[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

                        PLANNING FOR THE FUTURE 
                      OF CYBER ATTACK ATTRIBUTION 



                               BEFORE THE


                        HOUSE OF REPRESENTATIVES


                             SECOND SESSION


                             JULY 15, 2010


                           Serial No. 111-105


     Printed for the use of the Committee on Science and Technology

     Available via the World Wide Web: http://www.science.house.gov

                         U.S. GOVERNMENT PRINTING OFFICE 

57-603 PDF                       WASHINGTON : 2010 



                   HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas
LYNN C. WOOLSEY, California              Wisconsin
DAVID WU, Oregon                     LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington              DANA ROHRABACHER, California
BRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri
BEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York              BOB INGLIS, South Carolina
STEVEN R. ROTHMAN, New Jersey        MICHAEL T. McCAUL, Texas
JIM MATHESON, Utah                   MARIO DIAZ-BALART, Florida
LINCOLN DAVIS, Tennessee             BRIAN P. BILBRAY, California
BEN CHANDLER, Kentucky               ADRIAN SMITH, Nebraska
RUSS CARNAHAN, Missouri              PAUL C. BROUN, Georgia
BARON P. HILL, Indiana               PETE OLSON, Texas
GARY C. PETERS, Michigan

               Subcommittee on Technology and Innovation

                      HON. DAVID WU, Oregon, Chair
DONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska
BEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois
PAUL D. TONKO, New York              W. TODD AKIN, Missouri
HARRY E. MITCHELL, Arizona           PAUL C. BROUN, Georgia
GARY C. PETERS, Michigan                 
JOHN GARAMENDI, California               
BART GORDON, Tennessee               RALPH M. HALL, Texas
                HILARY CAIN Subcommittee Staff Director
        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
            TRAVIS HITE Democratic Professional Staff Member
           MELE WILLIAMS Republican Professional Staff Member

                  VICTORIA JOHNSTON Research Assistant

                            C O N T E N T S

                             July 15, 2010

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative David Wu, Chairman, Subcommittee on 
  Technology and Innovation, Committee on Science and Technology, 
  U.S. House of Representatives
    Written Statement

Statement by Representative Ralph M. Hall, Ranking Minority 
  Member, Committee on Science and Technology, U.S. House of 
  Representatives
    Written Statement by Representative Adrian Smith, Ranking 
      Minority Member, Subcommittee on Technology and Innovation, 
      Committee on Science and Technology, U.S. House of 
      Representatives


Dr. David A. Wheeler, Research Staff Member, Information 
  Technology and Systems Division, Institute for Defense Analyses
    Oral Statement
    Written Statement
    Biography

Mr. Robert Knake, International Affairs Fellow, Council on 
  Foreign Relations
    Oral Statement
    Written Statement
    Biography

Mr. Ed Giorgio, President and Co-Founder, Ponte Technologies
    Oral Statement
    Written Statement
    Biography

Mr. Marc Rotenberg, President, Electronic Privacy Information 
    Oral Statement
    Written Statement
    Biography

              Appendix: Answers to Post-Hearing Questions

Dr. David A. Wheeler, Research Staff Member, Information 
  Technology and Systems Division, Institute for Defense Analyses

Mr. Robert Knake, International Affairs Fellow, Council on 
  Foreign Relations

Mr. Ed Giorgio, President and Co-Founder, Ponte Technologies

Mr. Marc Rotenberg, President, Electronic Privacy Information 
  Center



                        THURSDAY, JULY 15, 2010

                  House of Representatives,
         Subcommittee on Technology and Innovation,
                       Committee on Science and Technology,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:04 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. David Wu 
[Chairman of the Subcommittee] presiding.


                            Hearing Charter



                     U.S. HOUSE OF REPRESENTATIVES

                       Planning for the Future of

                        Cyber Attack Attribution

                        Thursday, July 15, 2010
                         10:00 a.m.-12:00 p.m.
                   2318 Rayburn House Office Building

I. Purpose

    On Thursday, July 15, 2010, the Subcommittee on Technology and 
Innovation will hold a hearing to discuss attribution in cyber attacks, 
and how attribution technologies have the potential to affect the 
anonymity and privacy of internet users.

II. Witnesses

    Dr. David Wheeler is a Research Staff Member of the Information 
Technology and Systems Division at the Institute for Defense Analyses.

    Mr. Robert Knake is an International Affairs Fellow at the Council 
on Foreign Relations.

    Mr. Ed Giorgio is the President and Co-Founder of Ponte 

    Mr. Marc Rotenberg is the President of the Electronic Privacy 
Information Center.

III. Background

Cyber Attacks
    Statistics clearly show that cyber attacks are common and costly. 
Following a recent survey of more than 2000 companies worldwide, 
Symantec reported that 42 percent rated cyber risk as their top 
concern, beating out other risks such as natural disasters, terrorism, 
and traditional crime. Symantec also reported that 75 percent of 
companies reported cyber attacks in the past twelve months and that 92 
percent had seen significant monetary costs, averaging $2 million per 
year per company, as a result of those attacks.\1\
    \1\ Symantec. (2010). 2010 State of Enterprise Security Global 
Results. Retrieved from http://www.slideshare.net/symantec/2010-state-
    A 2004 Congressional Research Service report stated that ``the 
stock price impact of cyber-attacks show that identified target firms 
suffer losses of 1%-5% in the days after an attack. For the average New 
York Stock Exchange corporation, price drops of these magnitudes 
translate into shareholder losses of between $50 million and $200 
million''.\2\ According to a Market Wire article published in 2007, the 
economic impact from one comprehensive cyber attack on critical 
infrastructure could exceed $700 billion.\3\
    \2\ Congressional Research Service. (2004, April 1). The Economic 
Impact of Cyber-Attacks. (Order Code RL32331). Washington, D.C.: 
Congressional Research Service. Retrieved from http://www.cisco.com/
    \3\ ``New Research Shows Cyber Attack Could Cost U.S. 50 Times More 
Than Katrina''. Market Wire. FindArticles.com. 09 Jul, 2010. http://

