The Attribution Revolution

A five-point plan to cripple foreign cyberattacks on the United States.

The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China's military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won't help the victims of espionage, which is not regulated by international law. So if negotiation won't work, what will? Not a strategy that relies entirely on defense. That's like trying to end street crime by requiring pedestrians to wear body armor.

The good news is that there has been a revolution in our ability to identify cyberspies. It turns out that the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.

Call it Baker's Law: "Our security sucks. But so does theirs."

As numerous recent reports show, attackers are only human. They make mistakes when they're in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords, email addresses, and physical computers. Their remote access tools are full of vulnerabilities. These are openings that we can exploit to trace cyberattacks first to the command and control computers used to carry them out, then to the homes and offices of the hackers that perpetrate them and then, hopefully someday soon, to the customers that sponsor them.

But attribution is only half the battle if we want to deter cyber-espionage. The other half is retribution. Once we identify the attackers, we need to persuade them to choose another line of work. If we're serious about stopping cyberespionage, there are plenty of tools at our disposal:

1. Expose and isolate nations

Naming and shaming is a commonly used method of deterring bad conduct by other nations. The U.S. may be reticent about releasing hard-won intelligence about the activities of foreign governments. But some of the most explosive -- and convincing -- recent allegations against foreign governments have in fact been made by private entities. A report released earlier this year by a company called Mandiant offered extensive evidence of the People's Liberation Army's role in hacking into U.S. companies over a number of years. The report placed an embarrassing spotlight on state-sponsored hacking in China and sparked bitter but unconvincing denials from the Chinese government.

Of course, it's not clear that embarrassment alone will stop countries like China or Iran from supporting cyberattacks against U.S. companies and agencies. But it's a start. It raises the cost of what has been a relatively low-risk, asymmetric strategy. And it sets the stage for further action in the future.

China may seek to do some naming and shaming of its own, of course. It claims to have "mountains of data" about U.S. cyber spying. Perhaps so. But the United States already does a pretty good job of exposing its own secret cyber exploits, so it's unlikely that the world will learn much from the Chinese effort. Perhaps more importantly, neutral exposure is an asymmetric tactic that helps the United States. Our intelligence is focused on government, not commercial targets. The more the world learns about the two nations' approach, the more its concern is likely to center on China, not the United States.

2. Sanctions for spies

The U.S. government may not be able to reach hackers located on the other side of the world. And even if we could catch them, we might not want to risk compromising intelligence sources and methods by taking them to court. But that does not mean the United States cannot punish them. The government already uses classified information to label terrorist supporters and drug kingpins as "specially designated nationals" and to impose sanctions on them -- seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. The United States even has such programs for sanctioning Belarusian kleptocrats and conflict diamond purveyors. Maybe it makes sense for Washington to use sanctions to punish misdeeds in Belarus or West Africa, but shouldn't it first use these measures to punish people who are invading homes and offices in, you know, the United States?

It's unclear why the president hasn't done this already -- he's already got all the authority he needs to impose sanctions on cyber spies and their enablers. Under the International Emergency Economic Powers Act, the president could determine that cyber spying poses "an unusual and extraordinary threat" to the United States and declare it a "national emergency." He could then publish a list of hackers who would be subject to sanctions. In keeping with past practice, he could rely heavily on classified data to make the designations -- without disclosing any of it.

3. Prison break meets prisoner's dilemma

Sometimes carrots work better than sticks, and visas can certainly play that role as well.

The Justice Department is authorized to issue up to 250 "S" visas each year to foreign nationals "in possession of critical reliable information concerning a criminal organization or enterprise." The visa allows family members to enter as well, and it becomes a permanent residency if the witness's "information has substantially contributed to the success of an authorized criminal investigation."

Systematically hacking U.S. companies and agencies surely constitutes a criminal enterprise under domestic law, and even an investigation can be deemed a success without leading to a criminal conviction. If a witness's cooperation helps us to thwart other countries' cyber spying campaigns, that surely counts as a success.

