Rethinking the Cyber Threat: A Framework and Path Forward
SCOTT CHARNEY 
Corporate Vice President 
Trustworthy Computing Group 
Microsoft Corporation
The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. 
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. 
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft. 
Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. 
© 2009 Microsoft Corp. All rights reserved. 
Microsoft is a registered trademark of Microsoft Corp. in the United States and other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 
Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA
Contents 
Introduction
Understanding the Cyber Threat
Rethinking the Cyber Threat
The Problem of Attribution
Categories of Attacks
Conclusion
Introduction 
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations (including nation-states), and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns. 
Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. The purpose of this document is to better explain the cyber threat, identify the reasons why cyber attacks often confound those responsible for crafting responses, and suggest a new framework for creating more effective cyber attack responses. 
Understanding the Cyber Threat 
The cyber threat is difficult to assess and mitigate for six reasons: 
(1) There are many malicious actors. Low-cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware mean that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.
(2) There are as many motives as there are actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare. 
(3) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.
(4) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft. 
(5) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some of which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.
(6) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on. 
In an environment where actors and motives may be unknown and in which the potential consequences may be dire, it is easy to understand why there is great concern. But where there are so many actors with so many motives – and these actors and their activities are commingled with innocuous and even constitutionally protected activities – it is also easy to understand why those responsible for crafting strategic and tactical responses get bogged down. 
To complicate matters even more, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not work well in this new environment. For example, in the United States we have a legacy of organizations that use different authorities to address different threats to public safety and national security. To protect citizens against crime, we hire, train and equip law enforcement personnel and, as part of an investigation, we permit them to issue subpoenas, execute search warrants, and obtain wiretap orders under the Electronic Communications Privacy Act (ECPA). To protect us against those who would steal our military secrets or attack other vital state interests, we rely upon the intelligence community to both collect foreign intelligence and engage in counterintelligence; as part of its work, that community may rely upon a different set of authorities, such as National Security Letters and the Foreign Intelligence Surveillance Act (FISA). Finally, to address the military threat posed by another nation-state, we fund a military that relies on yet a different set of authorities in the United States Code (for example, Title 50 and Title 10). Other countries have a similar separation of authorities. In short, depending upon the category of threat, countries deploy different resources, and each resource plays by its own set of rules.
This traditional model works well when one can identify the nature of the attack; specifically, “who” is attacking and “why.” This traditional model fails in the Information Age because when computers are under attack, the “who” and “why” are frequently unknown. By way of example, many years ago a Russian military plane shot down a Korean civilian jetliner. For a long time, notwithstanding Russian claims of non-responsibility, it was widely believed that state action, or at least rogue military action, was responsible. Why? Because civilians do not have access to fighter jets. But the notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, it is not difficult to obtain computer technology and the skills to misuse it; a potentially powerful arsenal has been placed in the public domain. Our traditional vigilance regarding states that support terrorism, political unrest, or are otherwise considered “rogue” (that is, “nations of concern”) must now be supplemented by vigilance regarding “individuals of concern,” a far larger pool, and one that is harder to identify and harder to contain. If one appreciates that an attack upon a defense department may come not only from a foreign nation conducting information warfare, but also from juveniles living within the victim’s country (as it did in Solar Sunrise, the case name for a cyber attack against the U.S. Department of Defense), then one appreciates that launching a military response might not be the right approach. In short, the world is confronted with two problems: (1) a plethora of attacks by a diverse set of individuals with differing motives and (2) security response systems that are contingent on knowing facts that may be unavailable. 
Rethinking the Cyber Threat 
In a world of such diverse threats and increasing allegations of cyber crime, economic espionage, military espionage, and cyber warfare, it is critically important that governments and cyber security professionals think differently about malicious cyber events and how to respond to them. The starting point is breaking down attacks by attribution and category. With regard to “the who” (and, inferentially perhaps, “the why”), there may be strong attribution, some probability of attribution (high to low), or no attribution. With regard to categories, there are four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare. Each level of attribution and each category of attack raises unique issues regarding response, with one exception. Defensive measures are always appropriate and nothing prevents someone from adopting stronger security measures, such as adopting multi-factor authentication. Strong defenses are not enough, however, as offense almost always beats defense on the Internet. So although stronger defenses might deter some who will seek easier targets (much like locking one’s door encourages a burglar to seek a less-protected house), persistent, well-funded and motivated adversaries are not readily deterred by defenses, especially because defenses have proven insufficient in so many cases.
The Problem of Attribution 
The starting point for any new strategy must focus on attribution because, even though the open and unauthenticated nature of the Internet makes attribution difficult, having some idea of who the bad actor might be is certainly helpful. Today, attribution is extremely difficult for both technical and non-technical reasons. Key data relating to source may not exist or be inaccurate, those who have relevant data may be reluctant to share it, and even governments that want to collaborate may find it difficult to do so because of legal constraints, especially if data must be obtained and shared across jurisdictional boundaries. When data is shared, it may still be hard to reach consensus on what the data means. 
