Attribution in Cyberspace: Challenges for U.S. Law Enforcement

This report discusses criminal attribution in the cyber security realm.

CRS Insights
Kristin Finklea, Specialist in Domestic Security (, 7-6259)
April 17, 2015 (IN10259)

"Who did it?" Attribution, some may argue, is a challenge "as old as crime and punishment." In the cyber realm too, criminal attribution is a key delineating factor between cybercrime and other threats. When investigating a given incident, law enforcement is challenged with tracing the action to its source and determining whether the actor is a criminal or whether the actor may be a terrorist or state actor posing a potentially greater national security threat.

Blurry lines between various types of malicious activity in cyberspace may make it difficult for investigators to attribute an incident to a specific individual or organization. Without knowing the criminal intent or motivation, some activities of cybercriminals and other malicious actors may appear on the surface to be similar, causing confusion as to whether a particular action should be associated with a criminal or other actor. Further, "[t]he speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all." Moreover, officials have noted cooperation and blurring of lines between types of actors, including nation states, organizations, and individuals, which can complicate or stymie attribution.

Attribution in the Sony Pictures Entertainment Breach

The attribution issue is highlighted in the November 2014 revelation of a breach at Sony Pictures Entertainment (SPE) by actors claiming responsibility and calling themselves the "Guardians of Peace." The Federal Bureau of Investigation (FBI), in its investigation of the breach, notes that it "consisted of the deployment of destructive malware and the theft of proprietary information as well as employees' personally identifiable information and confidential communications. The attacks also rendered thousands of SPE's computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company's business operations." Hackers further threatened a September 11, 2001-type of attack on movie theaters that showed "The Interview," a spoof about journalists tasked with killing North Korea's Supreme Leader, Kim Jong-un.

There has been debate about the true source of the breach. As of December 2014, the FBI—leading an interagency effort—had attributed the hack to the North Korean government. In its attribution, the FBI cited malware linked "to other malware that the FBI knows North Korean actors previously developed," "significant overlap between the infrastructure used in this attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea," and tools similar to those used in a 2013 North Korean cyberattack against South Korean banks and media outlets. Nonetheless, experts critical of this attribution note that the evidence linking North Korea to the SPE breach is not definitive. Further fueling concerns that the hack may be mis-attributed, U.S. officials have not revealed specifics surrounding how the attribution was reached.

As a response to North Korea's "numerous provocations, particularly the [2014] cyber-attack targeting Sony Pictures Entertainment and the threats against movie theaters and moviegoers," President Obama signed an Executive Order on January 2, 2015, authorizing additional sanctions against certain individuals and entities associated with the North Korean government.

Attribution in the Anthem Inc. Breach

In February 2015, it was revealed that one of the nation's largest health insurance companies, Anthem Inc., had suffered a data breach involving the personal information—including Social Security numbers—of potentially 80 million individuals. However, Anthem does not believe that banking, credit card, or certain medical information was compromised. Law enforcement has not publicly attributed this attack. Notably, "security experts involved in the ongoing forensics investigation into the breach say the servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyberespionage group known by a number of names, including 'Deep Panda,'" as well as a professor at Southeast University in China. Nonetheless, a definitive attribution for the Anthem Inc. breach has not been made.

Federal Efforts to Enhance Attribution

Determining the actor (and the actor's motivation) involved in a cyber incident will in turn help guide how the United States responds. If a criminal—motivated by profit—is the perpetrator, the investigation and response may be led by law enforcement using the tools of the criminal justice system. If the perpetrator is deemed to be a state-sponsored actor, the United States may utilize diplomatic or military tools in its response. Notably, the criminal justice system has standards of proof for attributing an incident to an individual. It is less clear in other domains—such as attribution as a basis for war or a response to cyberterrorism—what the standard of attribution or proof may be.

A number of issues may pose challenges for accurate, timely attribution. For instance, anonymizing tools available on the Internet, such as The Onion Router (Tor), can help mask the identities of actors. While such tools can help protect privacy online, they can also help hide malicious, illegal activity. Policymakers may consider how Congress can assist law enforcement and others in enhancing attribution of cyber incidents within the framework of today's rapidly changing technology space. They may question whether law enforcement has sufficient resources—authorities, technological capabilities, and manpower.

While attribution remains a challenge, the Director of National Intelligence notes that "[g]overnmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions." The FBI has reportedly bolstered its efforts to better attribute cyberthreats and attacks. Through the Next Generation Cyber Initiative, the FBI is developing agents to connect with critical infrastructure components and computer scientists to "extract hackers' digital signatures" and determine their identities, all to help concretely attribute a specific actor to a cyber incident. Similarly, the Department of Defense has reportedly "made significant investments in forensics to address this problem of attribution." Congress has already shown interest in understanding whether accurate attribution can help deter cyberattacks as well as in ensuring that investigators have the tools and skills to accurately attribute incidents.