Several news items of late have addressed the thorny issue of cyber attribution; that is, the ability to identify the sources of Web and network attacks. For cyber companies and some government agencies, attribution is the Holy Grail. Without attribution, there can be no real retribution for cyber attacks. If you don’t know (with certainty) who did it, you cannot respond. If you cannot respond, even if you have the means to do so, you become an impotent giant and therefore have no deterrence.
The counter augment, made last week by several experts before Congress, is that if we develop a means of attribution (technology that attributes cyber attacks to the criminals who conducted them), soon bad governments will get it too. They will surely use it against dissident elements inside their own countries to suppress free speech and abridge other civil rights of all sorts. Some folks in the United States worry that our own government will use technology of this sort for similarly nefarious purposes.
So, should we consciously forgo the possibility of deterring bad guys from cyber crime, cyber terror and cyber war because the technology could be used badly? I think the answer is clearly “no.”
Even if the United States and our democratic allies chose not to pursue the sort of technology needed to attribute cyber attacks, repressive countries will still eventually develop their own and use it against their people. We should be as vigorous as possible in discouraging the repression of civil rights, but we cannot give up the possibility of adding to our own protection.
This is one of those situations where national interests trump our idealist desires. If we could keep the attribution technology away forever, you might have an argument, but that is a pipe dream. We should develop it as soon as possible, keep it as closely held as we can for as long as we can, and then use diplomacy to mitigate its improper use. In some cases, that is the best we can do.
