Attack Attribution in Cyberspace

When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the US government's claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI's evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren't convinced. This implies that there's classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, "The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq's weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that."

The NSA is extremely reluctant to reveal its intelligence capabilities -- or what it refers to as "sources and methods" -- against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government's unequivocal attribution of the attack without seeing the evidence. Iraq's mythical weapons of mass destruction are only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don't come with return addresses, and you can never be sure that what you think is the originating computer hasn't itself been hacked. Even worse, it's hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it's usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it's in the US's best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the US: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the US has been cagey about whether it caused North Korea's Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we're expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA's sources and methods is going to have to take a backseat to the public's right to know. And in cyberspace, we're going to have to accept the uncomfortable fact that there's a lot we don't know.

This essay previously appeared in Time.

Posted on January 8, 2015 at 6:34 AM • 42 Comments

Comments

GreenSquirrel • January 8, 2015 7:14 AM

"The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we're expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. "

I don't agree.

This might be the only sensible way out, but it isn't the only option.

For example, the FBI may, instead, simply decide to aggressively reassert how confident they are about their attribution skills and how certain they are it was the North Korean super-hackers who simply made stupid mistakes.....

This is frustrating for security professionals, but it really is a way out. It will drown out rational voices and eventually lead the narrative in the public eye (ear?).

Rich • January 8, 2015 7:33 AM

For the sake of argument, let's say the NSA sees all, knows all, and has MP3s of the briefing to Kim Jong Un and his go ahead.

What good is perfect knowledge if you can never, ever reveal you know it... for fear your secret techniques will be known? How big does a plot need to be before you thwart it? I'm not thinking here about financial losses to Sony or embarrassment to Sony bosses. I DO have sympathy for the small-potatoes employees who got doxed.

And if we can never, ever reveal we have this secret knowledge, why are Obama and the FBI now saying we know it's N. Korea?

Bardi • January 8, 2015 7:45 AM

"I could have written the same thing about Iraq's weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that."

The government was not wrong in their knowledge. They knew there was no threat. Watch General Powell in front of the UN. He knew it was wrong.

What was wrong was lying the US into an unnecessary war with Iraq. I am not even certain the "unintended consequence" of ISIS was not considered a plus for certain parts of the US government.

Paul Harper • January 8, 2015 7:53 AM

This FBI 'attribution' seems to be related to the hyperbole James Clapper has been spouting at a conference recently. Either James Clapper is an idiot or, more likely, he is trying to manipulate the electorate because he thinks people are idiots. Can Clapper be serious saying copying some movie scripts and emails is the "most serious attack ever against US interests"? More serious than exfiltrating terabytes of data from the Pentagon?

It seems to me this 'attribution' is designed to make the case for maintaining mass surveillance.

"Speaking at the same conference this morning, Director of National Intelligence James Clapper called the Sony hack "the most serious cyberattack ever made against US interests."

http://www.theverge.com/2015/1/7/7507981/fbi-director-comey-reveals-new-details-on-the-sony-hack

wiredog • January 8, 2015 9:16 AM

Packets don't come with return addresses
Technically, there is a field in the ip datagram called "source address". Which can be, and often is, changed by various devices along the way. It can obviously be forged, too. But it is there.

Alan Welk • January 8, 2015 9:49 AM

This has to be the most amazing cyber attack ever, North Korean secret agents pretending to be a disgruntled employee! Very clever indeed.

somebody named david • January 8, 2015 10:05 AM

@Bardi
What was wrong was lying the US into an unnecessary war with Iraq. I am not even certain the "unintended consequence" of ISIS was not considered a plus for certain parts of the US government.

I think the statement made by the President was needed to give an A-OK for Cyber Command to be mobilized. When it comes to military actions during peacetime, some type of official word must be said to bless their legitimacy, because military action typically involves a whole lot of people.

I think you're also right about the fact that LEOs could have kept their mouths shut about the investigation if they had decided to treat this incident as an internet "crime" instead of a cyber "act of war."


gardner • January 8, 2015 10:43 AM

"How big does a plot need to be before you thwart it?"

Bigger than attacking Sony. If they have a wiretap on KJU's office phone, they are looking for orders to start shelling Seoul or rocketing Tokyo before they would tip their hand. Also, if they do have eyes on NK, they almost certainly do it cooperatively with Japan and South Korea, which have the real interests in the region. And they would have a say on whether their joint project could be blown. Protecting a movie company would not be enough, I am sure.

jayson • January 8, 2015 11:42 AM

@Alan Welk

This has to be the most amazing cyber attack ever, North Korean secret agents pretending to be a disgruntled employee! Very clever indeed.

Don't be ridiculous, the North Koreans hired others to pretend to be a disgruntled employee! /s

@Bruce

Stop questioning the official narrative, you'll disrupt the timeline for the North Korean war.

Annonymous Cow • January 8, 2015 12:32 PM

Technically, there is a field in the ip datagram called "source address". Which can be, and often is, changed by various devices along the way. It can obviously be forged, too. But it is there.


How about a MAC address? An IP address can be for a router or switch that has multiple devices. A MAC address is (or is supposed to be) unique for each network interface. And yes it can be spoofed, but that takes some knowledge.

Daniel • January 8, 2015 12:53 PM

Green Squirrel writes, "the FBI may, instead, simply decide to aggressively reassert how confident they are about their attribution skills"

This way out is an illusion. George Bush was America's first macho president, and to my own great disappointment Obama has continued that trend. The problem with machismo isn't that it always fails; sometimes it works well enough. The problem is that when your enemy recognizes the truth, it is easy to manipulate. Some people have suspected the Russians did it. It would be very shrewd of the Russians to make it look like North Korea did it...knowing that the USA wants to look tough...and then, once the USA has doubled down on its bluff, expose the truth to universal scorn and mockery.

I said it weeks ago and I'll say it again. Anyone who thinks that it is smart for the USA to bluff in this situation is either reckless or stupid. It puts seeming before being and that never, ever, ends well.

AlanS • January 8, 2015 12:57 PM

Wheeler on TLAs having their cake and eating it: If IPs Are So Solid, Why Won’t FBI Tell Us How Many Americans Get Sucked Up in Section 702?

Comey: "Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans."

Wheeler references Carr's post: FBI Director Comey's Single Point Of Failure on Sony on how easy it is to gain access to the NK network from outside NK. So much for Comey's claim about "IPs that were exclusively used by the North Koreans".

Wheeler: "Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau."

AlanS • January 8, 2015 1:11 PM

From Carr's post linked to in my post above:

I explored the Loxley connection [NK's ISP] as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a "closed" North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand's most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony's files over the hotel's WiFi. It would be a simple matter to gain access to Loxley's or Loxpac's network via an insider or through a spear phishing attack and then browse through NK's intranet with trusted Loxpac credentials. Once there, how hard would it be to compromise a server? According to HP's North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.

Anon. • January 8, 2015 2:21 PM

> it's reasonable to assume that its analysts are in pretty deep

Is it? I would agree, except these are the same analysts that apparently missed nuclear testing - which seems like it would require a lot more planning than even a super-sized network intrusion.

Jason Ipswitch • January 8, 2015 3:06 PM

@Paul Harper
This FBI 'attribution' seems to be related to the hyperbole James Clapper has been spouting at a conference recently. Either James Clapper is an idiot or, more likely, he is trying to manipulate the electorate because he thinks people are idiots. Can Clapper be serious saying copying some movie scripts and emails is the "most serious attack ever against US interests"? More serious than exfiltrating terabytes of data from the Pentagon?

I'm truly confused why an intelligence officer who was caught lying to Congress is still getting attention. I understand that he's not in jail because politics, but surely he ought not be considered credible by anyone.

Anura • January 8, 2015 3:13 PM

@Annonymous Cow

How about a MAC address? An IP address can be for a router or switch that has multiple devices. A MAC address is (or is supposed to be) unique for each network interface. And yes it can be spoofed, but that takes some knowledge.

MAC addresses do not appear in IPv4 addresses; they might appear in IPv6 but don't have to. Either way, anyone knowledgeable enough to perform even the most basic of attacks can change their MAC address.
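Anura's point that a MAC address may or may not be recoverable from an IPv6 address can be checked mechanically: the modified EUI-64 interface identifier of RFC 4291 places the two halves of the MAC around the bytes ff:fe and flips the universal/local bit, whereas temporary addresses (RFC 4941) and stable opaque identifiers (RFC 7217) leave nothing to recover. The following is an added example, not code from the post or from any commenter; the function names, the "manual"/"opaque" labels and the sample addresses under the 2001:db8::/32 documentation prefix are constructed for it.

```python
"""Recover a MAC address from an IPv6 address when, and only when, the
interface identifier was built with modified EUI-64 (RFC 4291, appendix A).
Added example with constructed sample addresses; nothing here is from the
original post."""
import ipaddress


def embedded_mac(addr):
    """Return 'aa:bb:cc:dd:ee:ff' if the low 64 bits of addr form a modified
    EUI-64 identifier, else None. Works for global and link-local addresses."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # interface identifier, 8 bytes
    if iid[3:5] != b"\xff\xfe":                    # no EUI-64 padding: not MAC-derived
        return None
    first = iid[0] ^ 0x02                          # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify_interface_id(addr):
    """Rough classification a log-review script might use (constructed labels)."""
    ip = ipaddress.IPv6Address(addr)
    iid = int.from_bytes(ip.packed[8:], "big")
    if embedded_mac(addr) is not None:
        return "eui-64"      # a hardware identifier is recoverable
    if iid < 0x10000:
        return "manual"      # ::1-style hand-assigned host number
    return "opaque"          # privacy/stable-privacy or otherwise unlinkable


if __name__ == "__main__":
    samples = {   # constructed addresses
        "2001:db8::211:22ff:fe33:4455": "SLAAC EUI-64 (MAC 00:11:22:33:44:55)",
        "fe80::211:22ff:fe33:4455":     "link-local EUI-64, same MAC",
        "2001:db8::1":                  "manually assigned",
        "2001:db8::a1b2:c3d4:e5f6:789": "privacy-style identifier",
    }
    for a, note in samples.items():
        print(f"{a:32} {classify_interface_id(a):7} {embedded_mac(a)}  # {note}")
```

Even when the function does return a MAC, it only tells you what the host chose to advertise: the universal/local bit is set by the host's stack, and as Anura says the MAC itself can be set in software, so the result is an investigative lead rather than attribution.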

Andrew • January 8, 2015 3:17 PM

@AlanS
If compromising NK lines is that easy, eavesdropping on the traffic may be too.

"Mister Jong-un, we carried out your cyber attack" • January 8, 2015 3:45 PM

The people genuflecting to FBI's capabilities and confidence need to bear in mind that FBI's integrity standards are a couple of notches below NAMBLA's.

http://earthfirstjournal.org/newswire/2014/12/29/fbi-informant-arrested-in-key-west-for-failing-to-register-as-a-sex-offender/

FBI no doubt used their standard operating procedure: get a child molester, give him a script and edit the resulting wiretaps to dupe some judge into an evidence-free terror prosecution.

david • January 8, 2015 5:58 PM

@Jason Ipswitch

One of the benefits of extensive study on lie detecting is that you not only become very good at detecting it but also at perpetrating it; however, I don't think Clapper is lying when he said that, if you read his words carefully.

adfaklsdjf • January 8, 2015 6:00 PM

>>  Packets don't come with return addresses
> Technically, there is a field in the ip datagram called "source address". Which can be, and often is, changed by various devices along the way. It can obviously be forged, too. But it is there.

I'm very confused as to why Bruce would say "packets don't come with return addresses". They do! He knows that they do! Why would he say that?

The source address can be spoofed and is often altered in transit, but isn't it extremely difficult to spoof an entire TCP connection consisting of many packets without having a "man in the middle" presence?

The victim host's response packets will be routed to the spoofed source IP address unless the attacker has direct access to the wire between victim and spoofed source (man in the middle) to catch and potentially reroute them.

The victim host will drop the connection if it doesn't receive ACKs for each of the packets it sends, so, without being able to capture response packets as a "man in the middle", unless the victim's algorithm for selecting ACK numbers can be predicted by the attacker, the attacker will not be able to acknowledge receipt of response packets and the victim host will drop the connection.

For a transactional TCP connection, it's my understanding that you can't spoof the source IP successfully unless you have man-in-the-middle status, or you can accurately predict ACK sequence numbers that will be generated by the victim host.
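The exchange between wiredog and adfaklsdjf above (the source field exists, but the server replies to whatever address is written in it, so a handshake from a false address can only be completed by guessing the server's initial sequence number) can be made concrete with a toy model. This is an added example, not code from the post or from any commenter; the Segment/Server/Wire classes, the 64000 ISN step and the RFC 5737 documentation addresses are constructed for it, and nothing touches a real network. It shows what a server's connection log is worth as attribution evidence under a predictable ISN scheme versus the unpredictable one (RFC 6528) that modern stacks use.

```python
"""Toy model of TCP's three-way handshake: why the source field is not a
return address, and when a server's connection log can be trusted to say who
connected. Added example with constructed values; no packets are sent."""
import secrets
from dataclasses import dataclass

ISN_STEP = 64000  # constructed increment for the old predictable ISN scheme


@dataclass
class Segment:
    src: str    # address written into the source field (not necessarily the sender)
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    """Minimal listener. isn_mode is "sequential" (predictable) or "random"."""

    def __init__(self, addr, isn_mode):
        self.addr = addr
        self.isn_mode = isn_mode
        self.last_isn = 0
        self.pending = {}   # claimed peer -> ISN we sent it in the SYN-ACK
        self.log = []       # peers a connection log would attribute sessions to

    def _next_isn(self):
        if self.isn_mode == "sequential":
            self.last_isn += ISN_STEP
        else:
            self.last_isn = secrets.randbelow(2 ** 32)  # RFC 6528-style unpredictability
        return self.last_isn

    def receive(self, seg):
        """Handle one inbound segment; return the reply segment or None."""
        if seg.flags == "SYN":
            isn = self._next_isn()
            self.pending[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.pending:
            if seg.ack == self.pending.pop(seg.src) + 1:   # third step checks out
                self.log.append(seg.src)
        return None


class Wire:
    """Delivers a reply to the address in its dst field, whoever sent the request."""

    def __init__(self):
        self.inbox = {}

    def carry(self, seg):
        if seg is not None:
            self.inbox.setdefault(seg.dst, []).append(seg)

    def read(self, addr):
        return self.inbox.get(addr, [])


def handshake(server, wire, sender, written_src, isn_guess=None):
    """sender emits a SYN whose source field says written_src. If that is the
    sender's own address the SYN-ACK arrives and its seq is used; otherwise the
    SYN-ACK went elsewhere and the ACK has to rely on isn_guess."""
    wire.carry(server.receive(Segment(written_src, server.addr, "SYN", seq=1)))
    if written_src == sender:
        isn = wire.read(sender)[-1].seq   # we saw the SYN-ACK
    else:
        isn = isn_guess                   # we saw nothing
    wire.carry(server.receive(Segment(written_src, server.addr, "ACK", seq=2, ack=isn + 1)))
    return server.last_isn


def attribution_experiment(isn_mode):
    """Return what the server's log says about host C after a genuine session
    from C and one SYN from host X carrying C's address (constructed hosts)."""
    c, x = "192.0.2.7", "203.0.113.5"            # RFC 5737 documentation addresses
    server, wire = Server("198.51.100.10", isn_mode), Wire()
    handshake(server, wire, sender=c, written_src=c)          # genuine session from C
    seen = handshake(server, wire, sender=x, written_src=x)   # X sees one ISN in its own session
    guess = seen + ISN_STEP if isn_mode == "sequential" else secrets.randbelow(2 ** 32)
    handshake(server, wire, sender=x, written_src=c, isn_guess=guess)
    return {
        "sessions_logged_as_C": server.log.count(c),   # 2 if the guess worked, else 1
        "synacks_delivered_to_C": len(wire.read(c)),   # always 2: replies follow the field
        "synacks_delivered_to_X": len(wire.read(x)),   # always 1: only X's own session
    }


if __name__ == "__main__":
    for mode in ("sequential", "random"):
        print(mode, attribution_experiment(mode))
```

Under the sequential scheme the log credits C with a session C never opened, while the wire counters show that every reply still went to the address in the field, exactly as adfaklsdjf describes; under the random scheme the log stays correct. That is the defender's reason for RFC 6528 ISN generation, and it is also why a source address in a log is evidence about a field in a packet, not about a person.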

Just passin' thru • January 8, 2015 8:47 PM

@adfaklsdjf

I'm very confused as to why Bruce would say "packets don't come with return addresses". They do! He knows that they do! Why would he say that?

I thought he meant that the packets don't come with an address in dirt-space, i.e. room nbr, street address, city, state, country, zip, and for THAT reason attribution is difficult.

The rest of your msg looks right technically, but remember there are other tricks, such as using ICMP redirect packets to tell an end-node that its upward connection is elsewhere. (I found this was done to _my_ computer a few years ago by another in my ISP's local subnet.) If any computer were compromised on NK's network (they have only a block of 1024 addresses), a different computer could be made to look like the source for a period of time. With another proxy, it could be made to look like NK is responsible.

I am pretty sure that NK's /22 block and its 2 backup /24 blocks are pretty closely watched by the NSA to the extent they can. As good as they are, I think they (and the FBI) can still be fooled.

So, I think that Bruce's statement scans A-OK.

Mike Chase • January 8, 2015 11:52 PM

More armchair quarterbacking, Schneier. Come on, you're better than that.

"The FBI's evidence is circumstantial and not very convincing."

The arrogance of this statement (not just by you, but by my other peers) is astounding. The FBI has repeatedly stated that there is a substantial amount of evidence that they have not released. How anyone can speculate as to the FBI's correctness, while simultaneously admitting to not knowing the totality of evidence (facts) in their totality, isn't even armchair quarterbacking. It's stupidity.

Gerard van Vooren • January 9, 2015 12:31 AM

@ david

One of the benefits of extensive study on lie detecting is that you not only become very good at detecting it but also at perpetrating it; however, I don't think Clapper is lying when he said that, if you read his words carefully.

https://www.youtube.com/watch?v=4v7YtTnon90

Look at him scratching and shaking when telling the big lie.

Wesley Parish • January 9, 2015 3:43 AM

So according to the US Federal govt, it's tortoises, tortoises, tortoises, all the way down?!?

Not buying that! According to the Discworld Prophet, Terry Pratchett, Great A'Tuin is swimming, not standing, and although its sex and gender orientations are not known, it is a Turtle, not a Tortoise! And furthermore, there are four elephants standing on Great A'Tuin's back, bearing the world!

define SARCASM_FILTER false

I think most people nowadays think that Terry Pratchett is a much more reliable source of information than the US Federal govt. I'm sure the North Koreans would wholeheartedly agree.

Clive Robinson • January 9, 2015 4:48 AM

@ Mike Chase,

How anyone can speculate as to the FBI's correctness, while simultaneously admitting to not knowing the totality of evidence (facts) in their totality, isn't even armchair quarterbacking. It's stupidity.

Oh dear oh dear oh dear.... you are doing exactly that by claiming that because the FBI says it has "a substantial amount of evidence",

A, That they are telling the truth, and
B, That the evidence actually proves what they say.

This is like you and I sitting around the table playing poker, you've "bet the farm" on the strength of your hand. It gets to the point where it's card show time, are you going to allow me to just say my hand is stronger than yours and take everything? Especially when other cards on the table don't align with my claim...

I sincerely doubt it; people would question your sanity.

Well, that's the position we are in. US Pres BO has made claims that have painted not just himself, but the US Gov and citizens, into a corner. He has created a very large diplomatic incident publicly that could easily lead to a war, not just with NK but China and Russia. The leaders of both these superpowers have made it clear that it is time the US is deposed of its self-appointed global leader status and kicked out of what they regard as their spheres of influence. Previous US Presidents have known that when doing this you have to provide hard evidence to the world, or be accused of being a war monger / criminal. GWB did not have anything remotely like evidence and, as many have observed, "made it up as he went along". He started a war not of self defence but of greed and aggression, which makes him a War Criminal under international law. It appears that US Pres BO likewise wants to prove he's "cock of the walk", for reasons that will end badly or in his humiliation and that of the US Gov and citizens.

Why he has chosen to go out on a limb for the FBI / NSA I don't know; their credibility is not good, nor has it been for some time.
Let's just say many US judges almost automatically assume the FBI are, shall we say, "economical with the truth" at the best of times.

At the end of the day the FBI is not what they try to portray themselves as in the media; they are a tax-funded political organisation which lobbies the legislators just as hard, if not harder, than the most venal of IP-grabbing or environmentally polluting corporates.

You only have to look at what they do with NSL's to ruin not just other countries security but that of every US corporation and every US citizen. Having done so they then will not take responsibility when others take advantage of the mess they have made, and will try their best to make worse.

Thus the FBI / NSA do not have credibility, worse the data that is available points more reasonably in other directions.

But the FBI have a history of claiming data as "hard evidence" when it does not even pass the test to be considered hearsay that should rightfully be excluded from any court.

I've given a simple scenario about just how easy it would be for others to "set up or frame" NK.

Thus if US Pres BO wants to set himself up as judge, jury and executioner, it's only right that others he is dragging with him should not just ask but demand the evidence on which their lives or those of their children may be extinguished for in war or reprisals.

If you cannot understand this, please feel free to sign up with a military organisation and be first into the front lines, but don't force others to join you.

Skeptical • January 9, 2015 4:02 PM


Okay - I have to say that I find some of the skepticism in the comment threads mildly hilarious after the last year and a half. From "the NSA has compromised everything (almost)" to "the NSA doesn't know basic fundamentals of networks" is quite a trip, but some of the commenters made it without breaking a sweat. Nicely done!

More seriously:

What this all means is that it's in the US's best interest to claim omniscient powers of attribution. ...
It can be an effective bluff, but only if you get away with it. ...
The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we're expected to support retaliatory action, is for the government to be much more forthcoming about its evidence.

No... Bruce, I like a lot of the issues you're raising in general about norms governing how we categorize and respond to cyber attacks, but I really disagree with you as to whether it is in the perceived, or actual, interest of the US to bluff.

The following proposition (among others with similar implications) is likely to be considered true with a probability of more-likely-than-not by the USG:

If North Korea is truly not responsible, then it is probable that China knows it.

From this we can easily infer:

If the US is wrong in its attribution, it is telling China something important about the limits of its capabilities.

Because attribution is a necessary component of deterrence, this would enormously reduce US deterrence in relation to cyber attacks by China.

Is there any value that would justify a bluff which risks US deterrence capability against China?

No. If the US were uncertain, it could wait to develop additional intelligence in the hope of becoming certain, without endangering its deterrence capability. Responding swiftly does not require having the President announce both attribution and promise retaliation within weeks of becoming involved.

So the proposition that the US is bluffing is extremely unlikely to be true.

That leaves the possibility that US is not bluffing, but is mistaken. Certitude and certainty, after all, are not the same thing.

The problem of attribution is obviously a central issue in law enforcement and intelligence. The USG has many years of experience with this problem, as do the private experts and organizations who have assisted the USG in the past. They know, as well as anyone in the world, how hard and complex attribution can be. They'll be cautious in describing what conclusions the evidence supports.

There are additional points of possible error down the line - other analysts, influential policymakers - but they all seem unlikely in this case.

Finally, does the USG ever need to actually show the evidence that it found persuasive? Absolutely not. If the attribution is correct, then China probably knows it. Russia may not be certain, but would probably be more surprised if the USG revealed sources and methods just to placate the public (and wouldn't believe what the USG says anyway) - it will probably conclude that the US is on the mark in its attribution.

And other actors? If they want to take the risk, the USG isn't going to dissuade them - or anyone else - by revealing sources and methods that are immediately rendered useless by the disclosure.

charles • January 9, 2015 5:17 PM

"That leaves the possibility that US is not bluffing, but is mistaken. Certitude and certainty, after all, are not the same thing."


That is deep thinking there...

A more simplistic way to reason this: any further deviation from the official conclusion can be explained away by the "hired by" hypothesis. If the initial due process is any indication, any later amendments won't require harder proof.

Nick P • January 9, 2015 7:57 PM

@ Skeptical

"Is there any value that would justify a bluff which risks US deterrence capability against China?"

You mock commenters' opposing views of reality with NSA situation. Which isn't really opposing given hacking is much easier than solving needle in a haystack problems on TB of collected data. But, you then make the same mistake you accused them of in your own post. Lol.

What deterrence capability? The U.S. government has said in numerous reports and statements that Chinese spies stole all kinds of highly classified information. This is TS/SCI type information of many varieties, often on isolated networks. That indicates they have human infiltrators in all kinds of classified programs. Further, both the private sector (e.g. Mandiant) and the U.S. government keep showing Chinese hackers have been extremely successful against both non-classified government organizations and businesses. Terabytes of information have been stolen. Lastly, they exceed the capabilities necessary to hit all kinds of insecure ICS systems connected to the Internet.

Conclusion: Chinese are hammering us nonstop, the NSA/FBI's SIGINT-enabling policies only make it easier, and we should talk about *response* to the *existing situation* rather than deterrence of... what?

Besides, Chinese don't have an interest in outright destroying us. They believe U.S. will collapse economically under the weight of its own poor financial, military, and diplomatic decision-making. (As do I.) They instead make their currency independent from us, ensure they'll survive economically if we're not there, and continue allowing U.S. companies to use their cheap labor to gain leverage + money + I.P. stealing opportunities. It's a racket that the United States and its businesses willingly participate in for short-term benefits that causes long-term losses and problems. There are also benefits for those merely watching such decisions: the stress reducing and healing power of laughter. ;)

Wesley Parish • January 10, 2015 1:20 AM

@Skeptical

If the US is wrong in its attribution, it is telling China something important about the limits of its capabilities.

No bull! I believe I may have made a similar point, if not on this blog, elsewhere on the Net, about the USS Vincennes shooting down Iran Air Flight 655, after its integrated air defense capabilities had been praised to the heavens. At one fell swoop the USSR knew about the limitations of Ray-Gun's SDI, and could safely discount it. As it happened their economy wasn't up to it, but USS Vincennes showed them good how unreliable the Pentagon's accounting systems actually were.

From "the NSA has compromised everything (almost)" to "the NSA doesn't know basic fundamentals of networks" is quite a trip

They are two sides of the one coin. Script Kiddies writ large. One of the benefits of Commercial Off-The-Shelf purchasing is supposed to be the reduced demand on training, since everybody already knows the stuff. If everything COTS is compromised, then in theory all that's needed is a pack of droids running sploits, and No Assembly Needed.

Skeptical • January 10, 2015 2:30 AM

@Nick P: What deterrence capability? The U.S. government has said in numerous reports and statements that Chinese spies stole ... Chinese are hammering us nonstop, the NSA/FBI's SIGINT-enabling policies only make it easier, and we should talk about *response* to the *existing situation* rather than deterrence of... what?

There are two types of deterrence.

(1) Deterrence by denial: you dissuade an adversary from taking an action because you have persuaded him that the action will fail, or that the direct costs of doing so are not worth the benefit;

(2) Deterrence by punishment: you dissuade an adversary from taking an action because you will retaliate in such a way as to render his action inadvisable.

We don't seek to deter espionage by retaliating against the nation conducting it. There are rough rules of the road when it comes to how nations treat the spies of other countries. For example, the US spies on Russia; Russia spies on the US. If a foreign intelligence officer is caught spying, he'll be locked up for a few hours, asked some questions, but will generally be treated humanely and then declared PNG and given 24 hours to vacate the country. We don't go to war over espionage, and we don't seek to deter espionage by other nations by punishment - though we certainly seek to deter espionage against us by our own citizens by punishment.

When it comes to nuclear attacks, deterrence by punishment is the primary US strategy. Use nuclear weapons against us, and we'll obliterate you. Period.

What about smaller military incidents? Usually tit-for-tat.

What about cyber attacks? Current US policy is: retaliation will depend on the magnitude of the attack, which will be assessed just like any other attack, and the means of response are not limited to the cyber domain. In other words, if you attack a chemical plant, cause the failure of safety systems and the release of toxic gases that cause casualties, the US will consider it no differently than if you had bombed the chemical plant. At a minimum the response will be calibrated to deter by punishment additional such attacks. If the cyber attack is more akin to a small military incident, then a tit-for-tat response may be called for. And if there's some cyber-equivalent to a nuclear attack (I doubt there is), then an extremely punitive response will be called for, probably in domains outside of cyber.

Deterring cyber attacks, just like deterring nuclear or conventional attacks, requires the ability to attribute responsibility. This is why, for example, when concerns rose about the proliferation of nuclear material from North Korea, the US made it very well known that it had the capability to determine precisely where the nuclear material that composed a bomb was derived from, and that it would use this fact to attribute responsibility.

Besides, Chinese don't have an interest in outright destroying us.

True, just as we do not have an interest in destroying them. However, neither nation wants to rely on the good will of the other for its security, so deterrence is an important capability, the loss of which would be viewed as quite serious. To reiterate, deterrence by punishment is not practiced with respect to espionage (except with respect to citizens who betray their own countries, and between certain nations at higher levels of hostility).

They believe the U.S. will collapse economically under the weight of its own poor financial, military, and diplomatic decision-making. (As do I.) They instead make their currency independent from us, ensure they'll survive economically if we're not there, and continue allowing U.S. companies to use their cheap labor to gain leverage + money + I.P. stealing opportunities.

Well, okay, but I wouldn't bet much on that view. The US economy is distinguished from the rest of the developed world at the moment by steady growth and stability, a trend expected to continue throughout 2015. China may turn out fine, but has enormous corruption issues, much more serious risks in its financial system, and far more social strains and tensions than the US. I don't think either nation is in danger of collapse, but the US is perhaps one of the nations farthest from such a possibility.

paul • January 10, 2015 9:35 AM

Nick P wrote:

They instead make their currency independent from us, ensure they'll survive economically if we're not there,

Why would they ever want to do that? I believe the politically correct term is 'pegging.' Interesting word...

Nick P • January 10, 2015 12:08 PM

@ Skeptical

"I don't think either nation is in danger of collapse, but the US is perhaps one of the nations farthest from such a possibility."

It almost collapsed in 2008. Further, we got to see just how broken the system was: core bankers and regulators ruined tons of lives and lost a ton of money; Fed prints around $1 trillion to bail them out with several trillion more in long-term liabilities; criminal immunity for those responsible; more schemes on the way. This alone shows how untrustworthy the U.S. financial system is.

@ Skeptical, paul

Then there's people like Jim Richards arguing issues with the value of the dollar could cause a 25-year Great Depression at any moment. He has some good arguments and was right about 2008. Here's an interview. So, paul, the trick is that some countries already know the U.S. is a long-term liability and they're trying to avoid setting their future on it given its mis-management.

Sancho_P • January 10, 2015 1:16 PM

@ Clive Robinson (9, 4:48 AM)

“Why he [Pres. OB] has chosen to go out on a limb for the FBI / NSA I don't know”

For whom? The FBI / NSA?
Isn’t it for the authoritarian followers that expect him to name an attacker?
To his personal benefit?

As it was done with revealing the Team 6 for the murder of OBL?
Completely unnecessary - besides sacrificing their comrades?
http://en.wikipedia.org/wiki/2011_Chinook_shootdown_in_Afghanistan

Public attribution on “secret” evidence is insane, even your own kids would grill you,
but in America they raise the flag.
@ Skeptical

“When it comes to nuclear attacks, deterrence by punishment is the primary US strategy. Use nuclear weapons against us, and we'll obliterate you. Period.”

Correction: “… and we will obliterate us”.
Baaaaaad typo!

AlanS • January 10, 2015 1:43 PM

@Skeptical

"I have to say that I find some of the skepticism in the comment threads mildly hilarious..."

You misunderstood. It's skepticism of the basis on which they are making public attribution. The IP and the Silence of the Lambs stuff is ridiculous.

Skeptical • January 10, 2015 3:39 PM

All way off topic:

@Nick P: It almost collapsed in 2008. Further, we got to see just how broken the system was: core bankers and regulators ruined tons of lives and lost a ton of money; Fed prints around $1 trillion to bail them out with several trillion more in long-term liabilities; criminal immunity for those responsible; more schemes on the way. This alone shows how untrustworthy the U.S. financial system is.

2008 actually showed how resilient the US system is, which is why US bonds remain very expensive to buy. The Federal Reserve, and the US Government, contained a financial crisis and recession that could have been much worse (though it's ludicrous to talk of the US almost collapsing in 2008), and they did so via strengths firmly engrained in US institutions. That resiliency is amplified today, with better policy tools in place to prevent the biggest risks faced in 2008.

As to the "bail-outs", the Federal Reserve earned a profit on the loans that were essentially (but rightly) forced upon major financial firms, and continues to earn profits from its operations. This year it paid out 98 billion dollars in profits to the US Treasury. Major financial firms meanwhile have paid somewhere well over $150 billion in fines since the crisis.

You're really rowing against the tide in claiming that the US is on the brink of collapse. The facts line up very differently, and most see them as I do (on this subject, at least).

Then there's people like Jim Richards arguing issues with the value of the dollar could cause a 25-year Great Depression at any moment. He has some good arguments and was right about 2008. Here's an interview. So, paul, the trick is that some countries already know the U.S. is a long-term liability and they're trying to avoid setting their future on it given its mis-management.

I have no idea what issues with the value of the dollar could cause a 25 year Great Depression. The dollar is quite strong at the moment, and most people predict that it will continue to appreciate against other currencies in 2015 as the US economy continues to perform and the Federal Reserve raises interest rates. That may be good news or bad news depending on where you sit, but how it leads to a 25 year Great Depression is beyond me.

Nor do I see any sign that those from other countries share your views in any significant number. Foreign investment has been pouring into the US.

So, I wouldn't put much money on a warning of a 25 year Great Depression. Of course, if you had put money into a fund that tracks a broad index of the US stock market (like the S&P500) at this time last year, you'd have made about 14% on it.

People have been seeing doomsday since we first invented the concept of a day. And over any significant period of time, those who invested on the basis of those doomsday views lost, enormously, relative to those who patiently and steadily invested over time in the continued growth and existence of the system.

Nick P • January 10, 2015 6:08 PM

@ Skeptical

It's funny: one of my investor friends said about the same thing to me in a private message. Doomsday or not, Wall St is piling risk on top of risk in a way that doesn't inspire my confidence. That they can cost us $1-6 trillion with a bailout and immunity to criminal prosecution is just asking for more problems. Our democracy should've handled them like Iceland's did as they've put an end to those problems and gotten solid results economically. I'm keeping an eye on them carefully even if most of America won't.

donnie • January 10, 2015 8:27 PM

@AlanS: You misunderstood. It's skepticism of the basis on which they are making public attribution. The IP and the Silence of the Lambs stuff is ridiculous.

lolz... Do you think the FBI solves murders by presenting circumstantial evidence? I don't think so. Why would they treat this cyber attack differently?

donnie • January 10, 2015 8:40 PM

@Skeptical: 2008 actually showed how resilient the US system is, which is why US bonds remain very expensive to buy.

bingo!

As to the "bail-outs", the Federal Reserve earned a profit on the loans that were essentially (but rightly) forced upon major financial firms, and continues to earn profits from its operations.

imagine you run a business where every time you over-exerted yourself or even broke the law, there comes an invisible hand to lend you a bridge loan that you don't have to pay back until the day your business turns around. that's rather neat, wouldn't you say?

So, I wouldn't put much money on a warning of a 25 year Great Depression.

25 is a bit long, and the consensus seems to be going the other direction, up. off topic: 25 is a nice number tho. I always liked that number. :^)

Buck • January 10, 2015 9:37 PM

LOL!

A billion dollars here, a trillion dollars there, some twenty years in the future... What difference does it make? While century-old measures and metrics can produce some pretty cool looking charts and graphs about depressions and recessions, a brief lesson in history will show that these concepts are far more related to bankers leaping from balconies, commoners' exposure to the elements & predators, and malnourishment vs. any digital or printed numbers in someone's ledger.

AlanS • January 11, 2015 8:32 AM

@Donnie

You missed my point. I'm saying the evidence they have presented to the public so far isn't the least convincing. I think it's just a bone they've thrown out there to feed the media dogs. Whatever is really going on here isn't being talked about in public.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.