Webinar: To Attribute or Not Attribute, Is That the Question?
It is my pleasure to introduce my, colleague Andy, Prado Andy, is the director, of the program on geopolitics, technology, and governance at the Stanford cyber Policy Center he's, also a William J Perry international, security, fellow at the Freeman spogli Institute and, visiting, fellow at the Hoover Institution. Andy. Was formerly, a senior, director for cyber policy on, the National Security Council in both the Obama and the Trump administrations, and before, that served, as a professional, staff member for the Senate Select Committee on Intelligence, Andy. Also leads the cyber specialization. Curriculum, for the Ford Dorsey masters international policy. Program at FSI, where, he teaches the core fundamentals, course on cyber policy his. Research is in the vortex of cyber security national. Security and the economics, of tech and innovation and, he, has had involved involvement, in virtually every major policy, policy, debate over, the last 10 years spamming, his experience, with Congress the executive branch and in academia so. I'm so happy to turn it over to him and jump in to preview this executive education that, we are gonna run in August and we hope you can join us right. Thanks, Danielle welcome, to everyone it's a pleasure to to, join, you. All this morning or, afternoon as the case may be for some of you from. From further. Flung places then. Then. The. Bay area I. Hope, you and your families are safe. And 7yz. Unusual. And trying. Times so. I, wanted, to, goals. For. Our webinar. Today one, is to give for. A short course, overview. For. The executive education program. That we're planning to run in August, and. Then I want to give you kind of an amuse-bouche an, appetizer, on. What. Some of the course content look like in, this case I want to focus in particular on, this. Question of attribution. Which, ends. Up consuming. A lot of media attention a, lot of policy. Focus. And I. Want to, provide. Sort, of an analytic, framework for. Business. Leaders and, leaders, and public organizations for, how to think about attribution, decisions. Before. I get into the. Course overview I know that, you, know there's a lot of questions, still, what. Will won't be open as, far as shelter-in-place goes, our. Assumption. Is that this course will run in August we. Still have spots available so, I, if. You're interested. Our. Plan. So, far is all system you go so, with that let me we jump into the course overview so. You, know there's a saying, among among. Cyber nerds like me that you know there's for two types of organizations, or organizations, that.
In But. Know that they have been hacking organizations. That have been hacked, in other words. Data. Breaches cyber, security incidents, are. Almost. Inevitable. In, this day and age and this. What. You see in front of you is a, the, results of a survey that the UK government did. Business. Is this is in the UK specifically, but I think the results are. Pretty, applicable worldwide. That. In their survey basically. One-third. Of businesses. Experienced. A breach or an attack in the last 12 months and. And. You can see what impact it had on their business operations. You. Know with with. Pending. Staff from carrying out the work functions. Consuming. Resources that, could be spent on, pursuing. Mission, objectives, building. A business and so on. Headlines. I mean if you read a newspaper even this morning there's a New, York Times about a new. Cyber. Attack. Attributed. By, an Israeli, research. Group to. The Chinese military. The. Pandemic, has become, a. Source. Of, exploitation. For malicious actors who. Are using the pandemic both to Spearfish right. Trick people into, opening, up emails. With malicious attachments, related, to Cove in 19 preying on their preying on their fears to. Try to hack their systems there's, also a lot of. Ransomware, attacks its, businesses, and other organizations. Last, Friday President, Trump declared a national emergency, as. Based. On, evidence. That, that. Foreign, hackers. Were. Seeking. To infiltrate the u.s. power grid. And. Then of course you, know the FBI has seen a major spike in cyber crime reports, during this pandemic. This. Is just you know the last you know month or so, you'll. See that that, you, know among, boards. Cyber. Security is top, of mind. The. World Economic Forum, does this survey. Of business leaders every year and. This is the most recent. Report. You'll, see that. The cyber attacks are. You. Know essentially. And. A defect and. Fraud. Or, among the highest impact, and. Highest probability. Risks. That that are top of mind for them. At. The same time this. This is a report from another. Survey that that Marsh and Microsoft did where. You see that that. Across, time cyber, risks outrank, all, other risks by a wide margin and. The question posed to the respondents, was of the following business threats, please. Rank the, top five and the biggest concerns your organization. And you'll see that, percent. Listed cyberattacks, in the, top five with.