For example, in the recent attacks against Google, many different “theories” regarding actors and motives were advanced. Without in any way suggesting one theory is more plausible than any other, the recent attacks on Google led people to suggest that these attacks were the work of (1) the Chinese Government (“Chinese Attack on Google Among the Most Sophisticated Cyberattacks Ever, Experts Say,” POPSCI, January 15, 2010),1 (2) Chinese universities (“2 China Schools Said to be Tied to Online Attacks,” The New York Times, February 18, 2010),2 or (3) a Chinese hacker (Steve Ragan, “Was Operation Aurora really just a conventional attack?”, January 27, 2010).3 More recently, researchers have expressed some confusion over whether this incident consisted of one attack or two, and have referenced the existence of a Vietnamese Botnet.4 
In light of current realities, it seems that the issue of attribution must be addressed in three ways. First, attribution should be improved where possible. Leaving aside long-term efforts to re-architect the Internet, it is possible to increase attribution through wider application of existing strong authentication technologies (along with appropriate auditing), through more effective technical trace-back mechanisms (when legally permitted), or through more streamlined international assistance (in cases where foreign assistance is practical). For example, even today it is possible to deploy technologies that enforce more robust authentication of hardware and people (for example, TPM to TPM-based authentication, which is multi-factor authentication based upon the issuance of secure digital credentials after in-person proofing).5 The benefits of more robust attribution are that some attackers will be deterred, some attackers will be thwarted, and some attackers may be identified. And although more sophisticated adversaries may still be successful, the fact that some attacks have been deterred or prevented permits organizations to refocus some of their existing security resources on more complex and intractable threats.
1 http://www.popsci.com/technology/article/2010-01/chinese-cyber-attack-google-among-most-sophisticated-ever-experts-say
2 http://www.nytimes.com/2010/02/19/technology/19china.html?partner=rss&emc=rss
3 http://www.thetechherald.com/article.php/201004/5151/Was-Operation-Aurora-really-just-a-conventional-attack
4 http://blog.damballa.com/?p=652
Second, it will likely be important to focus on probability of accurate attribution, as opposed to certainty of attribution. In many areas, of course, absolute certainty is seldom achievable. For this reason, a range of different standards have developed (for example, proof beyond a reasonable doubt, a preponderance of the evidence) and individuals and organizations often have to rely upon probabilities when making critical decisions (such as when opting for one medical treatment over another). Of course, the greater the certainty, the easier it may be to choose a course of action, but that does not mean certainty is required before reasonable action can be taken. 
Third, it will be necessary to decide what actions, if any, are permissible in those cases for which the probability of accurate attribution is low for either technical or non-technical reasons. The “safe” answer is, of course, “none,” at least in terms of reducing international tension regarding unilateral action. But the problem with that answer is it leaves too many threats unaddressed and causes victim countries to assume too much risk to public safety and national security. If this is correct – if the status quo is not acceptable – then a different calculus is required. One possible approach is to focus on probability and harm, and whether that harm can be avoided through traditional mechanisms. If, for example, (1) an attacker has successfully penetrated a critical system; (2) the attacker has the capability of causing serious damage; and (3) timely and meaningful foreign assistance is not forthcoming, affirmative action may be warranted even if one cannot assert, with certainty, that the attacker is affiliated with a particular group.
This approach, of course, highlights the many challenges in this area. What is the right “probability” threshold, what is the right tolerance for “harm,” what constitutes “timely and meaningful assistance,” and what type of response will be viewed as proportionate? Although these are all difficult questions, society has tackled them in other areas. For example, in the areas of nuclear proliferation, development of weapons of mass destruction, and harboring terrorists, countries frequently determine whether another country’s assistance is meaningful, whether negotiations represent progress or a stalling tactic, and what repercussions might be appropriate if forward progress is not made. 
To be clear, one cannot overstate the challenges in this area. While an attack on a supervisory control and data acquisition (SCADA) system may readily suggest the potential of a dire consequence, the impact of other attacks can be far more difficult to predict. For example, scanning a system and accessing accounts without authority may be a prelude to information exfiltration (which is serious, but perhaps not devastating) or the alteration of critical data that might result in serious physical injury or death. A system scan may be the prelude to an attack on the confidentiality of data or a denial of service attack. Such uncertainties can cause inaction and, ultimately, countries will need to discuss what level of risk is tolerable and when certain actions are appropriate. It must also be remembered that national authorities have a wide range of tools at their disposal, from political demarches to economic sanctions to cyber or kinetic counter attacks; as in the physical world, different predicates will justify different responses. But establishing some a priori agreement between nation-states might help define acceptable behaviors and decrease tensions when action is taken.
5 For more on authentication, see the “Establishing End-to-End Trust” white paper at http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/.
Categories of Attacks 
Of course, in some cases attribution – or at least a high probability of accurate attribution – is possible, even if not disclosed publicly. These attacks fall into four different categories. Once this is understood, it becomes clear where society’s current response mechanisms could be improved, and where new strategies must be adopted. 
The first category relates to conventional cyber crimes.6 These crimes include cases in which computers are targeted for traditional criminal purposes, such as fraud, or used as tools to commit traditional offenses (for example, the distribution of child pornography). In this category, existing law enforcement mechanisms generally provide the right framework for response, but much work needs to be done to update and harmonize national legal regimes and increase dramatically the speed of law enforcement execution. Nation-states should be encouraged to pass cyber crime legislation where it is needed, to develop the capability and capacity to fight cyber crime, and to join international efforts (for example, the Council of Europe Convention on Cybercrime). To the extent that other nations refuse to help address this threat, governments should think about the mechanisms they traditionally use to obtain greater international assistance from reluctant countries. Efforts against money laundering and other transnational crimes can provide valuable lessons in this area. 