Role of Attribution Technology
    Being able to identify an attacker can be a strong deterrent 
against attack. During the Cold War, the Soviet Union and the United 
States remained in a nuclear standoff because either country would have 
been able to identify its attacker and stage a counter attack. In 
contrast, if a person, company, or government is attacked in 
cyberspace, it is often arduous--if not impossible--to determine the 
perpetrator of the attack.
    Attribution technologies can be a useful tool in identifying and 
locating the assailant in a cyber attack. In terms of cyber attacks, 
attribution can be defined as ``determining the identity or location of 
an attacker or an attacker's intermediary''.\4\ The attacker's identity 
can include a person's name, account information, or an alias. The 
location may include a geographical location or a virtual location, 
such as an IP address or Ethernet address.
    \4\ David A. Wheeler and Gregory N. Larsen, Techniques for Cyber 
Attack Attribution (Institute for Defense Analyses, IDA Paper P-3792, 
October 2003), p. 1.
    In some cases, attribution technology may simply trace an attack 
back to an intermediary through which the attacker worked. For example, 
an attack can be transmitted via a fleet of `zombies', or computers 
that can both delay and increase the severity of the attack. A 
sophisticated attacker may even be able to hide his or her identity so 
well that those looking for the attacker might falsely attribute the 
attack to an unrelated party. This can be done by an attacker who 
intentionally creates a false trail by sending incorrect data through 
any attribution process. To be effective and useful, new attribution 
technologies will need to have the ability to counter these, and 
future, methods of contravention.
    The December 2009 attack on Google email accounts belonging to 
Chinese human rights activists in the United States, Europe, and China 
demonstrates the need for improvements in attribution technologies. 
Because the attacks showed a new level of sophistication, attributing 
their source has been a particularly difficult process. While the U.S. 
has been successful in tracing the attacks to two technical schools, it 
is still not known who was specifically behind these attacks.
    In addition to helping to gain information about an isolated attack 
on a specific machine or network, successful attribution technologies 
can also be used to increase the security of the internet for people 
accessing personal information online--logging into a personal bank 
account, for example. If an online account required a recognizable IP 
range in addition to a pin code to retrieve account information, the 
ability of a hacker to access the account would be limited.

Anonymity and Privacy
    Complete attribution may have negative ramifications for internet 
anonymity and privacy. For example, dissidents in countries where the 
government censors websites with firewalls may bypass or attack those 
firewalls to access prohibited information. If the government had 
attribution technology that allowed it to completely attribute the 
attack to its firewall, the government might use the information gained 
through attribution to punish dissidents for accessing the information. 
There is also the potential for attribution technologies to be used by 
a government, a company, or individual to identify the source of a 
posting or comment on the internet that is intended to be anonymous.

IV. Issues and Concerns

    As more and more of the Nation's infrastructure becomes dependent 
on the internet, the potential impact of a successful cyber attack 
against the United States increases. Many of the tools we rely upon in 
our daily lives (traffic lights, restocking food supplies, millions of 
office jobs, etc.) have the potential to be rendered non-functional 
through a cyber attack. While attribution technologies may play an 
important role in limiting the effects of such crippling attacks, there 
may need to be clearly defined limits on when such technologies should 
be used. For example, proactively tracing interactions within a system 
may help determine where an attack originated after one occurs, but 
tracing every interaction is impractical and quite likely 
unconstitutional. It may be appropriate, therefore, to limit the use of 
attribution technology in most cases to post-attack.
    A second area of interest is who is, or should be, responsible for 
the development, coordination, and implementation of attribution 
technologies. Even if some critical infrastructure is privately owned, 
the government arguably has a responsibility to its citizens to ensure 
that the infrastructure is protected. Given the interest in ensuring 
that government resources are utilized efficiently, there may be a need 
to strengthen coordination and collaboration between government and 
industry on the development of new attribution technologies in order to 
avoid redundancy and leverage resources.
    There may also be a need to determine the appropriate role of the 
government in responding to cyber attacks on private companies and 
individuals. In general, if a company or individual is physically 
attacked by an outside government, a company, or an individual, it is 
quite likely that the government would step in and defend the attacked 
company or individual. If a company or individual is the victim of a 
cyber attack, it is currently unclear what the government's role is, or 
should be, in responding to the attack.
    Finally, the implications of attribution technologies for the 
anonymity and privacy of internet users should be considered. It may be 
necessary to consider ways to limit the use of attribution technologies 
to identifying the source of cyber attacks, and to use them in ways that 
do not suppress the freedom of speech or otherwise implicate the 
anonymity and privacy of people using the internet for legitimate 
purposes. There may also be a need to determine who (government or 
industry or both) should maintain responsibility for ensuring that 
attribution technologies are used consistently with any identified limits.

V. Overarching Questions

    The following questions were asked of each witness:

        -  As has been stated by many experts, deterrence is a 
        productive way to prevent physical attacks. How can attack 
        attribution play a role in deterring cyber attacks?

        -  What are the proper roles of both the government and 
        private industry in developing and improving attack attribution 
        capabilities? What R&D is needed to address capability gaps in 
        attack attribution and who should be responsible for completing 
        that R&D?

        -  What are the distinguishing factors between anonymity 
        and privacy? How should we account for both in the development 
        and use of attribution technologies?

        -  Is there a need for standards in the development and 
        implementation of attack attribution technologies? Is there a 
        specific need for privacy standards and if so, what should be 
        the government's role in the development of these standards?