Almost A quarter of them identifying. Cyber. Risk as, the. D number one risk. Now. What's worrisome, about this is that even as the. Awareness. Of the threat is. Growing the. Scale, and scope of the threat is, expanding. Leaders. The confidence, in their ability, to manage, this. Set. Of risks is actually declining. And. So. You'll see here, that, you. Know that essentially. There's. One confidence, among. Business. Leaders that. There they are the organizations, are in a position to, understand, assess measure cyber threats to to prevent, cyber threats, or. Manage and respond to cyber threats that to me is really, worrying I think it shows, a real gap between. The. Growing magnitude, of the threat and our. Confidence. In our business leaders policymakers. And. Their ability, to to. Manage this. This new. This growing and complex, risk. Meanwhile. You. Know this were. Only becoming more and more reliant on, on. A. Digital. World for our, daily lives this is a story that's probably. Familiar to most but. You. Know as we move to, a world the, biggest connectivity, sensing, processing, the. Attack service the number of devices on, the, Internet will grow our. Reliance, on. Computers. And networks will, grow, and just, to put that into perspective this, this is some statistics. From. How DC that that shows that by. 2025, just. The sheer volume of. Internet. Of Things connections. Will. Increase, that factor, of about four, or five just. Just you know the next five. Five or so years. Now. Meanwhile. Policymakers. Had, been you know focused, on cyber tickling, the u.s. was, involved in a lot of these debates as Daniel said I drew, my time the government and. The, pace is only quickly and. So I just put up here you know smattering, of recent. Headlines, on. Different. Regulatory and legislative, initiatives. Around the world that are being, trying. To address, cyber. Risks, and. These policy interventions, are. Primarily. Aimed at the private sector and. Have. Potential. For major. Impact, on business operations, and so you. Know and the actors. Involved range from California, a US state to. The. European Union. China. The. US federal government. So. So. Let me now turn directly, to to, the the course with that with that background. The. Overarching goal. The program will be to close that confident status today I. Identified. By. Delivering, foundational. Knowledge on, cyber risk. Cyber. Policy and resilience, to to, our students so.
We'll Cover the, tech basics, and. We'll. Adjust how, deep we go depending, on what the complexion of the, the student. Cadre. Looks like but, we don't assume any technical expertise, on the part of students and, if we happen to get students with deep technical expertise, we'll. Have some room to make adjustments to the curriculum based on what the complexion of the class looks like. We'll, cover the fundamentals of cyber risk management, will. Cover threat actors their motivations, I will cover regulatory, policy, Incident Response and. Statecraft. In, the international aspects of cyber, policy cyber, risk how. We'll cover it, they'll. Be lectures. We're. Assembling I think a pre crack team of instructors. With, experience. Both, with. Practical, experience as well as experience, talking about cyber. Issues in a clear, and intelligible way. We'll. We'll, lean on group work to, get the students, interacting with each other learning from each other and we'll do scenario exercises, and so you'll bring your track suit your Walkman I, love doing exercises I find that that your simulations, are a really, powerful way, to help, bring content. Home. I. Want. To make one point about. About. The content. That. You know so, there's this difference between education, and training right so training. Is about learning, to do a particular task education. Is about building a foundation this this is about education, so, we're not our. Goal is not to provide. Sort of a regimented. Step-by-step. Approach to, if, you. Suffer a cyber incident, or if you. Know the US Congress, is pursuing, a legislative. Initiative upon X here's, what you do that that's not that's, not what we want to do, we. Want to provide the foundation so that students. Can can cover and manage. Teams across, different. All these different cyber. And problems, that that, come up in business in the public policy and. So that end, our. Students we. Have in mind our, executives, and leadership roles or seeking such roles where. Literacy, and cyber risk policy, are essential, to mission success, so. With that let's, jump into. Attribution. Whodunnit you. Know this. Is probably a little bit of a generational, thing I love watching Murder She Wrote I was, an American TV show with, Angela Lansbury, actually. Never been English. Apologies. To any any. UK. Call. But. You know involved you know she was a writer, who who, solved murder mysteries I realize murder mysteries and you know it, speaks to this instinct, that when when something when a crime happens.