The second category relates to military espionage cases; more specifically, the allegations that some nation-states intrude into and exfiltrate large amounts of sensitive military data from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves. Knowing it is unlikely that such conduct will stop, countries should aggressively raise their cyber defenses, hone their offensive capabilities, and use those traditional elements of national power that are typically used to address espionage concerns. 
The third category relates to economic espionage cases and other cyber events where governments clearly have philosophical differences about what constitutes acceptable behavior. For example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. By contrast, other countries believe that national security is dependent on economic security and, to achieve economic advantage, it is the government’s role to support indigenous industries by stealing the intellectual property created in other nations (or at least turn a blind eye when a domestic company steals information from foreign competitors). These countries are not deterred by the fact that such an approach is both immoral and nearsighted. It is immoral because the theft of intellectual property is, quite simply, theft, and nearsighted because a country cannot establish a culture of innovation and achieve true economic advantage if intellectual property rights are not respected. Where countries do have such philosophical differences, international diplomacy should focus on establishing appropriate international norms and codifying those norms in international agreements, as has been done in other areas.
6 The cyber crime category is by far the broadest as it captures the largest numbers of actors (from juveniles to repeat offenders) and the largest number of motives/actions (from tampering with one’s school grades to committing complex fraud to causing significant damage to an IT system in a non-warfare context). Clearly, international government responses will have to be flexible and proportional.
Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech. With regard to economic espionage, the debate is a fairly binary one: either the theft of property for national economic benefit is appropriate or it is not. By contrast, the right of free speech rests along a continuum: some countries are more restrictive than others. In such cases, questions may arise regarding the extent to which speech is restricted (there is, for example, a big difference between criminalizing hate speech and criminalizing religious or political speech) as well as whether the government that restricts speech was democratically elected (thus indicating that any restrictions are sanctioned by the populace). To complicate matters even more, when countries do negotiate international agreements and set normative behavior, it is common to have a treaty provision – essentially a carve out – that reserves to governments the authority to take those actions necessary to protect public order and national security, notwithstanding other provisions of the treaty. Because countries will not waive this sovereign right to protect public safety – and because limitations on speech are often justified as necessary to maintain public order – it is unlikely that negotiations will easily yield new normative behaviors. Still, agreements on the margins may be achievable. For example, in an age in which user-created content is transmitted across global IT systems and stored in a cloud, ensuring safe harbor for those who provide the “pipes” or “cloud services” would be warranted, particularly if they are responsive when issues of legality are raised.
The fourth category relates to cyber warfare, a particularly difficult area because, as noted earlier, the Internet is a shared and integrated domain. In the physical world, it is easier to separate troops from hospitals, and there are even rules of war that govern permissible responses when troops launch attacks from hospital rooftops. The Internet does not permit such clean demarcations. But today there is also another problem: society is redefining “warfare.” As is well known, an individual recently attempted to bomb an airliner travelling to Detroit, Michigan. Reported evidence suggested this individual had connections to a known terrorist group and, in the aftermath of that attempted attack, there was a debate about whether this individual was a criminal who should be read his constitutional rights (given his “Miranda” warnings) or an enemy combatant who belonged in military custody. Of course, in future cases, a person sympathetic to an extremist cause might undertake to blow up a plane without any formal connection to any organized terrorist group; the actor might simply be a sympathizer who is acting alone. If this happened, a nation-state might well find itself “at war” with a single individual. Asymmetric warfare has significant implications for cyber attacks, because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to engage a nation-state in cyber warfare. Rules for such asymmetric cyber warfare will need to be considered.
But even if cyber warfare were restricted to nation-state activity, the risk of casualties to critical infrastructures and non-combatant property would be significant, especially when one considers that the unintended consequences of an attack may be hard to predict. Much has been written about this (see, for example, the National Research Council Report, “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,”7) and it is not my intention to repeat those lengthy dissertations here. Suffice it to say, domestic views and international agreements regarding what constitutes appropriate military activity in this shared and integrated domain will be increasingly important as militaries around the world hone their cyber capabilities, and as Internet growth and cloud computing make civilians even more dependent on our IT infrastructure. Indeed, if the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic “Geneva Convention” that protects the rights of non-combatants.
The preceding four categories are important not because they eliminate all the hard questions (they do not), but because they do in some cases make it easier to develop preventative and reactive strategies in cases where attribution exists. They also can help reduce the paralysis that may occur when one attempts to design a single strategy for the myriad threats that are similar only in their use of technology. 
Conclusion 
There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding to both non-attributed and attributed attacks would enable the development and implementation of better strategies and tactics for responding to cyber threats. 
If this analysis is correct, the course of future action becomes clearer:
• There must be innovation related to attribution. This includes both technological innovation (to permit sources to be found technically) and legal/diplomatic innovation (to allow the data to be shared quickly, even across borders).
• To deal with cyber crime, it is important for countries to adopt national laws that protect cyber space, build law enforcement capability and capacity, and support international efforts to fight cyber crime.
• To address economic espionage and other areas of philosophical disagreement, there must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.
• To address military espionage, nation-states must improve the state of their own computer security, build offensive capabilities as appropriate, and rely upon existing diplomatic and political mechanisms to address disputes.
• To address cyber warfare issues, countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyber space behavior. Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.
7 Available at http://www.nap.edu/catalog.php?record_id=12651.

