Events such as the massive attack on Sony Pictures have emphasised yet again how anyone with a grudge and a certain amount of technical knowledge can undermine the digital systems on which modern internet-connected economies rely.
A timely paper, Attributing Cyber Attacks, published by Thomas Rid and Ben Buchanan of the Department of War Studies at King's College London, sets out the problems investigators face when trying to work out exactly who is behind these kinds of cyber attacks. It points out that even now there are no easy answers -- and that it's only going to get harder.
"That process of attribution is not binary, but measured in uneven degrees, it is not black-and-white, yes-or-no, but appears in shades. As a result, it is also a team sport -- successful attribution requires more skills and resources than any single mind can offer," the paper, published in the Journal of Strategic Studies, warns.
As such we shouldn't necessarily expect a 'Colonel Mustard in the library with a lead pipe' type of identification when it comes to these kinds of crimes -- although the paper does note that because of the way hacking is done, by individuals with particular quirks and habits, the way digital forensics work it may sometimes be easier to identify individual perpetrators and then 'zoom back out' to the bigger organisational or military unit involved, rather than the other way around.
Rid and Buchanan highlight a number of areas that analysts can fruitfully investigate.
Cybercrime scene investigation
For example, the target can shed light on the type of breach or the type of intruder: credit card information and other easily monetised targets point to organised criminals; digital attacks aimed at product designs may point to economic espionage; hacks focused on military strategy can point to intelligence agencies.
How the attackers cover their tracks may be an indication of identity, or as the paper notes: "Stealth, ironically, can also be revealing." Anti-forensic activity -- steps designed to evade detection and later investigation -- is tricky and time-consuming, so using it can reveal hackers intentions, their fear of reprisal, and level of sophistication. Similarly, the resources the attacker brought to bear in the effort may be an indicator for how highly the attacker valued the target: the zero-day vulnerabilities used in something like Stuxnet would have been expensive and hard to acquire.
One way attackers can give themselves away is by the hacking infrastructure they use -- relying on one particular botnet, for example, or one command-and-control setup, although as the authors note: "As a result, some shrewd actors are taking steps to try to better hide their infrastructure."
Other factors in identifying attackers can come from language indicators and the broader geopolitical context, and the type of damage they do: "Sabotage, as a rule of thumb, tries to maximise direct costs, either openly or clandestinely, whereas collection tries to avoid direct costs for the victim, in order to avoid detection and enable more collection in the future," say Rid and Buchanan.
The paper also notes that how attackers respond to publicity can be instructive -- some attackers may cease operations immediately, while others may continue regardless (the first response could be that of an intelligence agency that doesn't want to be embarrassed, the second that of a crime gang that doesn't care).
For governments and law enforcement the good news is that it's possible to identify individuals and organisations behind digital crimes.
"Sophisticated adversaries are likely to have elaborate operational security in place to minimise and obfuscate the forensic traces they leave behind. This makes uncovering evidence from multiple sources, and therefore attribution, harder. The silver lining is that adversaries reliably make mistakes. The perfect cyber attack is as elusive as the perfect crime."
The cybersecurity hall of mirrors
Rid and Buchanan have set out a framework for analysing cyber attacks, but that doesn't mean we can expect easy or unambiguous answers.
Trying to apply the theory to the real world is where inevitably it gets messy -- and with the Sony hack the messiness verges on Inception-level ambiguity. The FBI has pointed the finger at North Korea over the Sony hacks, but the publicly available evidence remains extremely limited, which has left a number of security experts unconvinced -- at least for now. And as the agendas and techniques of cybercrime, hacktivism, economic espionage and cybewarfare overlap and merge it's only going to be murkier.
The bad news, as Rid and Buchanan note, is that identifying hackers is getting harder as hackers learn from previous mistakes.
But just because cyber attribution is fraught with difficulty that doesn't mean it shouldn't be attempted: the authors warn of what could happen if there are no meaningful consequences once attackers are identified: "Absent meaningful consequences, states and non-state actors may simply lose their fear of getting caught, as a lax de-facto norm of negligible consequences emerges. Ironically this could mean that non-democratic states become less concerned about getting caught than publicly accountable liberal democracies."
As such the decision by the US to impose sanctions on North Korea following the Sony attack can be seen showing that there are consequences to this kind of attack. But it also reflects how the rules of engagement for these kinds of digital confrontations are still being written.
All of this means that working out who did what, when and why is tough and getting tougher -- but working out how to respond to such attacks is going to be harder still.
ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
Previously on Monday Morning Opener: