The European Union can now impose sanctions on hackers and their supporters, freezing their assets and banning their entry to the EU. The new legal regime, live from May, was welcomed by politicians, including Foreign Secretary Jeremy Hunt.
He said: “Hostile actors have been threatening the EU’s security through disrupting critical infrastructure, attempts to undermine democracy and stealing commercial secrets and money running to billions of Euros. We must now look to impose travel bans and asset freezes against those we know have been responsible for this.”
But is it really likely to deliver results? Computer Business Review asked a range of businesses in the sector, drawing decidedly mixed reactions.
EU Cyber Sanctions: Industry Reacts
Anthony Young, director at Bridewell Consulting told us: “This is a really positive step for businesses. In the past there’s been little legislation developed to deal with hackers and there’s been nothing in place to deter them.
“For the cyber security industry, we’ve always maintained that there needs to be strong collaboration between businesses, governments and law enforcement in order to address the escalating threat of cyberattacks.”
Yet with attribution tough at the best of times, is the legislation likely to see much use?
Matt Aldridge, Senior Solutions Architect at Webroot, told Computer Business Review that while the initiative has merit, there are serious questions that need to be asked: “How will attribution be verified to the point that the EU Council have a high enough degree of certainty to enact the sanctions on an individual or entity?”
He added: “Attribution in any cyber attack is extraordinarily difficult, and serious threat actors take great care to cover their tracks, to hide their locations and even to appear to look like other threat actors.”
Aldridge raised the concern that the EU could potentially be handing threat actors an incentive to set up false flags, or to shift the blame onto ethical hackers or organisations. Criminals could leave an evidence trail that results in the EU falsely accusing people of the actions of others. There is a concern that the sanctions could become ‘yet another weapon’ that can be used to manipulate situations and people to suit the aims of threat actors or nation states.
Laurie Mercer, a security engineer at HackerOne, told us that while most initiatives designed to reduce the threat of malicious agents online should be welcomed, the regime may run the risk of interfering with white hats, emphasising the ongoing need to ensure ethical hackers still feel safe to responsibly identify and report vulnerabilities.
State Actors Still Remain Untouchable
Working as a state-sponsored cyber criminal comes with a host of benefits, the most obvious being financial and infrastructural support; states also typically hoard zero-day (previously undisclosed and unpatched) vulnerabilities to attack systems.
Dave Klein, senior director of engineering and architecture at Tel Aviv’s Guardicore was less than impressed with the legislation. He told us: “If the main premise is to protect EU critical infrastructure as this article portends: then no – this will do very little.”
Nation state actors often work with the most sophisticated toolboxes at hand, are well versed in hiding their trail, and often create false flag operations to throw off cybersecurity researchers: while nobody is infallible, the risk of attribution going awry is not inconsiderable. A key part of a threat actor’s toolkit is the manipulation of online infrastructure so that they bounce between multiple networks on their way to their intended target. This may also involve the hijacking of computers for use in botnet attacks. (Recently we saw the hacker group Waterbug take over a section of a rival’s compromised network infrastructure to attack a nation state.)
Klein concluded that any effort to tackle nation state actors will prove highly difficult: “They use other nation states’ toolkits and even language character sets to hide their origin. Furthermore – they also hire criminal hackers to work for them via proxy to muddy the waters further.”
He added: “Finally, while we’ve seen a few cases of individual Russian and Chinese APT hackers being called out recently – the majority of the time – even when a nation state is uncovered, rarely if ever do we know the identity of the individual hackers.”
Names do, periodically, get named, of course: the most recent obvious example being a 2018 indictment by special counsel Robert Mueller, which named those responsible for the DNC hack as GRU officers Viktor Netyksho, Boris Antonov, Dmitriy Badin, Ivan Yermakov, Aleksey Lukashev, Sergey Morgachev, Nikolay Kozachek, Pavel Yershov, Artem Malyshev, Aleksandr Osadchuk, and Aleksey Potemkin.
Whether such periodic examples, along with the EU’s beefed-up legislative powers, are enough to disincentivise malicious probing of EU infrastructure remains an open question: most agree that it seems unlikely.