FBI director: Forget firewalls, Sabu proves attribution wins domestic cyber war

Defence is good, but old-school surveillance is better.
  • Liam Tung (CSO Online)
  • 01 March, 2013 16:56

In a call to arms aimed at the private sector, FBI director Robert S. Mueller, 11 years into the job, has declared that the war on the new 'terror', cyber, will be won not by better defences but by attribution: identifying the people behind the attacks.

“For two decades, cyber security has focused principally on reducing vulnerabilities—through more complex firewalls, dual-factor authentication, aggressive password policies, and the like,” said Mueller, addressing private sector delegates at this week’s RSA conference in San Francisco.

Mueller repeated his view that “the cyber threat will equal or even eclipse the terrorist threat” and invited the private sector to join the FBI’s cause by sharing more information, both with the Bureau and with each other. Investments in defence technologies were “worthwhile” but not enough, he said.

“We must identify and deter the persons behind those computer keyboards. And once we identify them—be they state actors, organized criminal groups, or 18-year-old hackers—we must devise a response that is effective, not just against that specific attack, but for all similar illegal activity.”

Mueller, the FBI’s director since September 2001, said the war on cyber crime could be won with the same investigative techniques the Bureau has relied on throughout its history, including after September 11: “physical surveillance, forensics, cooperating witnesses, sources, and court-ordered wire intercepts.”

The arrest and subsequent use of US citizen Hector Xavier Monsegur, aka LulzSec’s Sabu, was his proof that those old-school techniques still hold value in cyber investigations.

“We went to arrest him, and we gave him a choice: Go to jail now, or cooperate,” said Mueller, emphasising that Sabu, once a revered hacker, made human mistakes.

The FBI’s Los Angeles Division had collected the IP addresses linked to Sabu’s previous attacks, while its New York Field Office used human sources, search warrants and surveillance to identify and locate the man “behind the keyboard”, who had failed to anonymise his IP address during one of those intrusions. That single lapse in operational security gave investigators the thread they needed to pull.

"Sabu agreed to cooperate, and he became a source, continuing to use his online identity. His cooperation helped us build cases that led to the arrest of six other hackers linked to groups such as Anonymous and LulzSec. It also allowed us to identify hundreds of security vulnerabilities—which helped us to stop future attacks and limit harm from prior intrusions."

Mueller’s comments, presumably limited to domestic cases, come as the US wrestles with identification and attribution of cyber attacks originating outside its borders. A central theme in the response to the recent Mandiant report, which alleged that a hacking group was linked to the Chinese military, was the difficulty of attribution.

Democratic US Senator Dianne Feinstein has said the report was “essentially correct”, while Taia Global founder and CEO Jeffrey Carr has pointed to a number of “critical flaws” in it, notably its mapping of IP addresses to the alleged attackers. That reliance on IP addresses was also the primary reason China’s Defense Ministry rejected the report as baseless: an IP address shows where traffic came from, not who sent it, since attackers routinely relay through proxies and compromised hosts.