2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
David Sweigert
 
Cybersecurity under the Trump Administration
Cybersecurity under the Trump AdministrationCybersecurity under the Trump Administration
Cybersecurity under the Trump Administration
Brunswick Group
 
Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Kate Neal
 

What's hot (19)

Privacy in the Information Age
Privacy in the Information AgePrivacy in the Information Age
Privacy in the Information Age
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
 
B susser researchpaper (2)
B susser researchpaper (2)B susser researchpaper (2)
B susser researchpaper (2)
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radar
 
Chapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsChapter 12 - Computer Forensics
Chapter 12 - Computer Forensics
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Laudon traver ec10-im_ch05
Laudon traver ec10-im_ch05Laudon traver ec10-im_ch05
Laudon traver ec10-im_ch05
 
2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINAL
 
Dni nato cyber panel via the intercept
Dni nato cyber panel via the interceptDni nato cyber panel via the intercept
Dni nato cyber panel via the intercept
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017
 
Marriage of Cyber Security with Emergency Management
Marriage of Cyber Security with Emergency ManagementMarriage of Cyber Security with Emergency Management
Marriage of Cyber Security with Emergency Management
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
 
Cyber Threat to Public Safety Communications
Cyber Threat to Public Safety CommunicationsCyber Threat to Public Safety Communications
Cyber Threat to Public Safety Communications
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
 
Cybersecurity under the Trump Administration
Cybersecurity under the Trump AdministrationCybersecurity under the Trump Administration
Cybersecurity under the Trump Administration
 
Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2
 

Viewers also liked

Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
Microsoft
 
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
Microsoft
 
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
Microsoft
 
Salgsproduktivitet og effektiv sagsbehandling
Salgsproduktivitet og effektiv sagsbehandlingSalgsproduktivitet og effektiv sagsbehandling
Salgsproduktivitet og effektiv sagsbehandling
Microsoft
 
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...Microsoft
 
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft
 
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
Microsoft
 
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...Microsoft
 
Group Brainstorming - Jason Mraz
Group Brainstorming - Jason MrazGroup Brainstorming - Jason Mraz
Group Brainstorming - Jason Mrazdannyhammond1
 
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
Microsoft
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Microsoft
 
научная деятельность студента в вузе
научная деятельность студента в вузенаучная деятельность студента в вузе
научная деятельность студента в вузе
Виктор Крысов (Viktor Krysov)
 
Microsoft Internet of Things konference 2015 - Microsoft og Internet of Things
Microsoft Internet of Things konference 2015 - Microsoft og Internet of ThingsMicrosoft Internet of Things konference 2015 - Microsoft og Internet of Things
Microsoft Internet of Things konference 2015 - Microsoft og Internet of Things
Microsoft
 
Microsoft Next 2014, Device Workshop v. Louise Harders
Microsoft Next 2014, Device Workshop v. Louise HardersMicrosoft Next 2014, Device Workshop v. Louise Harders
Microsoft Next 2014, Device Workshop v. Louise Harders
Microsoft
 
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft
 
Медиапроект Pubtime. Презентация для инвестора
Медиапроект Pubtime. Презентация для инвестораМедиапроект Pubtime. Презентация для инвестора
Медиапроект Pubtime. Презентация для инвестора
Виктор Крысов (Viktor Krysov)
 
Смерть не умеет играть в футбол
Смерть не умеет играть в футболСмерть не умеет играть в футбол
Смерть не умеет играть в футбол
Виктор Крысов (Viktor Krysov)
 
Трейвиш А.И. Страноведение. Лекция 6
Трейвиш А.И. Страноведение. Лекция 6Трейвиш А.И. Страноведение. Лекция 6
Трейвиш А.И. Страноведение. Лекция 6
Виктор Крысов (Viktor Krysov)
 
Трейвиш. А.И. Страноведение. Лекция 8, часть1.
Трейвиш. А.И. Страноведение. Лекция 8, часть1. Трейвиш. А.И. Страноведение. Лекция 8, часть1.
Трейвиш. А.И. Страноведение. Лекция 8, часть1.
Виктор Крысов (Viktor Krysov)
 
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...Microsoft
 

Viewers also liked (20)

Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
Hør hvordan Windows Azure hjælper Danmarks Miljøportal til fleksibilitet og b...
 
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
Microsoft Next 2014 - Insights session 1 - Mobilt BI i Søfartsstyrelsen – tan...
 
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
Cyber Security Conference - Praktiske erfaringer med Implementering af Cyber ...
 
Salgsproduktivitet og effektiv sagsbehandling
Salgsproduktivitet og effektiv sagsbehandlingSalgsproduktivitet og effektiv sagsbehandling
Salgsproduktivitet og effektiv sagsbehandling
 
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...
Business Insight 2014 - Fra erfaringsbaseret til videns baseret produktion, s...
 
