Attribution subject of House cybersecurity hearing


Attribution is not the hinge on which cybersecurity rests, a panel of experts told a House committee during a July 15 hearing.

The ability of cyber attackers to hide behind multiple layers of obfuscation has long been seen as a problem in responding to such attacks or in setting up credible deterrence to prevent them from happening in the first place. But the problem of attribution "has been largely overstated," said Rob Knake, an international fellow at the Council on Foreign Relations, while testifying before the House Science and Technology subcommittee on technology and innovation.

Only a limited number of groups have the capability and money to undertake a significant cyber attack, Knake said, and traditional intelligence and law enforcement activities would be able to fill the information gap left by limited technical information. Rather than focus on attribution, Knake added, the United States should emphasize accountability. "Non-cooperation in investigating international cyber attacks should be taken as a sign of culpability. States must be held responsible for securing their national cyberspace," he said.

David Wheeler, a researcher at the Institute for Defense Analyses, placed greater importance on attribution during the hearing than Knake did, but said that attribution can only be one method of many. "Computer network defense shouldn't depend on attribution," he said. Attribution technology can be improved without necessarily sacrificing all elements of privacy; for example, login systems could store message hashes rather than the messages themselves, he said. But the federal government will likely have to pay for attribution technologies itself, since the private sector views such capabilities as a law enforcement or military task, he added. Moreover, attribution technology needs to be pre-positioned within a network.

"To be effective, many attribution techniques require some sort of cooperation by networks along the path from the attacker to the victim. Gaining such trust, unfortunately, can be very difficult," Wheeler said in his prepared testimony.

Ed Giorgio, president of Ponte Technologies of Ellicott City, Md., and a former chief codebreaker at the National Security Agency, said that a system of authentication through a trusted third party would make online transactions more secure while preserving anonymity. But the U.S. government "has not yet earned the necessary trust to perform this role, and we will require a lot more transparency and oversight before giving that trust," he said.

Efforts to establish a national authenticated online identity could be worse than useless, said Marc Rotenberg, head of the Electronic Privacy Information Center. It "will actually create new opportunities for people to hide, because they will create new false credentials," he said.

"It would be a mistake for practical reasons, in addition to human rights reasons, to place too much emphasis on attribution," he added.

For more:
- go to the House hearing's webpage, complete with prepared testimonies
- watch a webcast of the hearing