    Chairman Wu. The hearing will come to order.
    Good morning, and thank you very much for being at this 
cyber attribution hearing.
    This cybersecurity hearing is one in a series that this 
Subcommittee has held on ways that we can protect our Nation's 
critical cyber infrastructure. Over the last two years, we have 
held hearings on cybersecurity activities at the National 
Institute of Standards and Technology and the Department of 
Homeland Security, as well as on the Administration's 
Cyberspace Policy Review. Just two weeks ago, we had an 
important hearing on the Smart Grid, and spent a great deal of 
time talking about the necessity of developing strong 
cybersecurity standards for our national energy infrastructure.
    We are well aware of the critical role that IT [Information 
Technology] networks play in managing much of our day-to-day 
activity from online banking to systems that make sure there is 
food on our grocery shelves. This growing reliance on networks 
has made us more vulnerable to cyber attacks and has increased 
the potential for such attacks to have far-reaching and 
crippling effects. Now more than ever, we need to be focused on 
the development of tools and technologies to prevent, detect, 
and respond to cyber attacks.
    History shows that one of the best deterrents to an attack 
is the ability to identify your attacker. The question is 
whether such deterrence methods are still relevant today. 
During the Cold War, the United States and the Soviet Union, 
each with quite expansive offensive capabilities, were held in 
check by the notion that an attack would result in retaliation. 
This was achieved because each country would have been able to 
precisely identify its attacker. This method of deterrence, the 
ability to attribute an attack to a particular person, party or 
system, can be equally vital to defending against cyber attack. 
While they are not the end-all solution to our cybersecurity 
challenges, the development of effective and reliable 
attribution technologies should be an essential part of our 
efforts to secure the Nation's cyberspace.
    Given that the Internet is intended to be open and 
anonymous, the attribution of cyber attacks can be very, very 
difficult to achieve and should not be taken lightly. As co-
chair of the Global Internet Freedom Caucus in the House, I am 
personally very concerned about the potential implications to 
privacy, anonymity and Internet freedom posed by attribution 
technologies. As a result, I believe that it is absolutely 
imperative that we define and implement clear restrictions on 
how attribution technologies are developed and used to ensure 
that they are not misused.
    I look forward to today's discussion on attribution 
technologies and how they may help deter cyber attacks. I am 
interested in discussing the proper roles of the Federal 
Government and private industry in the development of these 
technologies, and the research and development that is needed 
to fill capability gaps. I am sure--and I am particularly eager 
to discuss ways to ensure that attribution technologies are not 
used to infringe upon the safety, privacy or individual 
liberties of Internet users.
    I would like to thank the witnesses for appearing before us 
today, and I look forward to our discussion.
    Now I recognize Mr. Hall, the Ranking Member of the Full 
Committee, for his opening statement.
    [The prepared statement of Chairman Wu follows:]
                Prepared Statement of Chairman David Wu
    Good morning and thank you for coming to today's hearing focused on 
interoperability in public safety communication equipment.
    We've learned an important lesson from September 11th, Hurricane 
Katrina, and other disasters: interoperable communication is critical 
to effective emergency response. When time is of the essence and lives 
are at stake, a clear flow of information is essential. Unfortunately, 
it is not uncommon for police officers and firefighters from a single 
region, or even a single city, to be using incompatible communication 
systems. This lack of interoperability has contributed to the deaths of 
first responders and hindered the ability to rescue people in harm's 
    Enabling interoperable communication systems, where public safety 
personnel can talk with each other in real-time, takes planning and 
cooperation by all levels of government. However, interoperability also 
demands radios that are capable of communicating with one another. 
First responders on digital land mobile radio systems built to 
proprietary specifications cannot communicate. Ad-hoc solutions, like 
patching technologies or sharing radios, are less efficient than the 
seamless interoperability offered by systems based on open 
    The purpose of today's hearing is to examine the status of the 
standards development process for this open architecture. Since 1989, 
the public safety community and industry have been working together on 
Project-25, or P25, a suite of standards that will not only enable 
interoperability, but also promote competition in the marketplace for 
digital land mobile radio systems and provide other benefits. While 
there has been a lot of progress on the P25 standards since 1989, the 
entire set of standards remains incomplete. I would like to understand 
the implications of this for public safety agencies procuring systems 
sold as ``P25 compliant'' and get a better sense of when we 
realistically can expect all of the standards to be completed.
    A second issue that we will discuss today is the lack of a formal 
compliance assessment process for the P25 standards. A compliance 
assessment process signals to the purchaser that a product meets all of 
the requirements of a standard. Any laptop with a Wi-Fi logo, or any 
toaster with an Underwriter's Laboratory sticker, had to go through 
testing and certification to be able to display those marks. P25 does 
not have an equivalent process. The Department of Homeland Security's 
Compliance Assessment Program fills this gap, but we must be sure it 
provides the highest possible level of assurance to the public safety 
community that systems sold as P25-compliant actually meet all of the 
requirements of the standards. It seems to me that there ought to be a 
formal, comprehensive system in place to ensure that it is not caveat 
emptor when first responders spend millions of dollars on complex 
communications technology.
    The most important question for the first responders who rely on 
this equipment is ``does it work?'' In addition to being mission-
critical technology, these systems represent major expenditures for 
government agencies across the country. Particularly at a time of 
uncertain and dwindling budgets, cost-effective procurement enabled by 
an open-architecture is essential.
    I'd like to thank our witnesses for being here today. Project 25 is 
unique in the world of standards development in that the users of the 
technology--in this case, our public safety officials--are integral to, 
and directly involved in, the standards development process. It is 
important that this process move forward, and that the public safety 
community and industry continue to work together to make further 
advances in first responder technology.

    Mr. Hall. Thank you, Mr. Chairman, and since you have made 
an excellent opening statement and covered almost everything, I 
can be brief, and I am filling in for the Ranking Member, Mr. 
Smith, and I thank you for calling the hearing on cyber attack 
attribution technologies. I also want to thank our very 
distinguished panel. We rely on you to tell us what the facts 
are, and from that we glean legislation, and don't be disturbed 
by the empty chairs here because they will all receive copies 
of your testimony, and many have received copies ahead of time. 
I have scanned through your testimony. I want to thank the 
panel for being here and ask you to remember that we are not 
technical experts, so keep it as simple as you possibly can. I 
have read some of your testimony and understood a lot of it. 
Ranking Smith is going to be here shortly. In the event it 
takes him longer than expected, I ask unanimous consent that 
his statement be made a part of the record, Mr. Chairman.
    Otherwise I will yield the remainder of my time to him when 
he arrives. Thank you, sir.
    [The prepared statement of Mr. Smith follows:]
           Prepared Statement of Representative Adrian Smith
    Thank you, Chairman Wu, for calling today's hearing on cyber attack 
attribution. Once again this subcommittee will have the opportunity to 
hear from an outstanding panel of expert witnesses, and I thank them 
for taking the time to be with us today.
    With the integration of computing technology into nearly every 
aspect of our professional and private lives--from growing our food to 
managing our electrical grid to tracking every financial transaction no 
matter how small--the threat of a catastrophic attack on the networks 
which manage every sector of our economic and security infrastructure 
has also grown exponentially.
    As we search for effective ways to prevent such an attack, one 
widely discussed means is deterrence through attribution--ensuring 
would-be attackers know any activities would be traced back to them 
with reciprocal action in return.
    The work of tracing such attacks, particularly in the United States 
where the presumption of innocence is sacrosanct and where privacy for 
the innocent is respected, this is easier said than done. This raises a 
number of questions I hope we can address in today's hearing:

        -  What are the best methods for tracing attacks?

