Attribution

Originally published as:

Aucsmith, David. “The Technology and Policy of Attribution.” In #cyberdoc No Borders – No Boundaries, edited by Timothy R. Sample and Michael S. Swetnam, 13-30. Arlington, VA: Potomac Institute Press, 2012.

The Technology and Policy of Attribution

David Aucsmith[1]

Introduction

It is fitting that a discussion of a national doctrine considering cyberspace should begin with an exploration of attribution.  Attribution is either an explicit or an implicit assumption in the definition and implementation of doctrine.  Deterrence, preemption, retaliation, sanction, and prosecution all depend on knowing who has done what to whom.  The certainty required of attribution depends on the nature of the act and the context of the response.  Responding to criminal actions requires a degree of certainty sufficient for a court of law; acts of war require a degree of certainty consistent with law, policy and public opinion.  Others, such as attributing acts of espionage, may need only to satisfy a very select group, but all require some degree of attribution.

Attributing acts in cyberspace to specific countries, organizations, and individuals is fraught with difficulty and, in some cases, is an unsolvable problem.  The difficulty with attribution in cyberspace arises due to two distinct problems.  First, the design of cyberspace itself, the nature of the technology that created the computer and communications network we know as cyberspace, does not support an irrevocable mapping between individuals, addresses, routing and actions.  Second, the implementation of cyberspace does not prevent someone from spoofing the origin, the route, or the accountability for such actions.  These two problems make attribution in the cyber domain difficult, but not necessarily impossible.

We do attribute some actions in cyberspace, with a sufficient degree of certainty, to satisfy the requirements of law, policy, and doctrine.  We do this using technologies and processes that enhance the chance of attribution.  Attribution usually requires access to cyberspace components through cooperative tracing by the owners of those components, through lawful access, or through intelligence tradecraft.  As such, these technologies and processes are very dependent on the countries, organizations, and people involved.  They are certainly not reliable in the general case.

Cyberspace is an evolving construct.  The fact that cyberspace promotes anonymity over attribution is an artifact of its design.  There have been proposed changes to the design and implementation of cyberspace that would shift that balance[2].  As Lawrence Lessig notes, the architecture – the design – of cyberspace can be changed[3].  Precisely how the design of cyberspace needs to change to enhance attribution, and how those changes might be effected, depends on how the need for attribution is perceived.

In the end, general attribution will never be a characteristic of cyberspace.  We must shift our discussion of doctrine away from attribution and towards accountability.  People, organizations, and states should have an obligation to assist in cyber investigations where their property or jurisdiction is involved.  Noncooperation should be viewed as a sign of culpability.  In particular, states must be held accountable for securing their national infrastructure and must assume an obligation to prevent malevolent systems from harming others.

The Nature of Attribution

Attribution in cyberspace is the ability to describe who did what to whom with the degree of certainty required by the needs of law, policy, or doctrine.  Each part of the definition – who, what, to whom, and certainty – is uniquely difficult in the cyber domain.

Perpetrators “Who”

Who, the perpetrator of a cyber-act, is generally regarded as the focus of attribution.  However, precisely what the act is and who the target is are equally important and, as discussed later, may in some circumstances actually be more important.  The perpetrator can be regarded as the responsible party, but even the notion of a responsible party is complex.  Depending on the act and the circumstance, the responsible party could be a person, an organization, or a nation-state.

For example, it is not necessary to identify the individual responsible for acts of war in cyberspace.  The identification of the individual’s state would seem sufficient.  However, even this simple case becomes complicated when the individual is a “rogue actor” not acting under the authority of their state.  Should a state be held accountable for the actions of its citizens in cyberspace?  Was the “rogue actor” operating truly independently of the state or with tacit approval?  In many cases, a truly independent actor has committed a crime, not an act of war.

There are real world analogies to these scenarios.  In May of 1987, an Iraqi Mirage F1 attacked the USS Stark with two Exocet anti-ship missiles, killing 37 United States sailors and severely damaging the ship.  The United States chose not to view it as an act of war.  Simply identifying the individual responsible for an act is not necessarily sufficient to attribute the action to a responsible party – in this case, an Iraqi premeditated act of war.  The nature of attribution is bound to both the act and the policy governing the act.  For example, espionage in cyberspace is frequently a case of knowing the responsible party, but being governed by a policy that dictates no direct, overt response.

Cyber-Attacks “What”

The what, the act or attack, is important in establishing attribution.  It partly defines the applicable law, policy or doctrine, which in turn partly defines the degree of certainty required.  In some cases, simply knowing what occurred is sufficient; additional attribution may not be useful.  For example, if there is no policy that governs any responsive action, attributing the act to a person, organization, or state serves no purpose.  This is the general case of cyber-attacks on commercial organizations.  They are interested in removing the vulnerability or the attack vector and lack any capability or authority for pursuing the attacker.

As the nature of a cyber-attack partly defines the degree of certainty required and the applicable law, policy or doctrine, it is helpful to divide cyber-attacks into three different types, based on their objective and the US legal authorities that apply.

  • War – (US Title 10) Attacks to deceive, deny, disrupt, degrade or destroy.
  • Espionage – (US Title 50) Spying by a government to discover military and political secrets.
  • Crime – (US Title 18) Theft, fraud, or other criminal acts.

One of the difficulties in defending against cyber-attacks is that the tools, techniques, and procedures used to attack are the same regardless of the type of attack; they differ only in their objective.  The objective may not be discernible until after the attack has succeeded and the damage is done.  Different law, policy, and doctrine govern the certainty of attribution required of different types (objectives) of attacks and which organization has jurisdiction.  A fundamental difficulty arises, such as in the case of espionage, when policy is essentially proactive yet analysis is essentially reactive.

Although in this discussion cyber-attacks are described in terms of United States authorities, it should be obvious that cyber-attacks are international in nature and frequently must be viewed as existing simultaneously in multiple legal frameworks, each framework having its own understanding of attribution.  As attribution is generally across jurisdictional boundaries, the only way to satisfy each legal authority is to attribute at the “greatest common denominator” of the overlapping frameworks.  The burden so placed on lesser-resourced jurisdictions may be large enough to doom international cooperation.

Cyber Weapons “What”

It is possible to derive information from the cyber weapons and techniques used in an attack.  In some cases, this has directly led to the attribution of their maker, such as when attackers have left text strings or compiler serial numbers in their compiled attack code.  It is also the case that tools and techniques have a provenance that may be of forensic value.

Victims “To Whom”

It may seem odd to speak of attributing a victim, but it is also a complicated issue.  Specifically, the legal status and jurisdiction of the victim is sometimes difficult to define.  For example, who is the victim in the theft of personal information belonging to a German citizen from a United States company’s database that was physically located in Singapore, when the attack came through a network compromise in the company’s Canadian subsidiary?

As a related problem, many cyber-attacks are routed through intermediary sites, or proxies.  These sites may have been attacked simply to gain eventual access to the target system.  These intermediary sites are victims as well, but it may be impossible to discern the nature of the actual attack until the target victim is found and the objective understood.  Thus, attributing the actual victim and the nature of the attack may not be possible by simply having access to an intermediary site.

There is also the less common case in which the victim is not known.  It may be that an attack leaves evidence on an intermediary site, or through communications leakage, without sufficient information to identify the actual victim.  This is particularly the case when the attack is using multi-modal communications channels, for example, having some part of the communications over a wired connection and some part over a wireless connection.  Each channel may not see enough of the attack traffic to identify the victim.

Degrees of Certainty

As noted, the degree of certainty required of attribution is defined by the applicable law, policy, or doctrine, which is itself a function of the type of attack (the act), the perpetrator (who), and the victim (to whom).  In some cases, attribution to the granularity of a state is sufficient, in others to an organization.  Attribution may require identifying the physical location of the perpetrator or may need the identity of the specific individual or individuals; obviously, the greater the granularity of the requirement, the greater the difficulty of the task.  However, as noted earlier, the individual identified as a perpetrator may, in fact, be a victim at an intermediary attack site.

The identity of an entity in cyberspace is composed of a set of information about that entity’s presence in cyberspace in terms of cyberspace’s processes and protocols, such as IP address, logon time, or domain name.  It is not information about the person himself or herself.  It is not fingerprints or DNA.  Even the most damning of cyberspace evidence must be correlated to real world identities.  Unless provided with audio or video, correlation is still an imprecise process that relies on a preponderance of evidence to establish such a linkage.

The Character of the Technology that Defines the Cyber Domain

Cyberspace is unique in that it is a manmade creation.  It is a virtual space.  Although it occupies geographical space, it is not defined by geographical space.  It is, instead, defined by the properties of the technology that created its existence.  Cyberspace is the virtual environment created by the interconnected network of computing devices, communications channels, and the humans that use them.  The technology that creates cyberspace imbues cyberspace with innate characteristics that define how cyberspace functions and what is and is not possible.  To understand why attribution is particularly difficult in cyberspace, one first has to understand the design principles used in creating cyberspace.

The Short History of Cyberspace

Cyberspace, as we understand it today, had its genesis in the work of the Advanced Research Projects Agency (ARPA) in the early days of network computing.  In 1969, their work, along with ideas contributed by both the Massachusetts Institute of Technology (MIT) and the British National Physical Laboratory, led to linking four computers together that became ARPANET – the progenitor of today’s Internet.

The potential threat of a surprise attack by Soviet nuclear forces simultaneously prompted the U.S. Air Force to fund a research project to investigate how one might build a communications network that could survive such an attack[4].  In 1964, Paul Baran, working for the RAND Corporation, published a series of papers which addressed this problem[5].  Baran’s idea was to create a network of computers and/or communications devices that would be linked by transmission lines.  This network of computers would have no centralized control centers, which would have been the logical targets of an attack.  The network of interconnected computers would then send messages back and forth through the network by breaking the messages into small “packets,” where each packet could be routed as needed.  He recognized that the distributed network of computers would also need to have an “intelligence,” but to survive a massive attack, the intelligence must be distributed as well.  His idea was that the distributed network would have no preset routing; rather, each computer in the network would use information in the message itself to find the optimal route for the message based on the computer’s understanding of the network.  Each computer in the network would maintain a “routing table” that would record how much time a recently sent message packet took to reach its destination.  The computers would thus be able to make intelligent decisions as to how to efficiently route their messages based on ever changing historical data.  In effect, what Baran created was a network composed of a number of unmanned digital switches, each of which possesses a self-learning capacity within a changing environment.

The Structure of Cyberspace

As cyberspace has evolved, it can be thought of as composed of computers (devices performing computation) having some degree of intelligence, which are linked together by a network of communications channels, and used by people to transmit, manipulate, or receive information.

Computing Devices

The computing devices that create cyberspace come in many forms and perform many tasks.  They share the ability to take information as input, manipulate that information according to an embedded logic or program, and then output information.  Examples of such computing devices in cyberspace include sensors, routers, switches, personal computers, controllers, output devices, or the myriad of other components.  What is important is that the computing devices of cyberspace have “intelligence,” due to their programming, and they respond to input based on that programming.  They may have state.  That is, they may keep a history of prior input or computational results, which they use to inform future outputs.  Different inputs or different histories of inputs may generate different outputs.

Communications Channels

Communications channels connect computing devices in cyberspace.  They carry information from one component to another component.  All that is required to substantiate a communications channel is the ability to deliver information, regardless of the means.  Examples include fiber optic cable, microwave beams, light, or even mailing a disk drive from one point to another.  Communications channels may be one-to-one, one-to-many, or many-to-one.  They may be static or dynamic, and they may be unidirectional or bidirectional.  All that matters is that they pass information.

People

People are a component of cyberspace – perhaps the least reliable component.  They generate, manipulate, and consume information according to highly variable “programming.”  Their contribution to the characteristics of cyberspace which impact attribution is mostly as a component of Clausewitzian friction.  That is, humans contribute mostly to the unpredictability of attribution.

Implications of Cyberspace Structure

Starting with simple goals and an elegant simplicity, cyberspace has evolved into a domain whose total structure is too complex to be completely understood or analyzed.  The structure of cyberspace, the consequence of its architecture and components, gives cyberspace inherent properties that are important in considering attribution.  Among these are:

  • Self-organization – Components of cyberspace (computing devices, communications channels, and humans) can be added or removed.  They can be moved or modified and cyberspace will autonomously recognize them and reorganize accordingly.  An important concept for attribution is that there is no requirement for cyberspace to keep any information regarding previous organizations.
  • Historical learning – Each node or computing device in cyberspace routes packets based on the aggregate efficiency of the communications channels that were used to route previous packets.  That is, when routing a new packet, a cyberspace computing device routes it through the historically most efficient path to its destination.  The actual efficiency of the newly routed packet’s channel is then used to update the historical understanding for future routing.  For the purposes of attribution, a computing device cannot tell you how a packet was routed, only how it will route a future packet.
  • Scale-free network – Unlike the distributed network that was originally envisioned, cyberspace has organized itself around nodes or hubs of high connectivity.[6]  Any attempt to trace a path back through such high-density nodes may be impossible.
  • Recursive organization – Cyberspace is organizationally recursive.  That is, subsets of cyberspace have the same general features and organization as cyberspace in whole.  One can think of cyberspace as being composed of systems of systems.[7]  The complexity of the overall structure is masked by the abstraction of subsets.  For simplicity, subsets do not necessarily present information up to the next level.  Some information for attribution may not be presented to upper levels.  For example, user names local to a subset (e.g., a company’s network) of cyberspace are not forwarded to the next level (e.g., Internet Service Provider).
  • Local knowledge – Cyberspace operates globally based only on local knowledge.  Each component of cyberspace makes decisions based solely on its own local knowledge.  The overall behavior of any given subset of cyberspace is the aggregated result of the effects of each component’s local decision.
  • Ephemeral knowledge – Knowledge in cyberspace components is local and may be ephemeral.  That is, the information used by a given component of cyberspace to make a local decision may not be available to other components and may not be kept after the decision is made.  For example, the user/address mapping information of protocols like Network Address Translation (NAT) is not generally retained when no longer needed.
  • Good faith effort – The design of cyberspace assumed component failure, but not component duplicity.  Security of cyberspace operations was not a requirement of the design.  Intermediary nodes may manipulate information in unanticipated ways.

The last property is, of course, directly related to the security of cyberspace in general and attribution in particular.

Problems with Attribution in the Cyber Domain

As noted, attribution in cyberspace is the ability to describe who did what to whom with the degree of certainty required by the needs of law, policy, or doctrine.  However, the structure of cyberspace itself has features that make attribution either difficult or impossible.  The impact of these features on attribution can be broken into seven areas.

Identification and Authentication

The fundamental design of cyberspace has no assumption of either identification or authentication.  Cyberspace only requires that messages, that is packets, be addressed so that communications may take place.  Both identification and authentication are properties layered onto the design of cyberspace to meet the needs of economics or control.  Providers of various components and services of cyberspace have made an investment for which they desire a return.  Users must identify and authenticate themselves to the providers of those components and services to use them.  Thus, a user must log into an account of their Internet Service Provider (ISP) in order to have access to the computing devices and communications channels owned by the ISP.  The technology and rigor required for identification and authentication solely reflect the business needs of the ISP.

Similarly, organizations implement identification and authentication schemes consistent with their operational requirements for the protection of their property, reputation, or legal obligations.  Identity is an assertion of responsibility.  It may be the assertion of a real world person, but may also be a group of real world people, a device, or a software program, depending on the needs of the environment.

Cyberspace has no standards for either identity or authentication.  For many business arrangements, identity to a real person is not required.  Rather, it is the identity of the ability to pay.  Pre-paid phones and calling cards are examples of this.  Even if the identity is a real world person, the rigor in establishing the original claim of identity varies greatly.  What documents were presented and how thoroughly was their authenticity verified?  Very secure identity documents such as the United States military’s Common Access Card (CAC), which support very strong cryptographic authentication and anti-counterfeiting protocols, are based on the initial presentation of forgeable documents (birth certificates and driver’s licenses, which are also based on birth certificates).  Without a thorough background check, all assertions of identity are suspect.

Authentication is a proof of the assertion of identity.  There are only three bases against which assertions of identity can be authenticated: something you are, something you know, or something you possess.  Each has problems for its use in cyberspace.  Something you are, biometrics, relies on the unique biological features of a person, such as fingerprints or iris patterns.  In cyberspace, authentication of biometrics requires a sensor to sample and communicate the trait.  If the sensor, which must be located with the person, is compromised, then the authentication can be compromised.  In addition, no biometric trait is secret.  By definition they are observable and, thus, available for all to record and attempt to spoof.

Basing authentication on something one knows, such as a password, requires that only that person know the information.  Clearly, passwords are the most common authentication mechanism in cyberspace.  This is primarily due to the relatively inexpensive cost of implementing them.  However, there is plenty of data to suggest that they are a poor method of authentication.  Problems with the use of passwords include the fact that easily remembered passwords are frequently also easily guessed passwords, the same password is frequently used by a person on many sites, and there are techniques to observe and record password use.  One’s mother’s maiden name is rarely known only by the person of whom it is requested.

Authentication based on something one has is a common method in the real world, such as the key to a lock.  In cyberspace the proof that one has something is more complicated, but can be done using challenge and response cryptographic protocols.  Smart cards and secure tokens are good examples of such systems.  However, they are not widely deployed and there are still risks associated with them.  If the computing device through which the user authenticated is itself compromised, there is no way for the user to know what messages are being authenticated on their behalf by the compromised computer.

Attribution in cyberspace is ultimately limited by the rigor of the identification and authentication process through which the person, organization, or state asserted their identity to cyberspace.  It is important to note here that even given a perfect trace back of an act to the identity of a person, that identity is only as good as the assertion and authentication of that identity in the first place.  It could easily be a case of stolen identity.

IP Addresses and Binding

The basic foundation upon which cyberspace rests is the Open Systems Interconnection (OSI) Transport Layer and Network Layer protocols known as TCP/IP.  The OSI model is a standard reference model for communication between two end users in cyberspace.  Layer 3, the network layer, handles the routing and forwarding of the data.  In cyberspace, this is almost exclusively done with the Internet Protocol (IP).  Layer 4, the transport layer, manages the end-to-end control and error checking.  It ensures complete data transfer.  In cyberspace, this is mostly done through the Transmission Control Protocol (TCP).

In cyberspace, every node has an Internet Protocol address so that the Internet Protocol can route TCP packets from node-to-node, from start to finish.  However, unlike telephone numbers and street addresses, IP addresses are easily changed, or hidden.  There are two mechanisms that do this, Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT).

In the early days of the Internet, IP addresses were allocated to organizations in blocks and the organization would assign addresses, from its block of addresses, to individual components.  These addresses were “statically allocated” to the component and did not change.  Over time, it was realized that this method had many drawbacks, so DHCP was introduced.  With DHCP, when a device joins an organization’s network, the organization’s DHCP server “dynamically allocates” an address, from its pool of addresses, to the component.  The next time the component joins the network, it may be allocated a different address.  This is a common practice of both ISPs and large organizations.

DHCP allows the same computer to attach to networks having different blocks of addresses.  However, from the view of authentication, there is no requirement for the DHCP server to keep track of allocations over time.  Usually the address allocations – the addresses’ leases – are kept for some short period to allow a component to be allocated its previous address after a sudden interruption, but the lease information is not kept for an extended time.  Thus, knowing the IP address of a TCP packet that comprised part of an attack several days ago, may not give you any information as to which component within an organization sent that packet.

NAT is a different problem.  A device that performs NAT modifies the IP address of packets that pass through it.  It may simply substitute one address for another, a one-to-one translation of IP addresses.  It is more common to hide an entire IP address space, usually a private, non-routable address space, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space.  This may be done for a number of reasons.  It may be that an organization does not have enough addresses for all of its devices.  NAT allows many devices to share a smaller number of given addresses.  For example, an ISP may only allocate one address for an organization to use in connecting to the Internet.  A NAT device would allow many different devices in the organization to share the one allocated address.

NAT can also be used to enhance security.  The true IP addresses of the devices behind a NAT device are not available to an adversary, only the address assigned by the NAT device.  Obviously, the NAT device has to be able to restore the device’s IP address on inbound packets.  To do this, a NAT device assigns different ports to packets from different IP addresses and maintains a translation table so that return packets can be correctly translated back.  This translation table is generally not maintained past session termination.  In attempting to attribute an IP address, only the IP address assigned by the NAT device is available.  The real IP address of the device behind the NAT device is known only to the NAT device and only known for as long as needed to perform address translation for the session.

IP addresses in cyberspace are mainly IPv4 addresses (IP version 4 style addresses).  IPv4 provides approximately 4.29 billion possible addresses and all addresses have been allocated.  To add new devices to the Internet, one must use NAT.  IPv6 is the successor to IPv4.  IPv6 has a larger address space, approximately 3.4×10^38 addresses.  The thought has been that the use of IPv6 addresses would give every possible device in cyberspace (and all future devices) their own address.  Neither DHCP nor NAT would be used in the future.  However, while IPv6 addresses will be used, it is unlikely that either DHCP or NAT will disappear.  DHCP will continue to be used so that devices can move between blocks of addresses and NAT will continue to be used for its security properties.

For the purposes of attributing Internet addresses to real people, cyberspace does not support, nor will it support, irrevocable mapping between people, devices, and their actions.
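The interaction of short DHCP lease retention and a NAT translation table that is discarded after session termination, described above, can be made concrete with a small simulation.  This is an added example, not code from the chapter; the addresses, hardware addresses, retention windows and timeline are all constructed, and the lookup walks an observed public port back through NAT and then DHCP, reporting which record has already been lost.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DhcpLease:
    mac: str          # device hardware address (constructed sample values)
    ip: str           # private address handed out from the pool
    start: int        # seconds since an arbitrary epoch
    end: int          # lease expiry or release


@dataclass
class NatSession:
    private_ip: str
    public_port: int
    start: int
    end: Optional[int] = None   # None while the session is still open


class DhcpServer:
    """Keeps current leases, plus expired ones for `retain_seconds`, then forgets them."""

    def __init__(self, pool: List[str], retain_seconds: int) -> None:
        self.pool, self.retain, self.leases = list(pool), retain_seconds, []

    def _purge(self, now: int) -> None:
        self.leases = [l for l in self.leases if l.end + self.retain > now]

    def allocate(self, mac: str, now: int, duration: int) -> str:
        self._purge(now)
        in_use = {l.ip for l in self.leases if l.end > now}
        for ip in self.pool:          # lowest free address, so expired ones are reused
            if ip not in in_use:
                self.leases.append(DhcpLease(mac, ip, now, now + duration))
                return ip
        raise RuntimeError("address pool exhausted")

    def who_had(self, ip: str, when: int, now: int) -> Optional[str]:
        """Which MAC held `ip` at time `when`, if the record still exists at `now`."""
        self._purge(now)
        return next((l.mac for l in self.leases if l.ip == ip and l.start <= when < l.end), None)


class NatDevice:
    """Port-overloading NAT: many private hosts share one public address."""

    def __init__(self, public_ip: str, retain_seconds: int) -> None:
        self.public_ip, self.retain = public_ip, retain_seconds
        self.next_port, self.sessions = 40000, []

    def _purge(self, now: int) -> None:
        self.sessions = [s for s in self.sessions if s.end is None or s.end + self.retain > now]

    def open_session(self, private_ip: str, now: int) -> int:
        self._purge(now)                     # returns the public port the outside world sees
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions.append(NatSession(private_ip, port, now))
        return port

    def close_session(self, public_port: int, now: int) -> None:
        for s in self.sessions:
            if s.public_port == public_port and s.end is None:
                s.end = now

    def translate_back(self, public_port: int, when: int, now: int) -> Optional[str]:
        self._purge(now)
        for s in self.sessions:
            if s.public_port == public_port and s.start <= when and (s.end is None or when < s.end):
                return s.private_ip
        return None


def attribute(nat: NatDevice, dhcp: DhcpServer, public_port: int, when: int, now: int) -> Dict:
    """Walk one observation back to a MAC; `stops_at` names the link whose record is gone."""
    result: Dict[str, Optional[str]] = {"private_ip": None, "mac": None, "stops_at": None}
    result["private_ip"] = nat.translate_back(public_port, when, now)
    if result["private_ip"] is None:
        result["stops_at"] = "nat"         # translation table purged after session end
        return result
    result["mac"] = dhcp.who_had(result["private_ip"], when, now)
    if result["mac"] is None:
        result["stops_at"] = "dhcp"        # lease record no longer retained
    return result


def scenario() -> Dict:
    """Constructed timeline: a connection made at t=100 is investigated at t=450 and at t=4000."""
    dhcp = DhcpServer(["10.0.0.10", "10.0.0.11"], retain_seconds=60)
    nat = NatDevice("198.51.100.7", retain_seconds=120)   # documentation-range public address
    ip_a = dhcp.allocate("aa:bb:cc:00:00:01", now=0, duration=3600)
    port = nat.open_session(ip_a, now=100)
    nat.close_session(port, now=400)
    prompt = attribute(nat, dhcp, port, when=200, now=450)   # both records still held
    ip_b = dhcp.allocate("aa:bb:cc:00:00:02", now=3700, duration=3600)  # A's address is reused
    late = attribute(nat, dhcp, port, when=200, now=4000)    # NAT table already purged
    return {"same_ip_reused": ip_a == ip_b, "prompt": prompt, "late": late,
            "holder_now": dhcp.who_had(ip_a, when=4000, now=4000)}  # names device B, not A
```

The `holder_now` field shows the misattribution risk that follows from address reuse: asking the DHCP server who holds the address today names a different device than the one that held it when the connection was made.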

Ephemeral Data

One of the key assumptions in the design of the Internet is that there is no point of central control.  Each component makes its routing decisions based on the local information that it has.  This information may be the historical latency data for various communications channels, the NAT mapping tables, or user authentication results.  However, nowhere in cyberspace is there a requirement to log and save such information beyond the time for which it is immediately useful, nor would it be feasible to do so.  The pure volume of such data in any given segment of cyberspace would be prohibitive to store for a period of time useful for future forensics.  Most data about the structure of cyberspace is ephemeral; it is transient.

Even if it were kept, how could it be accessed and under whose authority?  The fundamental design of cyberspace did not make provisions for attribution or forensics aside from logging specific data.  However, as one does not know what data will be necessary in the future, it implies logging everything – which is impractical.

Network Access

In the previous discussion, it was shown that the IP address within a network may not actually identify the perpetrator’s actual device.  It is also the case that having the address of the network from which an attack originates may not be sufficient to identify the network of the attacker.  The attacker may have gained access to the network surreptitiously, without the knowledge of the network’s owner.  This is particularly a problem with wireless networks.  Many such networks have minimal or nonexistent security.  It is a simple matter for the attacker to be in radio range of the network’s wireless access point and join the network.

There are a number of criminal examples that illustrate this point.  Attribution, in the case of surreptitious use of wireless access, to a network address may provide a valid geographic area and nothing more.

Multi-modal Communications

Multi-modal communications refers to the simultaneous use of multiple access points into cyberspace.  For example, a device may use two different wireless modes to connect to cyberspace to achieve greater aggregate bandwidth.  There are devices capable of both Wi-Fi and 4G wireless network access.  It is reasonable to use both.  The effect on the forensics of an attack is that there would be multiple sets of packets with different addresses associated with a single act, complicating both the analysis and the attribution.

Network Egress

The above cases illustrate the difficulty of associating a network address with the attacker.  It is possible for the attacker to not have a network address associated with the act.  This is best explained with an example.  Suppose that a device has already been compromised, but the attacker now needs to exfiltrate data.  A common way to attribute the attack is to “follow the data,” the cyberspace equivalent of “following the money.”  Suppose the attacker has compromised a second device.  However, the second device can be reached by a wireless communications channel.  The compromised target device then sends the desired data to the second compromised device.  Any attribution will lead to the second device, but the attacker has simply eavesdropped on the wireless communications channel.  The attacker has the data and has not revealed themselves to any cyberspace protocol.  Attribution by following the exfiltrated data in this case is essentially impossible.

Duplicity of Nodes

Attribution depends on retrieving protocol and device information from the computing devices in cyberspace.  Though it should be obvious, any compromised device can lie.  It is impossible to create a secure system that will remain secure forever.  Therefore, one must view as suspect any information retrieved from a device that has been attacked or any other device to which the attacked device had access.

The design and implementation of cyberspace is based on technology and protocols that set fundamental limits on the reliability of attribution.

Attribution in the Cyber Domain

The previous section described the aspects of the design and implementation of cyberspace that make attribution difficult.  However, attribution is accomplished in many cases.  With rare exceptions, attribution requires collecting information at the site of the attack, the compromised device, to recreate the actions or the communications of the attacker.  Clues may be found in the attack code (the weapon), the nature of the act (such as information stolen or manipulated), and the communications channels used for both the attack and exfiltration – if any.  This usually simply points to some other node earlier in the attack sequence.  The investigation then starts anew at the next node.  As attacks may cover many different infrastructure providers and jurisdictions, the questions are what information is available and how one gets access to it.

Attribution by Cooperative Efforts

Particularly for criminal acts and nuisance behavior such as financial fraud, spam and distributed denial of service attacks (DDoS), the various infrastructure providers cooperate to provide the data they have available and piece together a picture that can support attribution.  Here the limit is the data available.  If the infrastructure providers are sufficiently forewarned, they may be able to log and save ephemeral data.

Attribution by Lawful Access

Failing cooperation, if the act and the jurisdiction warrant, law enforcement may assert their lawful right to access the nodes and collect, or cause to be collected, what data is available.  The advantage that state resources have over completely cooperative efforts is the access to additional, non-cyber information that may be germane to the investigation.  Indeed, many cases of attribution hinge on the additional data used to focus an investigation, such as physical surveillance, wiretap, or criminal histories.  Law enforcement may remove the last vagaries of attribution by the physical seizure of the attacker’s devices or monitoring the attacker’s action in real time.  Obviously, attribution by a state’s law enforcement organization is only relevant to attacks that take place within the state’s jurisdiction or another jurisdiction with which the state has agreements or treaties.

Attribution by Intelligence Tradecraft

Particularly for cyber warfare and espionage, the only way to obtain reliable attribution may be by using “close access” intelligence techniques.  That is, by planting monitoring capabilities on nodes within the attacker’s network or attack path.  This technique can produce some of the most reliable attribution but is extremely difficult as it involves attacking the attacker’s devices without their knowledge and exfiltrating data supporting attribution.  It is, in essence, an espionage attack in its own right.  It is more effective the closer to the source of the attack it can be.

Looking Forward:  How Might Attribution Be Achieved

As noted earlier, there have been many different proposals for changes in the design or implementation of cyberspace to increase the probability of attributing attacks, whether acts of war, espionage, or crime.  None is a “silver bullet,” for the reasons already covered, but all of them can be put into one of three categories.

Strong Identification and Authentication

There are proposals for requiring or allowing stronger identity and authentication of people, computers, and packets.  As described earlier, this is not a panacea but does provide a level of assurance.  However, one must understand that such a technology is likely to be more useful to authoritarian regimes that wish to monitor their citizens than it would be in combating cyber warfare or cyber espionage, as it would not force noncooperative regimes to utilize it.

Persistent Data

As noted, the design of cyberspace has no requirement to maintain state information, the ephemeral data discussed earlier, beyond the time needed by the protocols.  There are a number of proposals that would require, or allow for, selective parts of this data to be logged and saved for some length of time.  Examples of such information would include routing tables, NAT translation tables, and DHCP leases.  The hope is that this information would be available for forensics examination after an event.
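The lookup that retained NAT and DHCP state would make possible, as an added example that is not part of the chapter: constructed NAT translation records and DHCP leases, and a function that walks an externally observed source address, port and time back to a device on the local network. The record formats and every value are assumptions for this example; the point it shows is that the same external address and port is reused, so without the timestamped tables the observation is ambiguous.

```python
from datetime import datetime

# Constructed sample of the state the chapter calls ephemeral: NAT translation
# records (start, end, external addr:port, internal addr:port) and DHCP leases
# (start, end, internal address, MAC). The record formats and every value here
# are assumptions for this example, not the output of any real device.
NAT_LOG = """\
2012-06-03T10:00:00 2012-06-03T10:02:00 203.0.113.7:40001 10.0.0.5:51234
2012-06-03T10:03:00 2012-06-03T10:04:00 203.0.113.7:40001 10.0.0.9:51800
2012-06-03T10:06:00 2012-06-03T10:09:00 203.0.113.7:40002 10.0.0.5:51240
"""
DHCP_LEASES = """\
2012-06-03T09:00:00 2012-06-03T11:00:00 10.0.0.5 aa:bb:cc:00:00:05
2012-06-03T09:30:00 2012-06-03T10:30:00 10.0.0.9 aa:bb:cc:00:00:09
2012-06-03T10:30:00 2012-06-03T12:00:00 10.0.0.9 aa:bb:cc:00:00:19
"""


def _records(text):
    """Yield (start, end, remaining fields) for each whitespace-separated record."""
    for line in text.splitlines():
        start, end, *rest = line.split()
        yield datetime.fromisoformat(start), datetime.fromisoformat(end), rest


def internal_endpoint(ext_ip, ext_port, when):
    """Internal addr:port that held this external addr:port at time 'when', if logged."""
    for start, end, (ext, internal) in _records(NAT_LOG):
        if ext == f"{ext_ip}:{ext_port}" and start <= when < end:
            return internal
    return None  # mapping was never retained for that instant: the trail ends here


def lease_holder(internal_ip, when):
    """MAC address that held this internal IP at time 'when', if a lease was logged."""
    for start, end, (ip, mac) in _records(DHCP_LEASES):
        if ip == internal_ip and start <= when < end:
            return mac
    return None


def attribute(ext_ip, ext_port, when_iso):
    """Walk an externally observed source (IP, port, ISO-8601 time) back to a LAN device.
    Returns (internal_ip, mac) or None when the NAT table has no record for that instant."""
    when = datetime.fromisoformat(when_iso)
    internal = internal_endpoint(ext_ip, ext_port, when)
    if internal is None:
        return None
    internal_ip = internal.rsplit(":", 1)[0]
    return internal_ip, lease_holder(internal_ip, when)
```

Note that the same external tuple 203.0.113.7:40001 resolves to two different devices a minute apart, which is why the retention proposals above include the time window and not just the mapping.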

Proximity

The most useful data for attribution is data collected close to the attacker.  There are proposals for monitoring the characteristics of data entering network segments and analyzing some portion of the data.  For example, it is possible to spoof the source IP address in a TCP packet.  This is a technique used in DDoS attacks.  The egress verification of source addresses would eliminate such techniques.  The same could apply to spoofing email addresses.  The outbound mail server could verify that the address was legitimate.
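An added example, not part of the chapter, of the two egress checks this paragraph describes: source-address verification at the boundary of a network segment, which drops packets whose source lies outside the segment's allocated prefixes and counts drops per ingress interface so the operator can see where spoofed traffic is arriving, and a sender check on an outbound mail server. The prefixes, domains, account list and packet records are assumptions constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example (assumption): the address blocks assigned to this network
# segment. A packet leaving the segment with any other source address cannot
# have been legitimately originated here, so it is dropped at the edge.
ALLOCATED_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")]

# Constructed example (assumption): domains this outbound mail server handles,
# and the mailbox each authenticated account is allowed to send as.
LOCAL_DOMAINS = {"example.org"}
ACCOUNT_MAILBOX = {"alice": "alice@example.org", "bob": "bob@example.org"}


def source_is_legitimate(src):
    """True if src falls inside a prefix allocated to this segment."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # malformed address: treat as spoofed
    return any(addr in net for net in ALLOCATED_PREFIXES)


def filter_egress(packets):
    """Split packets into forwarded and dropped, and count drops per ingress interface.

    Each packet is a dict with 'src', 'dst' and 'ifc' (the interface it arrived on).
    Returns (forwarded, dropped, drops_by_ifc); a rising count on one interface is
    the detection signal that a host behind it is emitting spoofed traffic."""
    forwarded, dropped, drops_by_ifc = [], [], Counter()
    for pkt in packets:
        if source_is_legitimate(pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_by_ifc[pkt["ifc"]] += 1
    return forwarded, dropped, drops_by_ifc


def mail_from_is_legitimate(account, mail_from):
    """True if an authenticated account's MAIL FROM is a local mailbox it may use."""
    _, _, domain = mail_from.rpartition("@")
    return domain.lower() in LOCAL_DOMAINS and ACCOUNT_MAILBOX.get(account) == mail_from.lower()
```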

Doctrinal Ramifications of Attribution

From the foregoing, it should be obvious that complete and reliable attribution will never be accomplished.  The design and implementation of cyberspace do not support reliable attribution in the general case.  Although we cannot necessarily attribute actions, we can hold people, organizations, and states accountable for the actions of those over which they have authority.  If attribution points to the attack having originated within a nation state, then the information supporting attribution should be given to that state.  That state should have the responsibility to investigate and produce its findings.  Noncooperation in investigating cyber-attacks (cyber warfare, espionage, or crime) should be taken as a sign of culpability.  States must take the responsibility of policing their national infrastructure and they must assume an obligation to investigate and stop attacks originating in their jurisdiction.

Lastly, there is a curious property of attribution and the asymmetric nature of cyber-attacks.  In the balance between cyber-attacks and cyber defense, it is frequently asserted, correctly, that cyber offense is far easier than cyber defense.  Cyber-attacks are highly asymmetrical.  That is, one can attack anywhere from anywhere.  This creates an asymmetry between offense and defense.  Offense is free to attack anywhere and defense must defend everywhere.  This naturally leads to a quotation from Frederick the Great, “He who defends everything, defends nothing.”  Defense in cyberspace is inferior to offense.  However, attribution is also highly asymmetric, but in the other direction.  Those who wish to remain anonymous must do so everywhere, while those wishing to identify them need do so only once.


[1] David Aucsmith is the Senior Director of Microsoft’s Institute for Advanced Technology in Governments. He is responsible for technical relationships with agencies of the United States and other Governments, as well as on select special projects. Before joining Microsoft in August 2002, Aucsmith was the chief security architect for the Intel Corporation from 1994 to 2002. He has worked in a variety of security technology areas including secure computer systems, secure communications systems, random number generation, cryptography, steganography and network intrusion detection. Aucsmith is a former officer in the U.S. Navy and has been heavily involved in computer security and cybercrime issues for more than 30 years. He has been an industry representative to numerous international, government and academic organizations including the technical advisory boards of the National Security Agency, the National Reconnaissance Office, the National Academy advisory board on Survivability and Lethality Analysis and the Directorate Advisory Council for the National Security Directorate of Pacific Northwest National Labs. He is co-chairman of the FBI’s Information Technology Study Group, a member of the Secret Service Task Force on Computer Aided Counterfeiting, a member of the President’s Task Force on National Defense and Computer Technology and a member of the Department of Defense’s Global Information Grid Senior Industry Review Group. Aucsmith was also U.S. industry representative to the G8 Committee on Organized, Transnational, and Technological Crime where he participated directly in the G8 summits in Paris, Berlin and Tokyo. Aucsmith holds 33 patents for digital security.