Our. Sort. Of collective consciousness, media. Narrative, policymakers. Business. Leaders towards all want to know who did, this. Bad act who. Did it the natural question I. Think. Incur a whole lot for things like holding. Malicious. Actors accountable. For. Deterrence. Imposing, costs on on, perpetrators. But. You know the. Media and, policy, in public discourse on, attribution, tends to frame this. Issue a little too simplistic we for my tastes, as, in, fact a public attribution, in other words there's this binary choice, supposedly. You know in a lot of the the narrative about cyber, risk management, that, organizations. Have a choice between, public. Attribution, and no attribution, and I, I think that's wrong and, and I want to you know leave you with some. Thoughts on. That my, goal is to dispel that notion provide. Leaders. In, business and government with a vocabulary and framework for thinking about how to communicate about cyber incidents, that, affect them or their stakeholders. So. I want to introduce a couple concepts. Two. Overarching concepts, I'm an analytic solution and. Strategic. Attribution. Attribution. You can think of as. Who. Do we think did, it. It's, based on what. Knows or thinks he, or she knows about the identity of a malicious cyber actor it's often based on forensic. And, other technical. Artifacts but. Not necessarily. Limited to that type of technical detail, the. Other day it's a falsifiable, claim who perpetrated, an attack. Strategic. Attribution, is okay so you've got you've, got this theory. Of whodunit, what, now do you do with that and. There, are at least four options that I want to leave you with one is. What. I call private, contribution, you, could keep it you can keep that analytic, judgment. Private. Selective. Attribution, you could disclose. That, judgment, to selected, third parties. Public. Attribution, you could you can make, your. Judgment, about attribution. Public, and. Then of course, this. Is my favorite one the false flag attribution, where you, purposefully. Misattribute, in some strategic, way so you you, may even have a theory of whodunit but you you know pin the blame on someone else for some purpose the, key take away from this this vocabulary and, this way of sort of breaking down this.
Concert With attribution is that decisions. About strategic, attribution, are or should be guided. By political. And economic, factors pertaining, to which mode, of strategic attribution, most, advances. The, decision-makers, interest, and so in, other words a decision. About what. To do with an analytic, attribution, is not, a technical, decision is a management. And leadership decision. I. Don't, rate this point with with with, this a few kind. Of made-up examples, that have some you. May recognize you know some of the characters, in, these then. Yes I'm going to share, with you. But. You know the names have been changed to protect the innocent plus I just need to talk about it so. First. Here we have a company Acme, widget company you. Know publicly, traded company, suffered. Cyber-enabled. Theft of its trade secrets, the. Executive, team assesses, that malicious, cyber actors, located. In the territory, of. To. Korea, acting. On the staff of a state owned company. There we're. Behind this incident the, assessment is based in part on forensic, data. But. Also the. Timing of the event coincide. With negotiations. With. NCC, over a joint venture. To. Court, in troika, so in this case that we had analytically, attributed the attack to NCC it's a lie than it would have judgment about who done, another. Another sort of spin, on that so they're taking this okay so now we have a country, you know a public, organization a malicious. Is a rule of law watching, democracy, and. The anglo-american. Tradition sounds familiar uh Eukarya. Also. Familiar. Is a fledgling democracy. Has. Its unresolved, border dispute with Rosaria, adversary. Of a, Mauritius intelligence. Service in a Mauritius disseminates, a classified, intelligence Usman's. Internally. To a Mauritius, policymakers. That the. Actors behind, this attack are likely affiliated, with a. Rosarian, intelligence unit this. Assessment is based on foreign intelligence collection, and, forensic, data brought. Back to. A mauritius, by a flying team of a marriage I'm Irish government, experts invited by Eukarya, to, support its forensic analysis, of attack this is another case of analytic, attribution, dd these, a malicious government has come to an analytic, judgment. About whodunit so. Let's, let's talk about these in a little more detail so in these examples. Speech. Protagonist, has formulated a judgment, about analytic. Attribution, and for now at least they come back pipe. They've. Drawn on different data sources to. Arrive there analytic attributions, so, ask me is executive team for example based. Its analytic judgment, on. Information, from the company systems, but also their, business instincts. While. The a Mauritius, intelligence service drew. Upon intelligence, sources and methods along. With this trust relationship it's. Hatched with you carry the permitted, its. Experts, to gain some first-hand insights, into the attack in. These