Cyber agencies mum on how they try to identify cyberattackers

Members of a Senate subcommittee on Tuesday asked criminal and security agency officials responsible for securing the nation's most sensitive computer systems and networks how they identify who is behind a specific cyberattack, despite the difficulty in doing so.

Tracing cyberattacks back to a specific source can be a difficult process because attacks can be routed through numerous computer networks worldwide, making it nearly impossible to identify the computer network where the attack started. Cyberattacks that took down government Web sites in South Korea and the United States in July, for example, initially were attributed to North Korea, but no hard evidence has emerged identifying systems there as the origin of the disruption.

"When you're in a situation where you don't know if it's a hacker, foreign government, terrorist or criminal group, how do you proceed?" Sen. Ted Kaufman, D-Del., asked witnesses from the Justice and Homeland Security departments and the FBI during a hearing before the subcommittee on Terrorism and Homeland Security.

James Baker, associate deputy attorney general at Justice, said his department turns to its criminal division, which investigates and prosecutes cyber criminals, and to its national security division, which investigates, prosecutes and attempts to stop cyber activities of nation-states and terrorists that pose a threat to U.S. security.

Steven Chabinsky, deputy assistant director of the FBI's cyber division, said the bureau relies on the National Cyber Investigative Joint Task Force to share information related to all domestic cyber threat investigations. He also noted that the FBI employs more than 2,000 special agents with cyber training, and more than 1,000 advanced cyber-trained agents, intelligence analysts and digital forensic examiners.

"Some of the best and brightest minds in the country have joined the FBI, which is uniquely positioned to combine counterterrorism, counterintelligence and criminal domestic investigative authorities to address the cyber threat," Chabinsky said.

Baker and Chabinsky, however, did not discuss specifically how their agencies trace cyberattacks back to the source.

Sen. Sheldon Whitehouse, D-R.I., noted that while identifying the sources of cyberattacks might not be technically possible in all cases, federal agencies can draw conclusions based on motive and the consequences of the attack, particularly in cases where attacks are presumably launched by enemy nation-states.

"Even where attribution through the maze of servers and electronic connections cannot be specifically established, you can connect the dots," he said. "It's a little beyond pure law enforcement, [but] there's a point where you can say, 'OK, you're not [responsible], sure. But if it continues to happen, here are the consequences.' That's something that can only be done at the diplomatic nation-to-nation level."

A separate report released on Tuesday emphasized the need for the federal government to define acts of cyberwar through an analysis of factors, including possible motivations behind an attack and the consequences a disruption can cause. If a cyberattack were politically motivated and caused severe damage, those factors would increase the likelihood that the United States would consider the attack an act of cyberwar.

Philip Reitinger, deputy undersecretary of the National Protection and Programs Directorate at DHS, confirmed that the nation's response to a cyberattack could depend on whether it was launched by individual hackers or organized criminal groups versus terrorist organizations or enemy nation-states. But he added, regardless of the source of a cyberattack the role of DHS would be to defend against it and help the nation recover.

"The defensive measures you would use would depend less on source and more on what the attack looks like," he said. "It's too hard for individual users and even small and medium businesses to secure systems. We need as a nation to continue to make it simpler for people to institute protections, determined if they've been compromised and make sure they stay secure."

Reitinger also emphasized the importance of using identity management tools to ensure only authorized individuals can access specific computer networks and applications. "If you talk about broadly cutting out avenues of attack, there's little that would be more effective than enabling authentication so it's easier to defend your perimeter," he said.

Richard Schaeffer, director of the National Security Agency's Information Assurance Directorate agreed that a good defense is the best offense. "The challenge is how do we get everyone up to a certain level of assurance [and] help people harden the network environment in which they operate," he said. "That's common sense; good network hygiene that actually raises the ante. The harder we can make the general network environment, the easier it will be to detect when something actually does go wrong."

Schaeffer said organizations that properly set computer configurations and consistently monitor their networks should withstand about 80 percent of commonly known cyberattacks.

Subcommittee chairman Sen. Benjamin Cardin, D-Md., however, called 80 percent unacceptable. "We would never prepare a defense budget based upon 80 percent effectiveness," he said.