So under current law, the Justice Department could send text messages to all the guys who've already been identified as Chinese hackers, saying: "The first one of you who shows up at a U.S. consulate with a flash drive full of your employer's data will get an S visa and $1 million. The second one will get an S visa and $100,000. The third will get an S visa and $10,000. And the rest of you will be indicted with the evidence supplied by the first three."

4. Deny visas to enablers

On the flip side, the U.S. government has the power to deny visas and other perks to entities that act as enablers to hackers.

For example, late last year Trend Micro released a report that unmasked "Luckycat," a Chinese hacker who had attacked the Dalai Lama, U.S. aerospace firms, and other targets. His real name was Gu Kaiyuan, formerly a student at Sichuan University's Information Security Institute and at least at the time an employee at a major Chinese Internet company. Now it may be that the U.S. government can't do much to reach Mr. Gu in China, but why haven't the officials investigating those intrusions gone to his employer and his alma mater and asked them to cooperate in the investigation? Unlike Mr. Gu, those institutions need to maintain good relations with the United States government. Sooner or later, every Chinese university wants its students and faculty to get visas to work and study in the United States. And every Chinese company that does business here is subject to U.S. investigative authority. They have many reasons to cooperate, particularly if the government has evidence that they may have condoned or enabled cyberspying. At a minimum, taking a hard look at these institutions will make them think twice before they support or turn a blind eye to hackers in their midst.

5. Criminal and civil suits for final customers

But punishing individual hackers is only part of the story. What if the United States applied all of these measures not just to the hackers themselves but to companies that benefit from the data they filch from U.S. networks? There's no difference in criminal responsibility between a thief and the customer he's stealing for. But there could be all the difference in the world between hackers who do their work from the safe environs of a protective government and the hackers' customers, who can't be truly successful in today's world if they aren't part of the global marketplace. And going global means exposing their companies, executives, and assets to the legal systems of the United States, Europe, and a host of other countries that are furious at the wholesale espionage aimed at their companies. If a few big companies in China find that having a cozy relationship with hackers means criminal prosecutions and asset seizures, they're a lot more likely to say "Thanks, but no thanks" to offers of stolen data.

Of course, to bring those cases, the government will have to have those companies dead to rights, and so far it doesn't. U.S. security researchers have done a great job of tracking the thieves back home. But they've had trouble identifying the companies who ultimately benefit from cyberspying.

That too is an attribution problem -- the next one we have to solve if we want to really discourage commercial cyber-espionage. It will be difficult, but no harder than the first attribution problem looked five years ago. Given the stakes, improving cyber-attribution should be at the top of U.S. intelligence priorities. And now that private researchers have demonstrated how much attribution can be accomplished without all the resources and authorities of the CIA and NSA, those agencies should be embarrassed by their poor record to date. And they may not have much time before someone -- Iran, North Korea, Hezbollah -- causes a power outage or other control system failure in the United States. If they can't tell the president who did that, the heads of those agencies will be looking for new jobs. As part of the attribution effort the United States needs for defense, it shouldn't be that hard to identify the customers who benefit from cyber-espionage.

* * *

While the technical challenges remain with U.S. intelligence and law enforcement agencies, there have nonetheless in recent months been hopeful signs from an unexpected place: Congress. Of course, past legislative efforts aimed at improving our passive cyber-defenses (e.g., regulating critical infrastructure security, information sharing) have struggled to take off. Business groups have resisted measures that might result in more regulation, and privacy groups have opposed measures that might weaken protection of personal data. But the political calculus may be different when it comes to imposing pain on the hackers themselves. In recent months, the Hill has been buzzing with new ideas for identifying and punishing cyberspies and the companies that benefit from them.

At a recent hearing before the Senate Judiciary Committee's Subcommittee on Crime and Terrorism, I testified about some of these ideas. Senators Sheldon Whitehouse (D-RI) and Lindsey Graham (R-SC) expressed particular interest in measures to impose sanctions on countries that support hackers as well as potential visa restrictions.