examples the, protagonists, confidence, level in their an alert judgment can, be expressed in different ways and. So in the case of an richest. You, know. You. Know assuming you. Know that this is a professional. Intelligence service, right there would there would be really. Expressed, clear language about its confidence level high medium low in, its. Attribution. Assessment, I mean, this this, assessment. This confidence level is. A function, of how specific and, direct the intelligence is right and. So the, extent of course that intelligence. Is, valuable, and potentially, fragile. For, example you, know volved. Sig. N or some other sensitive. Intelligence, an aperture. The. Originators, unban intelligence will have strong incentives to prevent, to. Compartmentalize and limit the, distribution, of that intelligence to only those who need to know. Now. What's, important to note is analytic, attribution, this this this this internal, judgment about whodunit. Can provoke, or inform action, this. Often gets lost to get a lot of the public debate about cyber. Risk management, cyber policy, coming. To a private, judgment about analytic. Attribution, is not necessarily, consequence-free. In. Actors willingness. To take potentially. Costly, actions based on an analytic attribution, speaks. Volumes about confidence, level in the accuracy of the attribution, and, in. Both of these cases you, know this this private, this this analytic, attribution, could. Have a real impact on, on, decision. On their internal decisions so in, the case attacked me it could decide you know what like maybe, we're not going to do business anymore, in scoria, or the minimum maybe we're gonna break, off our negotiations.
With NCC. In. The case of a malicious, you. Know this this could be tit to reprioritize. It's. It's intelligence, collection and. Have. Other impacts on its relationship with both Eukarya and. Sorry. Now. By the same token i think. To note that that. Some. Defensive. Actions, don't. Even require attribution. Right, yeah. So a defender does not in some. Cases necessarily. Mean to know the identity of an adversary. To implement known trendabl influences and. You. Know just despite you know the the interest and whodunit in. Many, many cases defenders. Don't need to know that in order to do their job and. But. Yeah that said of course, there. Are there are times when it does help defenders to know who. Did it because, we. Could help set, learning. The identity of the defense of the attacker and their, motivations, can help the defender. Set, mitigation, priorities, and more effectively assess. Risk. So. Let's, let's, turn now to, a. Couple examples which PG graduation. So. Here, we have acne. Again. It's. CISO decides. To share information about the incident. Along. With the company's analytic. Attribution. To, a. Trusted, circle of fellow scissors, at similarly. Situated companies. To. Help them and also, to reinforce reciprocity, norms, among this. Community of scissors. About sharing. Threat, information within this circle of trust. They. Share the information under this, this this. Information. Sharing, rubric. Called a traffic, light protocol, I'll say a little bit more about that to. Highlight a sensitive, sensitivity. Of information, right traffic. Light protocol red is a way to say this is sensitive information. You know don't don't disclose without getting further. Permission. From from, from the originator and, then the company General Council also shares information about the incident with outside counsel to understand legal risks and. Notifies. A malicious, law enforcement so. In this case ask me has selectively, attributed, the attack to NCC and by. Selective it is not engaged in a public attribution, it is selectively. Shared, it's analytical attribution. With with certainly third parties. Let's. Go back to a Mauritius in, this case a Mauritius, provides. Classified. Threat briefings. To major, a Mauritius. Grid operators, about this attack. And, in, the classified, briefing, the, a Mauritius government described it's, it's classified, oolitic, attribution, of Rosaria. As the perpetrator, this. Context, to reinforce, the severity, of the need for, the operators, to prioritize. These particular, mitigations. The. Briefers, also hope that the quality of the briefing, including. The decision to share sensitive forensic. Attribution. Details will persuade the, operators, to reciprocate, and engage in information sharing with americium, about the threat and what they see on their networks and so in this case the. A malicious government has selectively, attributed, the attack to, Azaria with. Major grid operators, as the recipients, of the. Selective attribution, so. Let's let's talk about these two cases a little more. So. In. This case. So. The ambitious. Briefers. Chip analytic, attribution, with a subset, of critical. Infrastructure. Owners and operators on. A protect public safety they made a judgment, that that in, this case, the. Amer and a nourishes interests, were best served, by, engaging. In selective attribution, short, of public contribution, you know blasts in a press release saying we think that this, or that country did, it now.