        -  What barriers exist, aside from technological ones, to 
        tracing attacks inside and outside our borders?

        -  If we can trace attacks, what is an effective deterrent to 
        prevent them?

        -  And if we can answer the first three questions effectively, 
        what is the role for standards-setting bodies in assisting 
        government and the private sector in reaching those 

    I hope we can also consider the consequences of traceability on the 
overwhelming majority who use computer systems lawfully and whose 
privacy we should respect.
    Before we move on to hearing from our witness, I would like to 
briefly note it is my understanding a follow-up hearing in which we 
hear from NIST, National Science Foundation, and other applicable 
Federal agencies is under consideration, and I would like to offer my 
support for holding such a hearing.
    Thank you again, Chairman Wu and witnesses. I expect we will learn 
a lot today, and I yield back the balance of my time.

    Chairman Wu. Thank you very much, Mr. Hall.
    If there are Members who wish to submit opening statements, 
your statements will be added to the record at this point. And 
I also want to recognize the Chairman of the Full Committee, 
who is in attendance, and Chairman Gordon--very good. Thank 
    Now it is my pleasure to introduce our witnesses. Dr. David 
A. Wheeler is a Research Staff Member of the Information 
Technology and Systems Division at the Institute for Defense 
Analyses. Mr. Robert Knake is International Affairs Fellow at 
the Council on Foreign Relations. Mr. Ed Giorgio is the 
President and Co-Founder of Ponte Technologies. He also has 
over 30 years of security experience at the National Security 
Agency, or NSA, and is a leading authority on security and 
cryptography, and I want to recognize that Mr. Giorgio is also 
wearing a Distinguished Service Medal awarded by the NSA. And 
our final witness is Mr. Marc Rotenberg, who is the President 
of the Electronic Privacy Information Center, or EPIC, and at 
our prior hearing on grid security, one of your vice presidents 
provided very, very interesting, elucidating comments.
    You will each have five minutes for your spoken testimony, 
and your written testimony will be included in the record of 
this hearing. When you all complete your testimony, we will 
begin with questions, and each Member will have five minutes to 
question the witnesses.
    Dr. Wheeler, please proceed.

                        DEFENSE ANALYSES

    Dr. Wheeler. Mr. Chairman, distinguished Members of the 
House Subcommittee on Technology and Innovation and the 
Committee on Science and Technology, I am delighted to speak 
with you today. As noted, my name is Dr. David A. Wheeler. I 
work at the Institute for Defense Analyses, also known as IDA. 
IDA is, and I quote, ``a nonprofit corporation that operates 
three federally funded research and development centers,'' or 
FFRDCs. These FFRDCs provide objective analyses of national 
security issues, particularly those requiring scientific and 
technical expertise, and they conduct related research on other 
national challenges.
    In 2002 and 2003, I developed a survey of cyber attack 
attribution technologies on behalf of the Department of 
Defense, DoD. This survey has been provided to this 
Subcommittee and is also available to the public from the 
Defense Technical Information Center as IDA paper P-3792, 
Techniques on Cyber Attribution. Attribution in this context is 
determining the identity or location of an attacker or an 
attacker's intermediary. Since writing that paper, I have 
worked on improving the security and assurance of systems, 
lowering supply chain risks, improving open standards and 
eliminating barriers to the use and development of open source 
    It is good that this Subcommittee is examining the 
relationship between attribution, privacy and anonymity. As I 
noted in my paper, we should be concerned if attribution 
technologies developed in democracies are acquired and 
redeployed by governments with abusive human rights records to 
suppress freedom of speech and democracy movements.
    Apart from any concern of abuse by foreign governments, the 
use of these techniques by our government requires 
consideration of the Fourth Amendment's guarantee that people 
must be secure against unreasonable searches and seizures. 
Section 3.13 of my paper specifically discusses the need to 
protect privacy and freedom of speech. With that as context, I 
will address the overarching questions in this hearing's 
    The first question asked about the role of attack 
attribution in deterring cyber attacks. It noted that 
deterrence is a productive way to prevent physical attacks. In 
a similar way, cyber attack attribution can play an important 
role in deterring cyber attacks by enabling many deterrence 
measures. While there is great need to harden U.S. 
infrastructure from cyber attacks, passive computer network 
defenses cannot be and never will be perfect. This means that 
in some cases we may need to be able to respond to an attack. 
Unfortunately, many other countermeasures such as computer 
network counterattack, legal action and kinetic energy 
counterattack can only be deployed if the source of the attack 
can be attributed with high confidence.
    The second question asked what roles that government and 
private industry should play. As of 2003, there was little 
evidence that the commercial sector was willing to shoulder the 
costs to develop attribution capabilities. Most commercial 
companies appear to view identifying attackers as a law 
enforcement or military task, not a commercial one. If the 
government wants the ability to attribute attacks, in many 
cases the government may need to pay for it directly. One 
approach is to fund development and deployment of these 
abilities for widely used applications both proprietary and 
open source software. More than one product in each category 
should be funded, so that the government is not locked into a 
single supplier.
    The third question asked for the distinguishing factors 
between anonymity and privacy and how to account for both in 
the development and use of attribution technologies. As I noted 
in my paper, if the United States is to develop attribution 
technology, it should encourage the development or 
implementation of those attribution technologies that pose less 
danger to privacy. For example, logging systems could store 
message hashes, also known as message fingerprints, instead of 
the messages themselves. Since the data isn't stored, hashing 
only supports attribution of data the requester has already 
seen. A key part of implementing attribution technologies with 
few risks to privacy and anonymity is to ensure that any 
standards development related to attribution should include 
efforts to address these privacy and anonymity concerns.
    This brings me to the issue of standards, the focus of the 
fourth question. Standards are critically necessary for some 
attribution technologies, and the standards development process 
should work to address these privacy and anonymity concerns 
through public development and review. Such standards should be 
open standards to permit competition; in particular, they 
should be publicly defined and held and shouldn't be patent-
encumbered. This suggests that the U.S. government should be 
involved in the development of such standards to ensure that 
its needs and concerns are met, just as the government is 
already involved in the development of standards where there 
are specific government needs and concerns.
    I will be happy to address your questions.
    [The prepared statement of Dr. Wheeler follows:]
                 Prepared Statement of David A. Wheeler
    It is an honor to provide testimony to you. Please consider the 
attached paper, ``Techniques for Cyber Attack Attribution'' (IDA Paper 
P-3792) as my written testimony. This paper discusses techniques for 
cyber attack attribution, including notes about the relationship of 
attribution to privacy.


