President Donald Trump signed an executive order Sept 12. that allows sanctions on foreign people and states who interfere in U.S. elections, but government reports and industry experts suggest that task may be difficult.
The order covers foreign attempts to interfere with campaign infrastructure, such as the hacking of voting machines, and any attempt to spread disinformation.
The 2018 intelligence community’s threat assessment warns that the “mid-term elections are a potential target for Russian influence operations.” U.S. officials have said that Russia continues to probe election networks, but they have not yet launched a cyber-campaign similar to their 2016 attacks on the U.S. presidential elections.
Under the executive order, the intelligence community will have 45 days to investigate whether election interference took place. But identifying a foreign government’s malicious activity is no easy task in that amount of time, experts told Fifth Domain.
How attribution works
The process the U.S. government takes to attributing cyberattacks and influence campaigns is not clear. The FBI, the Department of Defense, and the intelligence community have all played a role in investigating hacks on U.S. firms in the past.
Attribution should use a variety of sources taken from different agencies and that information should be coordinated, said Herbert Lin, a senior research scholar at the Hoover Institution. But he said it was difficult to tell how well that current process is taking place because of questions regarding leadership from the White House and President Trump’s attacks on the intelligence community.
Current and former defense and intelligence officials have told Fifth Domain that attributing a cyberattack is not a straightforward task that can be complicated by a series of factors. For example, sometimes attackers leave a false trail in their code to confuse targets.
How to attribute cyberattacks
To improve attribution, cybersecurity professionals suggest strengthening network visibility and boosting resources to identify cyberattacks.
“The process of attribution is a cross between ‘activity that I see on my environment’ and ‘activity that others see,’” Tim Erlin, the vice president of product management at Tripwire, told Fifth Domain “The first step is to expand the scope of data that you can review beyond your environment. For the government, that means cooperation with other countries, tapping into the intelligence network and sensors on the commercial network.”
In at least one way, the U.S. government has done that. The Five Eyes alliance, which consists of four of America’s closest intelligence partners, agreed Aug. 29 to work together to attribute cyberattacks and share information to combat foreign interference.
But Sean Sullivan, a security adviser at F-Secure, said the government could boost attribution through better communication.
“It’s a lot about human relationships so my people can call your people and the incident response team can get in,” Sullivan said. He added that by using managed detection response technology, often a customized program that uses experts and computers to monitor and alert of incoming threats, cyber professionals could give federal and state networks a better indication of real-time cyberattacks.
Government eyes network visibility
But to date, the U.S. government has struggled to gain the tools necessary to attribute cyberattacks.
“Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents,” an Office of Management and Budget report from May read. It said that only 27 percent of agencies can detect and investigate attempts to access large volumes of data. Even fewer agencies test these capabilities, according to the report. “Simply put, agencies cannot detect when large amounts of data information leave their networks, which is particularly alarming."
The gap comes as the Department of Homeland Security has attempted to bolster its continuous diagnostics and mitigation program. The third and fourth phases of the network security program call for greater network visibility and better data protection. The programs capabilities expired in August and are being replaced by a new acquisition strategy.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.