What. We've got to think, about is by. Being so selective, in. Its outreach to the private sector a, Mauritius. Has now assumed. New. Risks so. What if Rosaria, or, another malicious actor, was, able to use substantially. Similar tradecraft, to attack sectors, that, hadn't been breached. Of. Course most importantly this would put the. People of, a Mauritius, at risk of harm but it could also jeopardize, the political fortunes of, a Marisa's leadership who in the aftermath, of such. An attack would face the inevitable second, guessing of why they had failed to brief. More. Companies. The. So. What does and, there's a question of okay what does. Eukarya. Think about. A. Mauritius. Actions, and. Emerges there. You. Know I mean after all. Eukarya. Is not likely to learn a foreign government even. A friendly one examine. Infrastructure. That was targeted by a hostile foreign power or without, some guarantee that the fruits of that examination, would make their way back to Acharya and. So one of the issues that the. A Mauritius, and Eukarya, and their respective legal, advisers would. Want to have worked through, in. Advance is calibrating, both sides expectations. About what. Is and it's not shared, by way of intelligence, associated, with, the incident. You. Know what what you know based. Since. A Mauritius head is flying team come in. You know there's now this you, know the attribution. Is tied in some way to this relationship, with Eukarya. Cameras. Could. Share. Its technical findings, with, your Caria but leave it up to Yukari to connect the attribution, the analytic attribution, dots or. If we go a step further and engage acharya. In a more robust, limit exchange and dialogue, it could include judgments, about, analytic, attribution, either way the two parties and we're gonna want to think about this in. Advance. So. Coming. To acne. So. The executives, are trying to get their heads around what happened by seeking external advice assistance, the, scissor recognizing. That, peer InfoSec. Officers. And similar companies might. Be facing similar risks and. The. Contact of TLP so. TLP. Is widely used by, endless tech practitioners, to lay the thread. Information. Relating. To its perceived, sensitivity. And. Essentially. As a request to handle. The. Information. With. That sensitivity, in mind typically. Red is the highest classification, under, the scheme means. That material is not for disclosure and. Restricted, only to, the. Immediate recipients, of that information. That. Kind of exchange. Happens. All, the time in, the corporate InfoSec world and. And. At. Least the anecdotal evidence I've seen, suggests. That these exchanges. Result. In stronger defenses, on, the other hand these. Exchanges, often occur without the knowledge or consent of the company's senior, executives. These. Exchanges. Tend to be informal. Rooted. In personal bonds, of trust and, done, with some level of secrecy, and. So in this case the fact that information, is labeled TLP red means. That that. The information, that, we Acme Suzhou. Shared. Shouldn't. Be, you. Know sure even, you know beyond, the immediate recipient so that, will include other. Parts, of the organization's, who, the recipients, belong, to. Clean. Their senior executives. That's. Important to note that that. The TLP scheme, is not binding. On participants. Putting putting a TLP. Classification. On a document, or, asserting, it in a conversation. Does. Not create any legal. Rights or duties among, the parties to the exchange so. Unless the, recipient, sign, non-disclosure. Agreements. Or some other, agreement. Or specific. Law is broken. We. Would have no recourse under the law to sue, or press charges against recipient, who violates, the. Terms of t.o.p, read, sharing, as. Example, indicates ask, me isn't a witty business and. Assuming it's a conscientious.
