still routinely use vulnerabilities published several years ago, and the top 10 vulnerabilities accounted for 85 percent of successful exploit traffic.
Mandia says that when a government knows that a state actor is responsible, it is “frustrating” for companies that the government does not confirm this publicly.
He cites the cases of hacked US healthcare providers, including Blue Cross Blue Shield and Anthem, which were reportedly hacked by Chinese actors. Mandia says that these companies were compromised by the Chinese government and “not one person in the government said anything”.
“I think it’s going to get to the level of exactitude where a nation state will have to say categorically this was a nation state or it was not,” he says.
“No intelligence agency or government wants to do attribution for the private sector.
“If you’re the CEO of a company you really want the government to do very little when it comes to cyber security. But one of the things that you want them to do is stand behind you when another nation hacks you.”
Mandia provides some ideas for what such a system might look like. Perhaps an anonymous government source will say in a statement that a state actor is believed to be responsible.
“But if you want to make it official, do it through your law enforcement arm. If you do it categorically you don’t need to reveal [how you know].”
He says that this move “would go a long way to helping the victim companies.
“It takes the wind out of the sails of the plaintiff lawsuits.”
However, Mandia accepts that the system is open to ambiguity and potential manipulation.
“There’s no such thing as perfection in this,” he says.
Whether governments will start intervening in such a way is unclear, but there is no doubt that it would be a huge relief to potential victims of state attacks that are taking their cyber security policies seriously.