Untangling attribution

Abstract

In February 2010, former NSA Director Mike McConnell wrote that, “We need to develop an early- warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options—and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment—who did it, from where, why and what was the result—more manageable.”2 This statement is part of a recurring theme that a secure Internet must provide better attribution for actions occurring on the network. Although attribution generally means assigning a cause to an action, this meaning refers to identifying the agent responsible for the action (specifically, “determining the identity or location of an attacker or an attacker’s intermediary”3). This links the word to the more general idea of identity, in its various meanings. Attribution is central to deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation. Retaliation requires knowing with full certainty who the attackers are. The Internet was not designed with the goal of deterrence in mind, and perhaps a future Internet should be designed differently. In particular, there have been calls for a stronger form of personal identification that can be observed in the network. A non-technical version of this view was put forward as: “Why don’t packets have license plates?” This is called the attribution problem. There are many types of attribution, and different types are useful in different contexts. We believe that what has been described as the attribution problem is actually a number of problems rolled together. Attribution is certainly not one size fits all.