Another example is the Deter Cyber Theft Act (S. 884), which has been sponsored by a bipartisan group of senators that includes Senators Carl Levin (D-MI), John McCain (R-AZ), Tom Coburn (R-OK), and Jay Rockefeller (D-WV). This bill would require intelligence agencies to report annually to Congress on countries and entities that engage in cyber-espionage, and to identify intellectual property that has been stolen as a result of hacking. It further permits the president to prevent the importation into the United States of products that are linked to foreign cyber-espionage activities, such as articles that have been manufactured using stolen IP or that have been produced by companies that have benefited from it. In short, the bill would nudge the government towards broader attribution, greater naming and shaming, and some efforts to deny companies the fruits of using stolen information.

If these measures result in the punishment of Chinese companies, there is no doubt but that China will seek to reciprocate. But once again, asymmetry is likely to complicate their task. U.S. intelligence agencies do not steal commercial secrets for U.S. companies, so it will be hard for China to mirror these measures without faking the evidence. In short, a focus on the beneficiaries of commercial espionage could cause real pain for cyber spies and their customers. With luck, this may allow us to add a corollary to Baker's Law about cyberspies: Not only does their security suck, but maybe soon it will suck to be them.


The Real Reason You're Mad at the NSA

Imagine the civil-military divide -- but much, much bigger.

"What's really going on here?" That's the question I typically ask students to kick-start a discussion about some aspect of American intelligence at the Johns Hopkins School of Advanced International Studies, where I teach a graduate course on the subject.

This same question might fairly be asked about the controversy dominating the news since the leak that revealed the intelligence community's highly classified electronic surveillance program. Why are we so fascinated with this case? Why are some Americans outraged at the government while others are outraged at the leaker? Why do so many of us have such firm and passionate views about all of this?

At one level, the answer is simple: Intelligence is a sexy subject, particularly in the post-9/11 era. And the surveillance program was a secret, so who wouldn't be interested? But this controversy taps into deeper cultural strains that go to the very heart of the intelligence community's role in America, and perhaps our maturation as a nation. The bottom line is that intelligence, as a profession, still does not sit comfortably in our polity. There are a number of reasons for this.

First, the essential qualities of good intelligence inevitably clash with the underlying values of an open, pluralistic, and free society such as ours. The effectiveness of our democracy depends on an informed citizenry; effective intelligence depends on withholding and protecting information deemed sensitive. As citizens, Americans cherish their privacy; intelligence officers, subject to frequent background checks, polygraphs, and intrusive financial disclosure, are accustomed to giving it up. The functioning of our system revolves around the rule of law; the functioning of intelligence, while based in American public law, relies on the willingness of its officers to "get chalk on their cleats," to quote former CIA Director Michael Hayden -- and to actually break the laws of other countries by secretly recruiting foreign nationals as agents. So as the curtain is pulled back on the NSA's surveillance program, many of us instinctively recoil -- and even some supporters wince a little. Meanwhile, prurient interest in the details skyrockets.

Second, we are a "young" intelligence nation, and intelligence is still the most novel tool in our foreign policy kit. The United States was the last major country to organize intelligence at the national level. To be sure, intelligence played a role in the Civil War, and our military services have long had specialized intelligence services. But as late as 1929, the secretary of state, Henry Stimson, could declare in all seriousness that "Gentlemen do not read each other's mail," as he cut his department's funding for America's first cryptanalysis organization -- the so-called Black Chamber. By contrast, the French had had a "cabinet noir" as far back as the 16th century -- an organization within the post office tasked by the king specifically with reading other people's mail. The Chinese have thought systematically about intelligence since strategist Sun Tzu's historic writing in the 6th century BC; the British had an organized spy service under Elizabeth I in the 16th century; the Russians have embraced the profession for centuries, as have most of our European partners. But it was not until 1947 that intelligence really entered the U.S. national conversation with the creation of the Central Intelligence Agency.

In other countries, intelligence still holds plenty of fascination for the public, but many older nations, unlike the United States, have domestic intelligence services and have integrated the profession more comfortably into their cultures. Besides, they do not "leak" intelligence at anywhere near the frequency that we do, so material with the potential to shock or startle is much less plentiful.

