Tracking source of South Korean cyber attack illustrates challenges for U.S.

The ongoing analysis of the crippling if short-lived computer attack last week against South Korean financial institutions and media companies highlights some of the key difficulties facing the United States and other nations trying to establish policies, procedures, and offensive and defensive cyber-security capabilities. Immediate reaction pointed suspiciously to North Korea and China as the most likely perpetrators of the attack, with initial news reports citing Chinese IP addresses identified as the source of the attack. Subsequent analysis produced a less clear picture: security analysts suggested that certain characteristics of the attack made it appear to have come from a well-resourced attacker such as a government-sponsored program, but retreated from earlier conclusions attributing the attack to China.

Given current tensions between South and North Korea, looking by default to the North is understandable, and concerns over state-sponsored cyber-espionage have intensified in recent weeks, driven in part by the publication in February of a detailed report from security firm Mandiant presenting the results of a technical analysis of Chinese government-sponsored spying activities.

The inability to pinpoint the source of a major attack with any great degree of confidence presents a substantial risk to cyber defense operations such as U.S. Cyber Command (USCYBERCOM), particularly as they shift from largely defensive or retaliatory positioning to a greater emphasis on offensive capabilities. The technical ability to disable an adversary or to impact the computing or critical infrastructure of another nation is less an issue than knowing with some certainty that the targets of such activity are in fact the adversary in question. Anyone with even a rudimentary knowledge of network protocols and behavior understands the relative simplicity of masking an online identity by using a falsified source IP address, to say nothing of the possibility that a computer or other device in another country to which malicious activity is accurately traced may itself have been compromised to serve as a launching point for attackers in entirely different locations. In the case of the South Korea attack, the IP address originally linked to a Chinese source turned out to belong to a computer at one of the targeted companies. South Korean officials never explicitly blamed China for the attack, suspecting instead that North Korea was responsible, possibly assisted by the Chinese or at least using infrastructure that belongs to China. It is not yet clear what role, if any, the U.S. government will play in investigating the South Korean attack, although the National Security Agency has long called out China among the key foreign governments responsible for such attacks.