
Susan Landau explores Internet security and the attribution problem

Susan Landau gave a talk at Harvard today on her latest policy work on
cybersecurity. Landau is a noted privacy advocate whose public
advocacy work goes back to the crypto wars of the 1990s. Together with
the renowned Whitfield Diffie, she wrote Privacy on the Line: the
Politics of Wiretapping and Encryption, and she’s about to release a
new book, Surveillance or Security? The Risks Posed by New Wiretapping
Technologies. She didn’t have far to travel to deliver her talk today,
because she’s currently a Radcliffe fellow. The audience, mostly
Harvard CS students and postdocs, was appropriately prepped to follow
her through the cramped and twisting paths of tech policy.

You’d expect a researcher of Landau’s experience to tackle
increasingly difficult problems, and her outline of her current
research certainly fits the expectation. The trigger for this research
is the call by many people, ranging from computer scientists working
on core networking protocols to members of Congress, for an Internet
where people can be tracked. This is called attribution, and
it means that I can be found if I place a threatening anonymous
comment on a blog, or download illegal pornographic material, or
release a virus that places identity-stealing software on ten thousand
computer systems.


The parameters of attribution

A lot of attribution can already be done. A warrant from law
enforcement or a simple request from the RIAA can force ISPs to
surrender information on who used a particular IP address at a
particular time. ISPs keep this information for a period of time, and
even Internet cafes or public libraries could do this too.

People with a bit of sophistication can evade attribution, though. The
virus that’s causing your computer to send out spam or launch a
distributed Denial-of-Service attack may have been placed there
through an unwise visit to a web site years earlier. Security breaches
that pass through multiple systems are what Landau calls “multi-stage”
attribution problems. Proxy servers used by people in countries that
block web traffic, and onion routing networks used by people sending
anonymous email, complicate the security picture too.

Attribution, like the whole larger area of cybersecurity, occupies an
ethical hall of mirrors where no one’s true position is easy to
determine. Obviously, what I consider a crime that I have to uncover
is considered by my quarry to be a liberating act that calls for
protection. We can’t let the RIAA find copyright infringers or help
the FBI trace terrorist networks without letting China and Saudi
Arabia arrest online protesters.

Landau rhetorically asked why the United States has not proposed a
cybersecurity, anti-hacking treaty, and answered by suggesting that
the NSA has been engaging in its own cyber-break-ins for a couple
decades. The view of international cybersecurity she laid out, and
that I’ve read about elsewhere, is quite a jungle. Numerous actors of
varying intent and with varying relationships to the law move in and
out of favor with various governments. Governments spy on companies
for commercial advantage and help companies spy on foreign companies.
Everybody wants just enough security to keep trust in the Internet
from collapsing, without losing competitive advantage in the hacking
wars.

Attribution lies at many levels. For some attacks, Landau says, we
need to know only which machine has launched it. Other attacks need to
be tied to a person, and still others to entities such as corporations
or governments.

Landau’s recommendations, and reactions

In this kind of fast-shifting environment with so many competing
agendas, no prim and elegant solutions will be found. The insights
Landau presented today are a work in progress, and several aspects
were challenged from the floor.

Her main point is that we don’t need to re-architect the Internet to
make users more attributable, and that we shouldn’t try because it
could remove much of what’s good about the Internet. As I mentioned
before, we have a good deal of attribution already. Landau recommends
we refine and expand our legal regimes to deal with current
attribution techniques justly, and extend them a bit.

Her most far-reaching proposal was to run software on ordinary users’
PCs to log Internet traffic for a limited time (30 days, for
instance). This can benefit users by helping them figure out where
some malware might have come from. But it mostly benefits
investigators. When they ask the ISP for traffic information (which
faces a low legal threshold, such as a subpoena), the ISP can ask an
end-user for log files from a short time period. If the user refuses
to keep logs, the ISP would be legally entitled to log all traffic
coming from and to the user.

The whole point of this technical and policy change is to help trace
multi-stage attacks. I’m not sure this would help reduce the fifteen
percent or more of US computers estimated to be infected by malware,
because as I said earlier, the intruders are quite capable of lying
dormant long past the deadline for discarding Internet traffic. Landau
put forward a scenario where an ISP gets a list of infected web sites
that place malware on client systems, and then sends out email to its
customers asking who has visited that web site recently. But its
customers wouldn’t need log files to know whether they had visited the
site.
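To make the retention proposal and the objection to it concrete, here is an added illustration (my own sketch, not code from Landau’s talk or any ISP): a connection log that keeps records for a fixed window, the 30 days mentioned above, and answers the ISP’s question of which local addresses contacted a given host. The addresses, host names and reference date are constructed sample data; the class and function names are my own.

```python
"""Retention-bounded connection log: an added illustration of the
30-day logging idea discussed above, not code from the talk."""
from collections import deque
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # retention window used as the talk's example
NOW = datetime(2010, 11, 1, tzinfo=timezone.utc)  # constructed reference time


class ConnectionLog:
    """Keeps (timestamp, source, destination) records, oldest first."""

    def __init__(self, retention=RETENTION):
        self.retention = retention
        self._records = deque()  # appended in time order

    def record(self, ts, src_ip, dst_host):
        """Append one outbound connection; enforce time order so pruning stays O(k)."""
        if self._records and ts < self._records[-1][0]:
            raise ValueError("records must be appended in time order")
        self._records.append((ts, src_ip, dst_host))

    def prune(self, now):
        """Discard everything older than the retention window (a policy limit,
        not a disk-space measure) and return how many records remain."""
        cutoff = now - self.retention
        while self._records and self._records[0][0] < cutoff:
            self._records.popleft()
        return len(self._records)

    def who_reached(self, dst_host, start, end):
        """The ISP's question: which local sources contacted dst_host in [start, end]?"""
        return sorted({src for ts, src, dst in self._records
                       if dst == dst_host and start <= ts <= end})


def build_sample_log(now):
    """Constructed traffic: TEST-NET addresses and reserved .example hosts."""
    log = ConnectionLog()
    # an infection that landed 45 days ago, i.e. before the retention window
    log.record(now - timedelta(days=45), "192.0.2.10", "malware.example")
    log.record(now - timedelta(days=12), "192.0.2.11", "malware.example")
    log.record(now - timedelta(days=3), "192.0.2.12", "news.example")
    log.record(now - timedelta(days=1), "192.0.2.11", "malware.example")
    return log


def investigate(now):
    """Prune to the retention window, then answer 'who visited malware.example'."""
    log = build_sample_log(now)
    kept = log.prune(now)
    hits = log.who_reached("malware.example", now - RETENTION, now)
    return kept, hits


if __name__ == "__main__":
    print(investigate(NOW))
```

Running `investigate(NOW)` returns three surviving records and only `192.0.2.11` as a visitor: the machine infected 45 days earlier (`192.0.2.10`) has already been pruned, which is exactly the dormant-intruder gap noted above. The same query over a 60-day window on an unpruned log would still name it, so the retention period, not the logging itself, decides what an investigator can learn.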

Landau distinguishes tiers of attribution. The simplest is
single-stage attribution, as when the RIAA identifies a file-sharer or
a blog site identifies a defamatory poster.

Single jurisdiction, multi-stage attribution occurs when a breach has
to be traced across two or more links between computer systems, but
they are both in the same country or in cooperating countries.
Currently, the US works cooperatively with most of Europe and some
Middle Eastern countries to trace illegal traffic. Landau wishes we
could get Russia into the jurisdiction as well. But as she pointed
out, each government has conflicting goals that push and pull it
toward and away from cybersecurity. Diplomacy will be required to
expand cooperation.

The most complex scenario is multiple jurisdiction, multi-stage
attribution. This can be accomplished through treaties and policy
mechanisms.

I wonder whether we should look outside the Internet for solutions to
many security problems, just as e-commerce sites depend on a vast and
sophisticated credit system to protect online transactions. Here’s an
example: spam can be sent anonymously. But if the spammer is also a
scammer, he needs to provide an address where victims send their
money. If your money can find a scammer, so can law enforcement.

Landau took several challenges from the audience, who wondered whether
her solution would be too weak to cover more than a few scenarios or
just, as one person put it, a way to make the RIAA’s work easier. As a
privacy advocate, why is Landau working so hard on technical solutions
to help law enforcement find people?

First, we face many serious cyberthreats that none of us can afford to
ignore, regardless of our love of freedom. Second, Landau wants to
propose low-impact solutions in order to stave off high-impact
ones. She admires the work that organizations such as the Electronic
Privacy Information Center and the ACLU do from a public-interest
angle on privacy, and understands that technology companies can be
motivated to oppose bad policies because of their crimp on
innovation. But in Washington, security trumps all these
concerns. Nobody wants to be caught napping in the event of a major
terror attack or other security breach. Landau is asking them to try
on a new and lighter framework for improving attribution.

Comment from Susan Landau (http://www.privacyink.org):

    I’d like to correct a few points.

    The first is that I said that in the late 1990s the NSA sought to sharply expand their cyberexploitation effort, which is a slightly
    different statement than the one in your blog.

    Second, you are correct that I said that better legal and policy tools are needed for handling cyberexploitation cases. But you omitted the other half of the point, which is that technical tools — specifically better packet-level attribution — are not. This is very important. Through analyzing the cases of DDoS, spam, cybercrime, and cyberexploitation, it becomes clear that improved packet-level attribution tools would not be particularly useful in the most serious of these cases, which are the multi-jurisdictional, multi-stage exploitations. This removes the strongest rationale for arguing that packet-level attribution be included in future network protocols.

    Finally, yes, I did suggest that users’ routers — not their PCs — might be used to log outgoing packets as a potential way to improve
    security. This proposal is to handle malware and botnets, and was made in the context of considering what techniques for handling malware might be worth investigating once, per above, one rules out developing packet-level attribution methods.

    Thanks for giving me the chance to comment.