Third, modern intelligence controversies are occurring at a moment when surveys by Pew and other polling organizations show that American distrust of government is at an all-time high, ranging between 73 and 80 percent in the last few years. I recall some years ago seeing a Ted Koppel interview with a successful Chinese businessman who, when asked if he liked his government, said: "I don't like it, but I trust it." I wonder if we have not come to think exactly the reverse in the United States. In my lifetime, I have seen us move from broad acceptance of governmental competence and authority in the Eisenhower era through a series of events that have led us to this low point -- the multiple assassinations of the 1960s, bitter division over Vietnam, the Watergate affair, Iran-Contra, the Clinton-era scandals, the Iraq imbroglio, and now the IRS controversy.

This legacy encourages us to always look for the dark side in governmental actions, and when we find a credible instance of wrongdoing -- regrettably not so hard in recent years -- we assume it is symptomatic of the whole. The partisanship everyone comments on today may or may not be a factor in this, but at a minimum it serves to keep the focus on the problems and push off constructive dialogue on solutions.

The surprise and shock provoked by this latest revelation is matched only by one little-appreciated irony: The United States is by far the world's most transparent nation on intelligence matters, and its spy services are without question the most closely and thoroughly overseen. Any adversary studying the frequent open congressional testimonies by intelligence officials, our daily press stories, our declassified intelligence publications, and our endless stream of leaks would have to be hopelessly dim not to understand our priorities and deduce many of our methods. For example, the annual threat assessment that the director of national intelligence must present publicly to Congress -- I have presented it myself -- is a serious and detailed document that gives away no actual secrets but is certainly a reliable guide to our intelligence priorities and the main lines of our analytic thinking, as are annual unclassified reports to Congress on subjects like the foreign ballistic missile threat. Foreign intelligence officials, who do not have such requirements, endlessly ask me: Why, in heaven's name, do you Americans do this?

Most of us who've worked in the field strongly support congressional oversight, which has the virtue of being the only real connection our profession has to the citizenry it serves. But to my knowledge, no other legislature in the world gets intelligence products approaching the scope and magnitude of what our oversight committees receive -- nearly all of the community's analytic assessments and literally hundreds of substantive briefings and special reports a year. Even our closest allies restrict their legislative oversight largely to budgets and only rarely delve into substantive product. In fact, foreign partners frequently object to our inclusion of their reporting in the assessments we send to Congress, because their own legislatures are barred from seeing the reporting they pay to acquire.

Another aspect of American life laid bare by the current controversy is the wide gulf between intelligence professionals and those who ask why a leak like this does damage. To an experienced intelligence officer, it's the ultimate "duh" question -- a bit like asking if a flashlight might be helpful on a dark night. Sure, adversaries assume we do some of this, but they don't know how we do it or how effective we are. The typical intelligence officer asks: Why should we give any detail or confirmation to people trying to kill us when they volunteer nothing and rely on secrecy as their most effective asymmetric tool against our superior power? In the intelligence game, we succeed as much by fostering ambiguity and uncertainty as by our technical ingenuity.

This gulf may just be symptomatic of that old Washington saying that "where you stand depends on where you sit." For the average citizen, the thought bubble when hearing about an intelligence leak may be "Isn't that fascinating... I've always wondered about that." For the average intelligence officer, often grappling with an adversary employing deception and tight security, the thought bubble is, "Damn -- how hard do you want my job to be?"

So the controversy over surveillance reveals much about us as a nation and about the cultural divide between the intelligence profession and those with a different focus. Where does it go from here? A prediction: The surveillance program will be endlessly and publicly debated, investigated, eviscerated, and digested. In the end, we will all get comfortable with some not-so-very different version of it, perhaps buttressed by a more consensus-based legal foundation. In the process, we will have created a public guidebook to how we do this type of intelligence, and our citizens will be much more educated and sophisticated about our intelligence methods.

But so will those who want to know all of this even more desperately than we do. There is no having it both ways.