                     Biography for David A. Wheeler

    Dr. David A. Wheeler has been in the computing field since 
1980, and is an expert on computer security, open source 
software, open standards, and software development approaches. 
He has worked at the Institute for Defense Analyses (IDA) since 
    As part of his work in computer security, Dr. Wheeler led 
the development of ``Key Practices'' guidance to perform supply 
chain risk management in the U.S. Department of Defense. He is 
co-author of the DoD/NDIA document ``Engineering for System 
Assurance.'' He has written a book (``Secure Programming for 
Linux and Unix HOWTO''), written various articles (including 
the ``Secure Programmer'' series), and given many presentations 
on how to develop secure software. His Ph.D. dissertation, 
``Fully Countering Trusting Trust Through Diverse Double-
Compiling,'' proves and demonstrates that the ``Diverse Double-
Compiling'' (DDC) process (a process he named) counters the 
``trusting trust'' attack. The trusting trust attack is a 
computer attack that previously had no effective 
countermeasure. He is also the author of an IDA report 
surveying how to attribute cyber attackers, ``Techniques for 
Cyber Attack Attribution.''
    Dr. Wheeler lectures worldwide as an invited expert on open 
source software and/or security, including in Belgium, Brazil, 
Saudi Arabia, and numerous times in the U.S. As part of his 
work in open source software, he helped develop the official 
DoD memo ``Clarifying Guidance Regarding Open Source Software 
(OSS)'' and was the primary author of the supporting document 
``DoD Open Source Software (OSS) FAQ.''
    Dr. Wheeler has been involved in many efforts related to 
open standards. He represented the Missile Defense Agency (MDA) 
in the development of the DoD Information Technology Standards 
Registry (DISR), formerly named the Joint Technical 
Architecture (JTA). He also initiated and led development of 
OpenFormula, an open standard for the interchange of 
spreadsheet formulas which is planned to be part of the 
OpenDocument standard (ISO/IEC 26300).
    Dr. Wheeler has long been involved in efforts to improve 
software development approaches and technology. For example, he 
led the evaluation of software development processes and 
software development environments across missile defense 
programs. He is the lead editor and co-author of the IEEE 
Computer Society Press book ``Software Inspection: An Industry 
Best Practice'' and is the sole author of Springer-Verlag's 
book ``Ada 95: The Lovelace Tutorial.'' His more recent work 
has focused on how to change software development practices to 
improve the security and assurance of the resulting software.

    Chairman Wu. Thank you very much, Dr. Wheeler.
    Mr. Knake, please proceed.


    Mr. Knake. Thank you, Chairman Wu and distinguished Members 
of the House Subcommittee on Technology and Innovation for the 
opportunity to discuss the role of attack attribution in 
preventing cyber attacks. My name is Rob Knake. I am an 
international affairs fellow at the Council on Foreign 
Relations where I have spent the last year studying state 
conflict in cyberspace, so I will focus my comments on the 
attribution problem at that level first.
    It is my view that the problem of attribution has been 
largely overstated. For the high-end threats that my work is 
focused on, attribution will almost certainly be possible due 
to the limited number of actors that possess the capability to 
present a national security challenge in cyberspace. While we 
have all heard tales of teenagers with laptops sending viruses 
across the Internet, these sorts of threats do not amount to a 
national security concern and cannot cause the type of havoc 
that many envision a cyber attack can. Estimates vary, but 
analysts who have studied the capabilities of both foreign 
governments and private groups have concluded that no more than 
100 groups and possibly as few as four foreign militaries 
possess the capability to cause real-world harm through cyber 
attacks. Moreover, such an attack would take significant 
investments of both time and money and teams of highly skilled 
specialists. While technical attribution may only provide 
limited evidence of who was behind the attack, traditional 
intelligence and law enforcement investigation can make up the 
difference. I have no doubt that in the event of a so-called 
cyber Pearl Harbor, cyber 9/11 or cyber Katrina, that we will 
be able to amass enough evidence for the President to take 
    For lower-level threats, everything from nuisance behavior 
like spam to cyber criminal activity, many in the cybersecurity 
community have viewed the development of ironclad attribution 
in real time as the Holy Grail. In one widely discussed 
scenario, all packets could be labeled with a unique identifier 
that would tie it to an individual, a so-called license plate 
for the Internet. It is my view that such a concept would be 
far more useful for authoritarian regimes to monitor and 
control Internet use by their citizens than it would be in 
combating cyber warfare, crime and nuisance behavior. Criminals 
would find ways around this tracking mechanism while average 
users would experience a near-total loss of privacy. Moreover, 
such attribution would in no way force noncooperative regimes 
to cooperate in investigating cyber crimes.
    As the title of my written testimony suggests, instead of 
focusing on attribution, we need to move to accountability in 
cyberspace. Noncooperation in investigating international cyber 
attacks should be taken as a sign of culpability. States must 
be held responsible for securing their national cyberspace and 
should have an obligation to assist when their citizens or 
systems within their country are involved in a cyber attack.
    Chinese government officials will often protest and lay the 
blame their country receives in the western press for cyber 
espionage against both government and corporate attacks by 
suggesting that the systems the attacks are traced to are 
simply compromised proxies that have been used to mask the 
identity of the real attackers. They will also suggest that 
systems in their country are used just disproportionately in 
these attacks because of the poor state of cybersecurity due to 
the widespread use of pirated software and low installation 
rates for even the most basic software security. This scenario 
may very well be plausible but even if true, I would argue that 
it is no longer an acceptable excuse. We need to move to a 
situation in which countries not only assist in investigating 
but also have mechanisms in place to shut down systems that are 
controlling attacks or participating in botnets. Failure to 
assist should be treated as complicity.
    Let me conclude with a comment on the issue of deterrence. 
Much ink has been spilled trying to make the Cold War construct 
of deterrence applicable in cyberspace but I believe the 
results of these efforts are unpersuasive. Deterrence during 
the Cold War was predicated on mutual assured destruction. 
While better attribution can let us know who is attacking us, 
most potential adversaries do not have as heavy reliance on 
network technologies in their industries, government or 
militaries. Thus, in order to retaliate in any significant way, 
we would be forced to escalate out of the cyber domain and 
conduct kinetic attacks. That is not a situation we want to be 
in, and the threat to do so may be perceived as incredible, 
thus limiting its deterrent factor. Instead, we need to focus 
on improving our defenses and making investments to secure our 
portion of cyberspace.
    Thank you very much.
    [The prepared statement of Mr. Knake follows:]
                 Prepared Statement of Robert K. Knake

