There are two major roadblocks to international cyber diplomacy, according to former US diplomat turned private sector consultant David An.
These roadblocks are the “problem of attribution” and the “disclosure dilemma”, he told attendees of the DEF CON 23 hacker conference in Las Vegas.
The attribution problem, An said, is where a cyber attack appears to be coming from country A, yet it is only a proxy in country A, and the attack is really coming from country B.
“Or maybe it is several proxies, with the attack coming from country F, but going through proxies in E, D, C and A,” he added.
The issue of attribution was most recently highlighted when the US blamed North Korea for the massive November 2014 cyber attack on Sony Pictures Entertainment.
Security experts, including Bruce Schneier, cast doubt on US claims that North Korea was behind the attack, but Schneier subsequently said he believed the US had enough evidence.
An tackled the issue like a typical diplomat, saying the US has spent a lot of resources trying to solve the attribution problem, according to a new book.
“It is a sensitive topic, so I can’t really get into it myself, so I am going to cite journalist Shane Harris’s new book,” he said.
Citing Harris’s research on the US National Security Agency (NSA) and cyber security, An said the NSA has spent a lot of money buying software from computer companies and developing its own software in-house to solve the attribution problem.
“So according to his research and interviews with US officials, he is saying the US government is very adept on this,” said An.
Harris’s research, therefore, appears to support the FBI’s confidence in attributing the Sony attack to North Korea.
In January 2015, FBI director James Comey told the International Conference on Cyber Security in New York that “critics do not have access to the same facts as the FBI”.
“We know who hacked Sony. It was the North Koreans. I have very high confidence about this attribution,” he said.
According to An, attribution is a key aspect of diplomacy because, if there is no certainty that an attack is coming from a specific country, there is no basis for discussion.
“But say you can get attribution right, say you do have a high level of confidence based on certain methods – you are still faced with the disclosure dilemma,” he said.
The disclosure dilemma, said An, arises when country A accuses country B of hacking and country B demands proof: if country A produces that proof, it will alert country B to the methods and sources country A is using.
“If country B finds out what methods are being used, they can take actions to prevent country A from using those methods in future and it could make country B a stronger adversary,” he added.
Most commercial companies, An said, are only interested in how attacks are being carried out so that they can defend against them, but governments are also interested in the who, what, when, where and why.
“For commercial companies it is important to deal with the hacking to stop the bleeding and how to protect networks, but more mature and savvy firms typically go beyond the how to ask the same questions as governments,” he said.
State-to-state hacks are most likely to come up in diplomatic dialogue, assuming the attribution problem has been solved somehow, said An, because the government coming under attack is going to want to find a way of persuading the attacker to stop.
“When a non-state actor hacks another state it will also come up in diplomatic dialogue because the government under attack will look to the state from which the attack is coming to crack down on the hacking group domestically,” he said.
However, when it is a state actor hacking a non-state organisation like a private company, it is not necessarily going to come up in diplomatic dialogue. “Often, private companies do not want to share information about cyber attacks or the government may not even know that a company is being hacked by a foreign state,” said An.
Where dialogue does take place, co-operative countries are likely to use law enforcement to deal with attacks coming from within their borders, and where there is a mutual threat, they are likely to share information and work together to build a defence.
“However, countries that are not co-operative will use the attribution problem to stonewall, and you are going to face the attribution dilemma,” said An. “They are likely to say a proxy is being used for an attack by another country and that they too are victims of hacking. But this is all stonewalling so that they do not have to do anything to solve the problem.”
While some countries such as Vietnam are surprisingly co-operative in cyber diplomacy, he said, Eastern European countries tend to be selectively co-operative.
According to An, attacks coming from eastern Europe and Russia tend to target financial institutions, attacks from south-east Asia and Vietnam tend to target e-commerce companies, while attacks from north-east Asia usually target intellectual property.
He believes the way forward is to work more at a private company level to get companies more comfortable with sharing information that will help other companies defend against common threats, but also at the government level to work at solving the disclosure dilemma and attribution problem, and to recognise this is a growing field and new norms are being formed.
“If a country calls on other countries not to carry out cyber attacks, but goes ahead with attacks of its own, it loses the trust of the people,” said An.
He called on all those with cyber security expertise to think like cyber diplomats by keeping dialogue in mind and aiming to engage other companies and countries to foster greater global collaboration in countering cyber attacks.