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
 
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
Cyber Security Conference - Velkommen & overblik over dagens indhold, v/ Tekn...
 
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...
Business Insight 2014 - Små og store data - hvad kan de bruges til, hvordan f...
 
Group Brainstorming - Jason Mraz
Group Brainstorming - Jason MrazGroup Brainstorming - Jason Mraz
Group Brainstorming - Jason Mraz
 
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
Microsoft Next 2014 - Productivity session 3b - Yammer og Lundbeck, v. Martin...
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
 
научная деятельность студента в вузе
научная деятельность студента в вузенаучная деятельность студента в вузе
научная деятельность студента в вузе
 
Microsoft Internet of Things konference 2015 - Microsoft og Internet of Things
Microsoft Internet of Things konference 2015 - Microsoft og Internet of ThingsMicrosoft Internet of Things konference 2015 - Microsoft og Internet of Things
Microsoft Internet of Things konference 2015 - Microsoft og Internet of Things
 
Microsoft Next 2014, Device Workshop v. Louise Harders
Microsoft Next 2014, Device Workshop v. Louise HardersMicrosoft Next 2014, Device Workshop v. Louise Harders
Microsoft Next 2014, Device Workshop v. Louise Harders
 
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
Microsoft Next 2014 - Productivity session 5 - Projektoverblik, effektivt sam...
 
Медиапроект Pubtime. Презентация для инвестора
Медиапроект Pubtime. Презентация для инвестораМедиапроект Pubtime. Презентация для инвестора
Медиапроект Pubtime. Презентация для инвестора
 
Смерть не умеет играть в футбол
Смерть не умеет играть в футболСмерть не умеет играть в футбол
Смерть не умеет играть в футбол
 
Трейвиш А.И. Страноведение. Лекция 6
Трейвиш А.И. Страноведение. Лекция 6Трейвиш А.И. Страноведение. Лекция 6
Трейвиш А.И. Страноведение. Лекция 6
 
Трейвиш. А.И. Страноведение. Лекция 8, часть1.
Трейвиш. А.И. Страноведение. Лекция 8, часть1. Трейвиш. А.И. Страноведение. Лекция 8, часть1.
Трейвиш. А.И. Страноведение. Лекция 8, часть1.
 
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...
Business insight 2014 - Social Media Analytics, Thomas Normann-Ekegren, Micro...
 

Similar to Cyber Security Conference - Rethinking cyber-threat

Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesTam Nguyen
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Finland s cyber security strategy background dossier
Finland s cyber security strategy   background dossierFinland s cyber security strategy   background dossier
Finland s cyber security strategy background dossierYury Chemerkin
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxThe uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
arnoldmeredith47041
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
Spark Security
 
The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information Security
Simoun Ung
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
The literature and write report on information system security part 1 of 5 p...
The literature and write report on information system security  part 1 of 5 p...The literature and write report on information system security  part 1 of 5 p...
The literature and write report on information system security part 1 of 5 p...
raufik tajuddin
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
security_threats.pdf and control mechanisms
security_threats.pdf and control mechanismssecurity_threats.pdf and control mechanisms
security_threats.pdf and control mechanisms
ronoelias98
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundo
hdbundo
 
Cyber crime
Cyber crimeCyber crime
Cyber crime24sneha
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloJohn Intindolo
 
White Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US LocalizedWhite Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US LocalizedStuart Clarke
 
Cyber Terrorism Essay
Cyber Terrorism EssayCyber Terrorism Essay
Cyber Terrorism Essay
Custom Paper Services
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docx
jessiehampson
 

Similar to Cyber Security Conference - Rethinking cyber-threat (20)

Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposed
 
Finland s cyber security strategy background dossier
Finland s cyber security strategy   background dossierFinland s cyber security strategy   background dossier
Finland s cyber security strategy background dossier
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxThe uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information Security
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
A01450131
A01450131A01450131
A01450131
 
The literature and write report on information system security part 1 of 5 p...
The literature and write report on information system security  part 1 of 5 p...The literature and write report on information system security  part 1 of 5 p...
The literature and write report on information system security part 1 of 5 p...
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
security_threats.pdf and control mechanisms
security_threats.pdf and control mechanismssecurity_threats.pdf and control mechanisms
security_threats.pdf and control mechanisms
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundo
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
 
White Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US LocalizedWhite Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US Localized
 
Cyber Terrorism Essay
Cyber Terrorism EssayCyber Terrorism Essay
Cyber Terrorism Essay
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docx
 

Recently uploaded

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Cyber Security Conference - Rethinking cyber-threat

  • 1. Rethinking the Cyber Threat A Framework and Path Forward SCOTT CHARNEY Corporate Vice President Trustworthy Computing Group Microsoft Corporation
  • 2. The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. © 2009 Microsoft Corp. All rights reserved. Microsoft is a registered trademark of Microsoft Corp. in the United States and other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA
  • 3. Contents
      Introduction 5
      Understanding the Cyber Threat 5
      Rethinking the Cyber Threat 7
      The Problem of Attribution 8
      Categories of Attacks 10
      Conclusion 12
  • 4.
  • 5. Introduction

For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations (including nation-states), and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.

Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. The purpose of this document is to better explain the cyber threat, identify the reasons why cyber attacks often confound those responsible for crafting responses, and suggest a new framework for creating more effective cyber attack responses.

Understanding the Cyber Threat

The cyber threat is difficult to assess and mitigate for six reasons:

(1) There are many malicious actors. Low cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware means that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.

(2) There are as many motives as there are actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare.

(3) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.
  • 6. (4) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.

(5) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some of which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.

(6) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.

In an environment where actors and motives may be unknown and in which the potential consequences may be dire, it is easy to understand why there is great concern. But where there are so many actors with so many motives – and these actors and their activities are commingled with innocuous and even constitutionally protected activities – it is also easy to understand why those responsible for crafting strategic and tactical responses get bogged down.

To complicate matters even more, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not work well in this new environment. For example, in the United States we have a legacy of organizations that use different authorities to address different threats to public safety and national security. To protect citizens against crime, we hire, train and equip law enforcement personnel and, as part of an investigation, we permit them to issue subpoenas, execute search warrants, and obtain wiretap orders under the Electronic Communications Privacy Act (ECPA). To protect us against those who would steal
  • 7. our military secrets or attack other vital state interests, we rely upon the intelligence community to both collect foreign intelligence and engage in counterintelligence; as part of its work, that community may rely upon a different set of authorities, such as National Security Letters and the Foreign Intelligence Surveillance Act (FISA). Finally, to address the military threat posed by another nation-state, we fund a military that relies on yet a different set of authorities in the United States code (for example, Title 50 and Title 10). Other countries have a similar separation of authorities.

In short, depending upon the category of threat, countries deploy different resources, and each resource plays by its own set of rules. This traditional model works well when one can identify the nature of the attack; specifically, “who” is attacking and “why.” This traditional model fails in the Information Age because when computers are under attack, the “who” and “why” are frequently unknown.

By way of example, many years ago a Russian military plane shot down a Korean civilian jetliner. For a long time, notwithstanding Russian claims of non-responsibility, it was widely believed that state action, or at least rogue military action, was responsible. Why? Because civilians do not have access to fighter jets. But the notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, it is not difficult to obtain computer technology and the skills to misuse it; a potentially powerful arsenal has been placed in the public domain. Our traditional vigilance regarding states that support terrorism, political unrest, or are otherwise considered “rogue” (that is, “nations of concern”) must now be supplemented by vigilance regarding “individuals of concern,” a far larger pool, and one that is harder to identify and harder to contain. If one appreciates that an attack upon a defense department may come not only from a foreign nation conducting information warfare, but also from juveniles living within the victim’s country (as it did in Solar Sunrise, the case name for a cyber attack against the U.S. Department of Defense), then one appreciates that launching a military response might not be the right approach.

In short, the world is confronted with two problems: (1) a plethora of attacks by a diverse set of individuals with differing motives and (2) security response systems that are contingent on knowing facts that may be unavailable.

Rethinking the Cyber Threat

In a world of such diverse threats and increasing allegations of cyber crime, economic espionage, military espionage, and cyber warfare, it is critically important that governments and cyber security professionals think differently about malicious cyber events and how to respond to them. The starting point is breaking down attacks by attribution and category. With regard to “the who” (and, inferentially perhaps, “the why”), there may be strong attribution, some probability of attribution (high to low), or no attribution. With regard to categories, there are four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare.

Each level of attribution and each category of attack raises unique issues regarding response with one exception. Defensive measures are always appropriate and nothing prevents someone from adopting stronger security measures, such as adopting multi-factor authentication. Strong defenses are not enough, however, as offense almost always beats defense on the Internet. So although stronger defenses might deter some who will seek easier targets (much like
  • 8. locking one’s door encourages a burglar to seek a less-protected house), persistent, well-funded and motivated adversaries are not readily deterred by defenses, especially because defenses have proven insufficient in so many cases.

The Problem of Attribution

The starting point for any new strategy must focus on attribution because, even though the open and unauthenticated nature of the Internet makes attribution difficult, having some idea of who the bad actor might be is certainly helpful. Today, attribution is extremely difficult for both technical and non-technical reasons. Key data relating to source may not exist or be inaccurate, those who have relevant data may be reluctant to share it, and even governments that want to collaborate may find it difficult to do so because of legal constraints, especially if data must be obtained and shared across jurisdictional boundaries.

When data is shared, it may still be hard to reach consensus on what the data means. For example, in the recent attacks against Google, many different “theories” regarding actors and motives were advanced. Without in any way suggesting one theory is more plausible than any other, the recent attacks on Google led people to suggest that these attacks were the work of (1) the Chinese Government (“Chinese Attack on Google Among the Most Sophisticated Cyberattacks Ever, Experts Say,” POPSCI, January 15, 2010),[1] (2) Chinese universities (“2 China Schools Said to be Tied to Online Attacks,” The New York Times, February 18, 2010),[2] or (3) a Chinese hacker (Steve Ragan, “Was Operation Aurora really just a conventional attack?”, January 27, 2010).[3] More recently, researchers have expressed some confusion over whether this incident consisted of one attack or two, and have referenced the existence of a Vietnamese Botnet.[4]

In light of current realities, it seems that the issue of attribution must be addressed in three ways.