Untangling Attribution: Moving to Accountability in Cyberspace

    Chairman Wu, Ranking Member Smith, and distinguished members of the 
House Subcommittee on Technology and Innovation, thank you for the 
opportunity to discuss the role of attack attribution in preventing 
cyber attacks and how attribution technologies can affect the anonymity 
and the privacy of Internet users. In your letter of invitation, you 
asked me to address the following series of questions:

        1.  As has been stated by many experts, deterrence is a 
        productive way to prevent physical attacks. How can attack 
        attribution play a role in deterring cyber attacks?

        2.  What are the proper roles of both the government and 
        private industry in developing and improving attack attribution 
        capabilities? What R&D is needed to address capability gaps in 
        attack attribution and who should be responsible for completing 
        that R&D?

        3.  What are the distinguishing factors between anonymity and 
        privacy? How should we account for both in the development and 
        use of attribution technologies?

        4.  Is there a need for standards in the development and 
        implementation of attack attribution technologies? Is there a 
        specific need for privacy standards and if so, what should be 
        the government's role in the development of these standards?

Attribution's Role in Deterring Cyber Attacks
    Let me begin by stating my view that the utility of deterrence in 
cyber security may be limited and that the problem of attribution has 
been over-stated for the high end threats that represent a challenge to 
our national security. In its classic usage, deterrence is the idea of 
using fear of reprisal in order to dissuade an adversary from launching 
an attack. For deterrence to work, it is critically important that we 
know who has carried out the attack and thus attribution is a central 
component of deterrence strategy. I believe it may be too broad to view 
deterrence as a productive way to prevent all kinetic attacks. 
Deterrence was the central concept in preventing a nuclear exchange 
between the United States and the Soviet Union during the Cold War. It 
is not, however, a central part of U.S. strategy to prevent terrorist 
attacks and its importance in preventing conventional military attacks 
is more limited than in the nuclear case. During the Cold War, 
deterrence of the use of nuclear weapons was created through the 
establishment of ``Mutually Assured Destruction'' or MAD, in which both 
the United States and the Soviets understood that any use of nuclear 
weapons would be responded to in kind. The threat of total annihilation 
kept both sides at bay. Radar and other warning systems provided the 
mechanism for attributing any nuclear attack and possession of a second 
strike capability that could provide a nuclear response even after a 
successful Soviet launch kept the threat of retaliation credible. 
Equally important, however, was symmetry.
    The Soviets as rational actors did not want to see the loss of 
their cities, industry, and regime in a retaliatory nuclear strike. As 
long as we had the ability to hold these assets under threat, a Soviet 
strike against us would not be to their advantage. Such parity does not 
exist in cyberspace. Attribution may be a secondary problem to the lack 
of symmetry. Many countries that possess sophisticated offensive 
capabilities do not have extensive societal reliance on the Internet or 
networked systems. If attribution could be achieved, deterrence might 
not follow because a state conducting an attack in cyberspace may have 
little to lose through retaliation. The logical solution to this 
problem is to threaten retaliation through diplomatic or kinetic means 
outside of cyberspace, responses that could range from the imposition 
of sanctions to airstrikes. Thus far, despite the onslaught of attacks 
in cyberspace, no country has chosen to escalate their response outside 
of cyberspace. Moreover, it may be difficult to achieve proportionality 
in response to a cyber attack through other means. Deterrence may 
simply not be a useful concept to address our current state of cyber 
    If deterrence is to be a central part of our cyber security 
strategy, I believe it is essential that we can answer three questions: 
First, what degree of certainty in attribution is necessary to take 
action? Second, what would that action look like? Third, how will we 
make potential adversaries understand the answers to these questions 
prior to an incident so that they will be deterred? To begin, I think 
it is important to break down the attribution problem in cyberspace. 
There are three broad categories of attack that have their own distinct 
attribution problem. The first attribution problem, the one on which 
most attention is focused is the attribution problem for attacks 
carried over the Internet. These attacks are difficult to deter because 
of the underlying architecture of the Internet, the lack of security on 
many hosts, and because the individuals or teams carrying out these 
attacks can do so remotely, from the safe confines of a non-cooperative 
country. The second attribution problem is for cyber attacks that are 
not carried over the Internet. Potentially, many of the most dangerous 
forms of cyber attacks will be carried out against systems that are not 
connected to the internet through other delivery mechanisms including 
attacks using microwave or other radio transmissions, thumb drives, and 
other portable media like CDs and DVDs. For these attacks against well-
defended military and industrial systems, the attribution problem is 
similar to the attribution problem for kinetic attacks and can be 
addressed through real world forensics, investigation, and 
intelligence. Finally, there is the problem of attribution for the 
introduction of malicious code in the supply chain for hardware and 
software. The threat to the supply chain may be the area of most 
concern today, yet the attribution problem for the insertion of 
malicious content into software and hardware is no different from a 
traditional investigative challenge to identify the opportunity and the 
motive for inserting malicious content (see Figure 1 for a visual 
representation of these challenges).


