Sanctions against cyber attackers and spies may not be that easy

Barack Obama's executive order allowing sanctions against cyber attackers has been welcomed, but it remains to be seen if challenges can be overcome


US president Barack Obama’s executive order allowing for financial sanctions against malicious foreign hackers and companies that benefit from cyber espionage has been widely welcomed, but the plan is not without its challenges.

The idea is that where traditional diplomatic and law enforcement processes fail, the US can go after cyber attackers and the beneficiaries of cyber espionage by freezing their US assets and preventing them from operating in the US financial system.

The move has been welcomed by the global software industry advocacy group BSA The Software Alliance, as well as by other groups and individuals concerned about the theft of intellectual property and cyber security.

However, some representatives of the cyber security industry have pointed out the most obvious challenge to the initiative, which is the long-standing problem of attribution.

Identifying the source of cyber attacks is notoriously difficult because of the relative ease with which attackers can cover their tracks and misdirect investigators by routing attacks through multiple servers.

Attribution was hotly debated earlier in 2015 when the US imposed fresh sanctions on North Korea in response to the November 2014 cyber attack on Sony Pictures Entertainment.

The US was adamant North Korea was behind the attack, but cyber security experts said it is often extremely difficult to say with any certainty who is behind attacks or where they originate.

Industry pundits questioned the US conclusions, saying the attack was more likely to be the work of North Korean sympathisers, hacktivists or disgruntled company insiders.

The problem of foreign attackers operating in the US is very real, according to Tripwire senior security analyst Ken Westin.

“We have seen robocallers from outside the US defraud people claiming to be from the IRS [Internal Revenue Service], successfully scaring people – particularly senior citizens – into giving them credit card numbers, using VoIP [voice over internet protocol] networks,” he said.

“The perpetrators of these acts have been able to get away with it due to available technologies that make it easy to evade detection.”

Attribution remains a challenge

Westin said that while the executive order will give the US government more power to go after foreign criminal syndicates and fraudsters, attribution remains a challenge.

“Even if you are able to identify from what country an attack is routed through, identifying who is behind the keyboard or phone is a different story altogether. One of the reasons cyber attacks and technology-enabled fraud have been so prevalent is due to the ease of evading detection and relative anonymity that a number of tools available provide,” he said.

Westin added that it will be interesting to see how the Obama administration looks to enforce sanctions and what resources will be applied to support the process.

Tripwire security and IT risk strategist Tim Erlin said the executive order will definitely push the difficulties of accurate attribution to the fore. “The US will have to be very, very sure of the perpetrator before pulling the economic trigger. No doubt, any recipient of financial seizure is likely to protest that they’re being incorrectly targeted,” he said.

However, US officials say they are getting better at tracing the source of cyber attacks, according to the Seattle Times, and some representatives of the cyber security industry have said that while attribution is challenging, investigative technologies are evolving at a rapid rate.

“We should have much more advanced forensics tools in the near future that will allow us to determine with certainty who is responsible for a specific attack, and as challenging as attribution is, there needs to be balance between bringing criminals to justice and protecting a citizen's right to privacy,” said CipherCloud chief trust officer Bob West.

"Protecting information takes a concerted, co-ordinated approach between the private and public sector. Technology vendors need to design their products with security built in and companies need to practice good security hygiene. Finally, the US Congress must do its part to protect the public with sound legislation,” he said.

Executive order framework "pretty reasonable"

Only time will tell whether US sanctions will be successful in penalising and deterring cyber criminal acts that cannot be addressed in other ways, said Corey Thomas, president and chief executive of security firm Rapid7.

But, he said, the framework created by the executive order looks “pretty reasonable” and includes thresholds for the harm that must be caused to pursue this kind of penalty, as well as details on the process for vetting perpetrators.


“We particularly applaud the thresholds for harm. It’s key that acts must both cause significant negative impact, for example to national security or economic health, and that this must manifest through specifically identified acts, such as the widespread theft of trade secrets, or disruption of the availability of computing systems,” said Thomas.

He added that it is also critical that the US Treasury Department has stated it does not intend to pursue security researchers under this order.

“Security research is essential for understanding how cyber attackers operate, and identifying issues that provide them with opportunities for exploitation,” Thomas said. “The findings help businesses and consumers protect themselves, yet in order to do this, researchers have to behave like attackers, and this can lead to legal complications and uncertainty.

“It’s challenging to create policy that protects researchers without providing a backdoor for criminals, so it’s a positive step to see the US government clearly distinguishing between types of actors and committing upfront to not pursue researchers.”

The White House has not announced any new sanctions, but now that the framework has been announced, sanctions are bound to follow. The question remains whether in imposing fresh sanctions the US will offer more proof of attribution than it did in January regarding North Korea’s alleged attack on Sony Pictures.

If US authorities are to use this new power, they will need to do more than just say they are satisfied that their conclusions are accurate.