First, attribution should be improved where possible. Leaving aside long-term efforts to re-architect the Internet, it is possible to increase attribution through wider application of existing strong authentication technologies (along with appropriate auditing), through more effective technical trace-back mechanisms (when legally permitted), or through more streamlined international assistance (in cases where foreign assistance is practical). For example, even today it is possible to deploy technologies that enforce more robust authentication of hardware and people (for example, TPM to TPM-based authentication, which is multi-factor authentication based upon the issuance of secure digital

[1] http://www.popsci.com/technology/article/2010-01/chinese-cyber-attack-google-among-most-sophisticated-ever-experts-say
[2] http://www.nytimes.com/2010/02/19/technology/19china.html?partner=rss&emc=rss)
[3] http://www.thetechherald.com/article.php/201004/5151/Was-Operation-Aurora-really-just-a-conventional-attack
[4] http://blog.damballa.com/?p=652
  • 9. credentials after in-person proofing).[5] The benefits of more robust attribution are that some attackers will be deterred, some attackers will be thwarted, and some attackers may be identified. And although more sophisticated adversaries may still be successful, the fact that some attacks have been deterred or prevented permits organizations to refocus some of their existing security resources on more complex and intractable threats.

Second, it will likely be important to focus on probability of accurate attribution, as opposed to certainty of attribution. In many areas, of course, absolute certainty is seldom achievable. For this reason, a range of different standards have developed (for example, proof beyond a reasonable doubt, a preponderance of the evidence) and individuals and organizations often have to rely upon probabilities when making critical decisions (such as when opting for one medical treatment over another). Of course, the greater the certainty, the easier it may be to choose a course of action, but that does not mean certainty is required before reasonable action can be taken.

Third, it will be necessary to decide what actions, if any, are permissible in those cases for which the probability of accurate attribution is low for either technical or non-technical reasons. The “safe” answer is, of course “none,” at least in terms of reducing international tension regarding unilateral action. But the problem with that answer is it leaves too many threats unaddressed and causes victim countries to assume too much risk to public safety and national security. If this is correct – if the status quo is not acceptable – then a different calculus is required. One possible approach is to focus on probability and harm, and whether that harm can be avoided through traditional mechanisms. If, for example, (1) an attacker has successfully penetrated a critical system; (2) the attacker has the capability of causing serious damage; and (3) timely and meaningful foreign assistance is not forthcoming, affirmative action may be warranted even if one cannot assert, with certainty, that the attacker is affiliated with a particular group.

This approach, of course, highlights the many challenges in this area. What is the right “probability” threshold, what is the right tolerance for “harm,” what constitutes “timely and meaningful assistance,” and what type of response will be viewed as proportionate? Although these are all difficult questions, society has tackled them in other areas. For example, in the areas of nuclear proliferation, development of weapons of mass destruction, and harboring terrorists, countries frequently determine whether another country’s assistance is meaningful, whether negotiations represent progress or a stalling tactic, and what repercussions might be appropriate if forward progress is not made.

To be clear, one cannot overstate the challenges in this area. While an attack on a supervisory control and data acquisition (SCADA) system may readily suggest the potential of a dire consequence, the impact of other attacks can be far more difficult to predict. For example, scanning a system and accessing accounts without authority may be a prelude to information exfiltration (which is serious, but perhaps not devastating) or the alteration of critical data that might result in serious physical injury or death. A system scan may be the prelude to an attack on the confidentiality of data or a denial of service

[5] For more on authentication, see the “Establishing End-to-End Trust” white paper at http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/.
  • 10. attack. Such uncertainties can cause inaction and, ultimately, countries will need to discuss what level of risk is tolerable and when certain actions are appropriate. It must also be remembered that national authorities have a wide range of tools at their disposal, from political demarches to economic sanctions to cyber or kinetic counter attacks; as in the physical world, different predicates will justify different responses. But establishing some a priori agreement between nation-states might help define acceptable behaviors and decrease tensions when action is taken.

Categories of Attacks

Of course, in some cases attribution – or at least a high probability of accurate attribution – is possible, even if not disclosed publicly. These attacks fall into four different categories. Once this is understood, it becomes clear where society’s current response mechanisms could be improved, and where new strategies must be adopted.

The first category relates to conventional cyber crimes.[6] These crimes include cases in which computers are targeted for traditional criminal purposes, such as fraud, or used as tools to commit traditional offenses (for example, the distribution of child pornography). In this category, existing law enforcement mechanisms generally provide the right framework for response, but much work needs to be done to update and harmonize national legal regimes and increase dramatically the speed of law enforcement execution. Nation-states should be encouraged to pass cyber crime legislation where it is needed, to develop the capability and capacity to fight cyber crime, and to join international efforts (for example, the Council of Europe Convention on Cybercrime). To the extent that other nations refuse to help address this threat, governments should think about the mechanisms they traditionally use to obtain greater international assistance from reluctant countries. Efforts against money laundering and other transnational crimes can provide valuable lessons in this area.

The second category relates to military espionage cases; more specifically, the allegations that some nation-states intrude into and exfiltrate large amounts of sensitive military data from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves. Knowing it is unlikely that such conduct will stop, countries should aggressively raise their cyber defenses, hone their offensive capabilities, and use those traditional elements of national power that are typically used to address espionage concerns.