Figure 1: The Attribution Problems

    With the exception of flooding attacks, all other forms of 
Internet-based cyber attack require two way communication between the 
attacking computer and the victim computer. Sophisticated adversaries 
will take steps to obfuscate their true location and identity through 
the use of proxy systems, whether they are compromised computers or 
anonymization services or both. Despite these precautions, trace back 
techniques and digital forensics can provide the technical means to 
allow the attackers to be discovered. The barriers to the use of these 
techniques are more legal than technical, due to international 
boundaries and non-cooperative countries. If we break down the various 
threats carried over the Internet, the scope of the attribution problem 
can be brought into focus and different solutions for managing each 
threat begin to emerge.
    Attacks can be divided into the following categories ordered by the 
threat they pose: cyber warfare, cyber espionage, brute force attacks, 
crime, and nuisance. For each of these, both the attribution problem 
and the issue of response are different. For the highest level threat, 
that of cyber warfare, the attribution problem is largely overstated. 
As with other Internet based attacks, technical attribution may be 
difficult and the forensics work will take time, but at present there 
are a limited number of actors that are capable of carrying out such 
attacks. Moreover, the resources, planning, and timeline for such 
attacks would provide many opportunities to identify and disrupt such 
attacks. Estimates vary, but on the low end, many experts believe that 
only four countries possess the capability to carry out a catastrophic 
attack in cyberspace, the so-called Cyber Pearl Harbor, Cyber 9/11, or 
Cyber Katrina. On the high end, up to 100 state actors and private 
groups closely affiliated with state actors may have the capability. No 
matter which estimate is accurate, this is a fairly small list of 
suspects that can be narrowed down through technical means, as well as 
out of band methods that include intelligence, analysis of capabilities 
and analysis of intent. If not already a priority, U.S. intelligence 
agencies should be focused on identifying actors with high-level 
capabilities and understanding their intentions. While it has become a 
truism that hacking tools can be downloaded off the Internet and used 
by an individual with little or no technical skills, these tools do not 
pose the kind of threat that could cause widespread destruction. If the 
operators of critical systems cannot defend against such attacks, they 
are not taking the threat seriously. As the relevant technologies 
continue to evolve, it is important that the difficulty in carrying out 
significant attacks increases. Our critical industries, military and 
government agencies must continue to raise their defense levels in 
order to keep the ability to cause destruction in the hands of a 
limited number of state actors.
    In the event of a catastrophic cyber attack, attribution to at 
least some level will almost always be possible. The question becomes 
to what level of certainty must attribution be demonstrated in order 
for the President to take action? At the lowest level, attribution that 
traces an attack back one hop can provide the foundation for further 
investigations. If that first hop is in a non-cooperative country that 
is unwilling to assist in the investigation, that may be enough 
evidence to hold that country accountable. As with the 9/11 attacks 
when the Taliban refused to turn over Osama Bin Laden, it may be 
appropriate under such circumstances to hold a non-cooperative country 
accountable, a concept I will return to later in this testimony.
    On the issue of espionage, the capability necessary for network 
exploitation is generally lower than that required for destructive 
attacks, particularly in the realm of economic espionage where private 
sector companies are targeted. What we lack is not so much an ability 
to attribute attacks, but international norms that keep espionage 
limited. Espionage is generally recognized to be permissible under 
certain circumstances and many scholars will argue that it has a 
stabilizing effect on the international system by reducing paranoia. As 
has been recently demonstrated by the discovery of a Russian spy ring 
in the United States, engaging in espionage is not necessarily 
considered a hostile act and can be resolved without further 
escalation. The challenge with cyber espionage is that we lack norms 
that limit the extent to which states engage in it. This problem is 
exacerbated by the fact that cyber espionage is not constrained by the 
costs, consequences and limitations of traditional espionage.
    By way of example, consider the case of Robert Hanssen, a former 
FBI agent who spied for the Soviets and then the Russian Federation for 
over two decades. Over that period, Hanssen smuggled several hundred 
pages of classified material to the Russians, who paid him several 
hundred thousand dollars and maintained a network of handlers in order 
to run this operation. Hanssen paid a heavy price for his betrayal. Having 
been sentenced to life in prison, he spends 23 hours a day in solitary 
confinement at a Supermax Facility and is addressed by the guards only 
in the third person (``the prisoner will exit the cell.'') The American 
spies he betrayed inside Russia were not so lucky. Most were executed. 
During the Cold War, spying had consequences. Now, according to public 
media reports, foreign intelligence agencies have exfiltrated several 
terabytes of information from U.S. government systems.
    Whatever country or countries are behind this espionage campaign, 
the people who are carrying it out are working safely from within the 
borders of their own country at little risk of being discovered or 
imprisoned. The low cost and low risk of cyber espionage is the 
problem, not the difficulty in attributing the source of the activity. 
If ironclad proof emerged of who was behind an incident of cyber 
espionage, what would the U.S. response be, particularly given the 
likely intelligence advantages that the United States gains from cyber 
espionage? It may be time that we recognize cyber espionage to be a 
different phenomenon from traditional espionage, one that requires a 
different set of norms and responses. I doubt, however, that we lack 
sufficient certainty of who is behind these campaigns that we are 
limited in our response simply because we do not know who is carrying 
them out.
    Brute force attacks, so called distributed denial of service 
attacks or DDOS attacks, do present a specific technical attribution 
challenge. During these attacks, compromised systems formed into a 
botnet flood targets with large numbers of packets that do not require 
the targeted system to respond. The malware behind these attacks will 
provide false information on the source of the packets, so that the 
machines sending the packets cannot be identified. This particular 
problem is due to the trusting nature of the internet protocol which 
does not provide any security mechanism to keep this information from 
being falsified. To deter DDOS attacks, it may be necessary to 
strengthen the Internet Protocol so that attacks can be traced to the 
