Just on the heels of the Anonymous takeover of the US Sentencing Commission website, the New York Times is reporting that its network has been subject to persistent hacking over the last four months at the hands of Chinese attackers. The paper hasn’t released precise details on the nature of the attacks. However, this Symantec Threat Report is a nice primer on the makeup of cyber-attacks generally.
This attack is a good illustration of the difficulty of true attribution in cyberspace, especially in real time. The Times is confident enough to assign blame to China as headline news, and actually dedicates four pages of copy to laying out its case. The paper notes that the timing of the attacks coincides with the publication of reports critical of prime minister Wen Jiabao’s family. Additionally, the attacks were only aimed at gaining access to passwords and information related to the Wen family. And while the attacks were routed through US university servers, cyber-security experts traced the attacks to a strain of malware “associated with” previous attacks out of China. No doubt, it’s a mountain of circumstantial evidence. As far as attribution in cyber goes, this is about as good as it gets.
But is it proof? Not according to the Chinese:
Asked about evidence that indicated the hacking originated in China, and possibly with the military, China’s Ministry of National Defense said, “Chinese laws prohibit any action including hacking that damages Internet security.” It added that “to accuse the Chinese military of launching cyber-attacks without solid proof is unprofessional and baseless.”
As Herb Lin has argued more generally, the Times might be able to correctly attribute down to the machine used, the human operator, or the political party or force responsible. But it isn't likely to conclusively attribute to all three. The appropriate standard of guilt in this context depends on the goals of cyber attribution. If we hope to deter by criminal conviction, meeting the “beyond a reasonable doubt” standard could be a long wait. But a lower standard is required when making national security decisions---and editorial ones, apparently. Readers looking to dive deep on the complexities of attribution ought to start with David Clark and Susan Landau’s piece, Untangling Attribution.
Update (9:15): Jack correctly notes that "cyber attack" is a term of art and, from the few details available, this looks more like "cyber exploitation." The Times is using the term "attack" and we'll follow its lead until more is forthcoming. In the meantime, the 2009 NRC study Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities nicely spells out the difference.