Well-managed. Business the company's management team will work closely or. When it says oh and legal counsel you're gonna get to get an accurate handle, on, on. What information within the company was exposed, in the breach and what, courses it must then, pursue by way of mitigation. And resilience, was, it just information. CC. Or was other information, exposed, such. As trade secrets or customer data to, the extent that that customer data was. Exposed, as a company being to notify its. Customers, under the law or. For business reputation reasons. And if so. Does. It disclose, this analytic, attribution. In. Other words engage in selective attribution. As. A publicly traded company, are, there any market disclosures, it, needs to, make under, a Mauritius securities law is. The company's analytic. Attribution, of the incident, to NCC. Materially. Relevant to the market implications of the breach it, could be to the extent that the breach. Affects. The company's plans. In. Korea. So. Less than at least and I wrap up here in just, a few minutes and we'll turn to Q&A is. Take. A music stand these examples, one step further so here, now okay so ask me would you companies not decide to file a lawsuit, never Asia's court against. NCC, for fact trade secrets and, other damages, in its pleadings. Now Acme. Has, publicly. Attributed, the attack to NSYNC. You. Know it's, it's, went. Through this process okay, they, reached an analytic. Judgment. About. Analytic. Attribution, who done it they. Decided to initially to engage in selective, attribution, sharing. It with a select group of third parties now they decided that their interests are best served by. By. Filing a lawsuit against, an scene for theft of trade secrets and other damages they. Have now publicly, attributed, the attack to. NCC. Turning, to a Mauritius. The ministers. Of energy, homeland security and state issued. Joint statement, implicating. Accusing. Azaria for the attack and, the ministers and other law enforcement colleagues, publish, and, a lot of the technical aspects, the public alert with, recommended, mitigation, steps meanwhile, the Ministry of Justice in Deitz three operators, in the, reserve a military, intelligence service, for. Criminal prosecution and the ministries of Commerce and Treasury imposed, sanctions. And. So, on now of course here the a Mauritius government is publicly, attributing, the attack, to. Azaria through through several channels.
The. Key I think point about this, last, you. Know these. Sort of lasts. Yet. Is that. Okay. So we're public attribution, now we, began with an internal assessment, of whodunit, there's, a lot of action that happened between analytic. Attribution. And this. At least acts of public attribution. Business. Leaders an acne. Which accompanied, the a, Mauritius, government had, a range of options, between analytic, judge analytics, attribution, and. Public. Contribution, you. Know they could engage they, can decide to keep their, analytic, judgment, private. They. Could decide to engage, which. Which, they. Might do they. Could. Decide to engage in selective attribution, a decision. To close a dislike and third parties they can gauge and public attribution, taken. We didn't go talk too much about false, flag attribution, yeah just list here completeness, but. They can decide to cue someone else, the. Key point here is that the decisions, in just a rap kind of come full circle. Ultimately. Decisions, about strategic, attribution, should, be guided, by. Political. And economic, factors pertaining to which mode, of, strategic, attribution, most advances. The, decision-makers interest, it is not, simply. Or strictly, a technical. Judgment. About whodunit, and in fact. Judgment. About who done it may. Include. Intelligence. And business. Instincts. That that go beyond. Technical. Artifacts, at, the end of the day strategic. Attribution, is, fundamentally. A decision, for executives. To. Make and shouldn't. Be left to. Shouldn't. Should be treated as such by, by. Senior, management whether. It's a private organization or, or in. Government, I can I can tell, you that that was certainly how. We. Handle, issues. Of this this, question why. Was. At the NSC, and. There. Were many many many many cases where you. Know we the US government, had. An attribution. About who who, done it. But, the. Question, of what, to do with it was always a policy. Decision, and. Guided. By political. And economic factors so I will, stop there I would, like to thank you Andy, so much. Webinar. I think what's really interesting I, don't know if daniel has anything else you would like to add in the end. No. No. Okay, so I think we are all good thank you everybody for joining us today I hope. You will spend, rest from. What's. Today Thursday. And. Have, a nice weekend thank. You take. Everyone be safe.