The third category relates to economic espionage cases and other cyber events where governments clearly have philosophical differences about what constitutes acceptable behavior. For

[6] The cyber crime category is by far the broadest as it captures the largest numbers of actors (from juveniles to repeat offenders) and the largest number of motives/actions (from tampering with one’s school grades to committing complex fraud to causing significant damage to an IT system in a non-warfare context). Clearly, international government responses will have to be flexible and proportional.
  • 11. example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. By contrast, other countries believe that national security is dependent on economic security and, to achieve economic advantage, it is the government’s role to support indigenous industries by stealing the intellectual property created in other nations (or at least turn a blind eye when a domestic company steals information from foreign competitors). These countries are not deterred by the fact that such an approach is both immoral and nearsighted. It is immoral because the theft of intellectual property is, quite simply, theft, and nearsighted because a country cannot establish a culture of innovation and achieve true economic advantage if intellectual property rights are not respected. Where countries do have such philosophical differences, international diplomacy should focus on establishing appropriate international norms and codifying those norms in international agreements, as has been done in other areas.

Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech. With regard to economic espionage, the debate is a fairly binary one: either the theft of property for national economic benefit is appropriate or it is not. By contrast, the right of free speech rests along a continuum: some countries are more restrictive than others. In such cases, questions may arise regarding the extent to which speech is restricted (there is, for example, a big difference between criminalizing hate speech and criminalizing religious or political speech) as well as whether the government that restricts speech was democratically elected (thus indicating that any restrictions are sanctioned by the populace). To complicate matters even more, when countries do negotiate international agreements and set normative behavior, it is common to have a treaty provision – essentially a carve out – that reserves to governments the authority to take those actions necessary to protect public order and national security, notwithstanding other provisions of the treaty. Because countries will not waive this sovereign right to protect public safety – and because limitations on speech are often justified as necessary to maintain public order – it is unlikely that negotiations will easily yield new normative behaviors. Still, agreements on the margins may still be achievable. For example, in an age in which user-created content is transmitted across global IT systems and stored in a cloud, ensuring safe harbor for those who provide the “pipes” or “cloud services” would be warranted, particularly if they are responsive when issues of legality are raised.

The fourth category relates to cyber warfare, a particularly difficult area because, as noted earlier, the Internet is a shared and integrated domain. In the physical world, it is easier to separate troops from hospitals, and there are even rules of war that govern permissible responses when troops launch attacks from hospital rooftops. The Internet does not permit such clean demarcations.

But today there is also another problem: society is redefining “warfare.” As is well known, an individual recently attempted to bomb an airliner travelling to Detroit, Michigan. Reported evidence suggested this individual had connections to a known terrorist group and, in the aftermath of that attempted attack, there was a debate about whether this individual was a criminal who should be read his constitutional rights (given his “Miranda” warnings) or an enemy combatant who belonged in military custody. Of course, in future cases, a person sympathetic to an extremist cause might undertake to blow up a plane without any formal connection to any organized terrorist group; the actor might simply be a
  • 12. sympathizer who is acting alone. If this happened, a nation-state might well find itself “at war” with a single individual. Asymmetric warfare has significant implications for cyber attacks, because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to engage a nation-state in cyber warfare. Rules for such asymmetric cyber warfare will need to be considered.

But even if cyber warfare was restricted to nation-state activity, the risk of casualties to critical infrastructures and non-combatant property would be significant, especially when one considers that the unintended consequences of an attack may be hard to predict. Much has been written about this (see, for example, the National Research Council Report, “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,”[7]) and it is not my intention to repeat those lengthy dissertations here. Suffice to say, domestic views and international agreements regarding what constitutes appropriate military activity in this shared and integrated domain will be increasingly important as militaries around the world hone their cyber capabilities, and as Internet growth and cloud computing make civilians even more dependent on our IT infrastructure. Indeed, if the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic “Geneva Convention” that protects the rights of non-combatants.

The preceding four categories are important not because they eliminate all the hard questions (they do not), but because they do in some cases make it easier to develop preventative and reactive strategies in cases where attribution exists. They also can help reduce the paralysis that may occur when one attempts to design a single strategy for the myriad threats that are similar only in their use of technology.

Conclusion

There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding to both non-attributed and attributed attacks would enable the development and implementation of better strategies and tactics for responding to cyber threats. If this analysis is correct, the course of future action becomes clearer:

- There must be innovation related to attribution. This includes both technological innovation (to permit sources to be found technically) and legal/diplomatic innovation (to allow the data to be shared quickly, even across borders).

[7] Available at http://www.nap.edu/catalog.php?record_id=12651.
  • 13.
- To deal with cyber crime, it is important for countries to adopt national laws that protect cyber space, build law enforcement capability and capacity, and support international efforts to fight cybercrime.
- To address economic espionage and other areas of philosophical disagreement, there must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.
- To address military espionage, nation-states must improve the state of their own computer security, build offensive capabilities as appropriate, and rely upon existing diplomatic and political mechanisms to address disputes.
- To address cyber warfare issues, countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyber space behavior.

Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.