This morning, the House Committee on Science and Technology’s subcommittee on Technology and Innovation held a hearing entitled “Planning for the Future of Cyber Attack Attribution”. The hearing featured a panel of four witnesses: Dr. David Wheeler, a Research Staff Member of the Information Technology and Systems Division at the Institute for Defense Analyses; Mr. Robert Knake, an International Affairs Fellow at the Council on Foreign Relations; Mr. Ed Giorgio, the President and Co-Founder of Ponte Technologies; and Mr. Marc Rotenberg, the President of the Electronic Privacy Information Center.
The purpose of the hearing was to “discuss attribution in cyber attacks, and how attribution technologies have the potential to affect the anonymity and privacy of internet users.” Witnesses answered questions ranging from ‘Can attack attribution play a role in deterring cyber attacks?’ to ‘If attribution is futile, what other methods can we use to prevent cyber attacks?’ Witnesses emphasized that while attribution is important, it is not a cure-all and should only be one part of the security toolbox.
They claimed that automatic attack attribution (e.g., having computers automatically determine the origin of an attack) was dangerous because of the possibility of failure and of assigning the wrong identities to attackers. They also, thankfully, mentioned that the internet should not be ‘locked down’, and that different segments should have varying degrees of security and privacy.
The panel stressed that anonymity on the internet conflicts with attribution. A common sentiment was that attribution must not come at the cost of the privacy of ordinary, lawful internet users. Witnesses went on to posit various methods of achieving attack attribution without a total loss of privacy.
While the hearing touched on many topics, one of personal interest was the role of the government in limiting the amount of data that private companies, such as Google, can record on their users. The panel claimed that increased restrictions on private companies would better secure citizens in the face of company breakdown, such as the Chinese hack on Google earlier this year.