From Nadia Short's point of view, cyber identity and attribution on the Internet is "the holy grail." As vice president of strategy and business development at General Dynamics Advanced Information Systems, which supplies products and services to U.S. defense and intelligence agencies, she sees attribution on the Web as critical to fighting cybercrime.
- Nadia Short, Vice president of Strategy and Business Development, General Dynamics Advanced Information Systems
"If we could figure out who is doing harm to us, the deterrent would be much greater," and the number of cyber threats would be reduced, Short said, speaking on a panel at the IT Security Entrepreneurs' Forum at Stanford University Wednesday. "We need to recognize that we need to be putting in place mechanisms to facilitate attribution."
But Jeff Moss, founder and director of the Black Hat security conference, said there's a constitutional right to anonymous political speech in the U.S. He doesn't see any technologies, whether it's DNSSEC or IPV6 that will solve the problem.
"Evading identification is an old game to hackers," Moss said, explaining how they bounce through multiple systems in multiple countries to evade Internet attribution.
Instead of cyber identity, enterprises should focus on applying investigative techniques such as forensic analysis to track down the source of cyberattacks, he said. "You will have to do some hard gumshoe work to figure out who's attacking you," Moss said, adding that investigators can take advantage of the anonymity of the Internet in their work.
Attribution is "probably the number one issue in terms of cyberspace," said Robert Lentz, president of consulting firm Cyber Security Strategies LLC and former CISO for the U.S. Department of Defense. It's a tough, sprawling issue, and privacy advocates are rightly concerned about cyber identity, he said.
"The Internet wasn't built with attribution or non-attribution as a requirement," he noted.
Jerry Archer, CISO at education loan provider Sallie Mae Inc., who jokingly moved to another chair on the stage away from Moss, said the Constitution doesn't provide an express right to privacy. "We might have an express right to freedom of speech, but not privacy," he said.
Innovation in the cyber identity space is needed and is becoming more critical with looming cyber threats, Archer said. He predicted that in the next five to ten years, a nation state or terrorist organization will use the Internet to try to manipulate the U.S. economy. Also, in five to ten years, he added, "we'll have a cyberwar that turns into a shooting war."
Moss suggested that Internet attribution wouldn't be so much of an issue if systems were built to be more resilient. Archer agreed, but Short noted that 100% security is impossible.
"I understand the privacy issues … but we need to recognize that attribution is needed because we need to hold people accountable," she said. "People are trying to break into systems and take things that don't belong to them. We need mechanics to figure out where they came from."
The IT Security Entrepreneurs' Forum is sponsored by San Francisco-based Security Innovation Network (SINET), which aims to increase collaboration between the U.S. private and public sectors. Wednesday's conference was the fourth annual ITSEF.