Attribution from Behind the Veil of Ignorance
Unlike your creative writing professor, an entreaty for a suspension of disbelief is not a term of endearment to a cybersecurity practitioner.
In fact, such language in this social clique is downright indecent. But to cyber constructivists like former Director of National Intelligence and the National Security Agency, Mike McConnell, attribution systems prove an exception to the rule.
In a 2010 Washington Post article, McConnell boldly asserted that: “[W]e need to reengineer the Internet to make attribution . . . who did it, from where, why and what was the result – more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies.” Thus, if a new attribution system could indeed be readily implemented, how might it look from a security culture and social justice standpoint?
Because constructivism focuses on understanding the impact of ideas and how actors define their interests and identities in a social system, the article identifies the archetypal interests of six cyber stakeholders against the backdrop of several attribution frameworks. The utility of this approach, as derived from political constructivist philosopher, John Rawls, is that by first understanding the conflicting attribution preferences at both the individual and state level, and then treating all stakeholders as “rational and mutually disinterested” – behind a veil of ignorance – we can arrive at design principles that are predicated on notions of both justice and security.
So, Which Cyber Stakeholder Are You?
To establish granularity, this article draws on the general interests of the following six cyber stakeholders: (1) journalists and researchers (2) law enforcement and the military, (3) criminal entities, (4) activists and whistleblowers, (5) the government and (6) business entities. Whilst this list is not exhaustive, it is nonetheless grounded in a real-world context, for it is partially modeled after the diverse list of actors that Tor has categorized as users of its services.
Having introduced the cast of characters, our focus shifts to setting the stage with the different attribution frameworks and examining the interplay of those interests and identities. The following attribution frameworks were developed by Matthew Bishop, Carrie Gates, and Jeffrey Hunker in The Sisterhood of the Traveling Packets, and serve as the corpus of this cybersecurity thought experiment.
In a perfect attribution system, the so-called “attribution challenge,” simply does not exist. This is because “attributes of both the sender and recipient are known to both,” such that attribution is always knowable in real-time, and at little financial cost to the investigating party. From the perspective of a business entity, this would be desirable condition for conducting commercial transactions online, for a certain level of authentication is required for both contract formation and payment verification purposes. A surveillance state regime would also be a proponent of this model. This is because it amplifies a state’s ability to monitor the online activities of its citizenry, weed out political dissidents and criminals, and also punish those who accessed censored content, or espoused anti-regime rhetoric.
In contrast, this model would likely be most abhorrent to journalists, researchers, whistleblowers, activists, and criminals, for it would strip them of any sense of security and anonymity in their online activities. In terms of the interests of law enforcement and the military, this would require more nuance to explain. On the one hand, perfect attribution would significantly aid law enforcement in apprehending cyber criminals who engaged in acts of computer fraud and abuse, intellectual property theft, or circulating child pornography. On the other hand, the military and intelligence community would be operating at both a tactical and strategic loss. The reason being, it would significantly impede efforts to conduct covert cyber operations, as well as to safeguard the identities of its operatives and informational assets.