Today, the computer security company McAfee released a report detailing its discovery of a massive cyber attack that went on for as long as five years. The attack hit the governments of the United States, Canada, South Korea, India, Vietnam, and Taiwan; major corporations in a variety of industries; defense contractors; non-profit organizations; the International Olympic Committee; and the United Nations. Though McAfee said it believed the attack was carried out by a nation-state, it declined to name names. But even if McAfee named a suspect, could it ever prove its case?
Unfortunately, there’s good reason for doubt. According to a 2008 paper by three experts supported by a Department of Homeland Security grant, “attribution”—the task of determining a cyber attack’s origins—is “extremely challenging.” In their paper, the experts note that the Internet was designed as an open system with no standard methods of tracing or identifying users, and sophisticated attacks often employ compromised “stepping stones”—computers that have been hacked and are being remotely controlled to carry out attacks. Conclusively determining the origin of attacks, then, goes against the basic structure of the Internet. Besides, even if the latest attack’s origin could be determined, the culprit might still elude identification: Some states, such as Russia, are widely suspected of assisting private citizen hackers to advance their national interests while still maintaining a safe degree of distance (and deniability).