computers that are part of the attacking botnet, and from there to the 
command and control servers and potentially to the botnet master 
himself. It may be equally productive to simply locate compromised 
computers participating in the attack and shut these down.
    For crime, the goal of attribution is to aid in investigation and 
result in criminal prosecution. Attribution is therefore necessary in 
the first instance to direct where an investigation should be targeted 
and for this first step, attribution needs to rise to the level 
sufficient for `probable cause' to initiate the investigation. This 
first level of attribution may only need to lead to a system, not to an 
individual and an IP address is often times all that is sufficient. In 
turn, the investigation will need to establish attribution to an 
individual or group of individuals for the purpose of prosecution. For 
prosecution to be successful, attribution will need to rise to the 
level of guilt beyond a reasonable doubt. In between, there is the 
potential to pursue criminals through civil litigation, in which case 
the standard for attribution would be lower, and guilt would be 
assigned based upon a preponderance of the evidence. The problem is 
that currently, many countries lack both the legal framework and 
resources to pursue cybercrimes committed by their citizens or that use 
systems within their territory that target victims in another country. 
Even crimes committed by individuals in the United States against 
individuals in the United States will make use of intermediary systems 
in other countries, particularly those that are not likely or able to 
cooperate with an investigation. What is needed to deal with the 
problem of crime is not better attribution but stronger legal 
mechanisms for working across international borders, the ability to 
shut down attacks as they are taking place, and more investigative 
resources. Ultimately, there must be penalties for states that do not 
cooperate in investigations and do not take steps to secure their 
portion of cyberspace.
    For nuisance attacks, attribution is rarely a problem. The problem 
is that few if any investigative resources are assigned to cyber 
criminal activity that does not have a high monetary value associated 
with it. This is a situation in which the impact of the crimes 
committed is fairly low but the resources necessary to address them are 
high given the volume of the problem. As an example, look at the 
problem of SPAM. The 2003 CAN-SPAM Act requires spammers to provide 
accurate header information and to provide an opt-out method for 
recipients so they can choose not to receive future methods. Yet nearly 
a decade later, SPAM is flourishing as 9 out of 10 emails are SPAM. For 
most of these messages, the organization that sent the message is 
identifiable because they are selling a product. What we lack is an 
enforcement method that fits this problem, one that is focused on 
stopping the nuisance behavior rather than prosecuting those who are 
behind it. Similarly, nuisance level network attacks, the type that can 
be initiated through downloads off the Internet, are rarely 
investigated and prosecuted yet they distract system administrators and 
computer response teams from higher level threats. Investigating and 
prosecuting more of this behavior could deter many of the people who 
engage in it.
    For most of these threats, the challenges are not so much related 
to attribution as they are to resources and international cooperation. 
Focusing on deterrence may simply be the wrong way to think about how 
to handle these problems. The threats are materializing every day, 
making the abstract theorizing that laid the foundation for deterrence 
in a nuclear confrontation unnecessary. They are also, in every 
respect, a lower level concern that in no way threatens the existence 
of the United States. Instead we should focus in two areas. We need to 
reduce the scale of the problem by stopping threats as they unfold and 
by reducing the vulnerabilities that the threat actors make use of in 
their attacks. An investigative and enforcement approach to all 
problems is simply not tenable. Instead of trying to trace every 
incident back to a human user, we need to develop a legal framework for 
stopping attacking systems. We must move beyond treating intermediary 
systems as victims, and start viewing them as accomplices. In the 
United States, such a framework could require ISPs to monitor their 
network for compromised systems that have become parts of botnets and 
quarantine those systems until the problem is resolved. Similarly, we 
need mechanisms that allow companies or individuals that are under 
attack and have traced the attack to a system or systems to request for 
those systems to be shut down. This process needs to take place quickly 
and mechanisms must be developed to authenticate such requests across 
international borders. Such a framework, if developed in the United 
States, could be promoted as a global model.
    For higher end threats, there are lessons we can learn from the 
last decade of dealing with terrorist threats. The key is to move 
beyond the search for perfect attribution and instead hold states that 
do not cooperate accountable. Currently, the situation can be summed up 
like this. When an attack is traced to another country that is not 
cooperative, the investigation dead ends. If that country is Russia, 
Russian authorities will typically say that the incident was carried 
out either by patriotic hackers or cyber criminal groups that the 
Russian government cannot control. If that country is China, Chinese 
officials will point out that China is often the victim of cybercrime 
and that due to the poor security on many Chinese systems, they are 
often compromised in an effort to cast blame on China. In both cases, 
national sovereignty will be raised to explain why cooperation cannot 
be more forthcoming.
    To move beyond this stalemate, the United States should make public 
a position that treats failure to cooperate in investigating a cyber 
attack as culpability for the attack. Countries should know that they 
can choose to have the incident treated as a law enforcement matter by 
cooperating in the investigation or choose not to cooperate and have 
the incident treated as a hostile attack for which their country will 
be held accountable. Over the last decade the concept of state 
sovereignty has evolved so that sovereignty not only comes with rights 
in the international system but also responsibilities. The evolution of 
this concept is due to events in one of the least wired parts of the 
world: the Hindu Kush.
    In 1999, Michael Sheehan, the U.S. Ambassador at Large for 
Counterterrorism delivered a demarche over the phone to the Taliban's 
foreign secretary. The message was clear: as long as the Taliban 
continued to harbor and support al Qaeda and its leaders, the United 
States would hold the Taliban responsible for any al Qaeda attacks 
against the United States or other countries. To drive home the point, 
Sheehan used an analogy. He told the Taliban's representative: ``If you 
have an arsonist in your basement; and every night he goes out and 
burns down a neighbor's house, and you know this is going on, then you 
can't claim you aren't responsible.'' The United States made good on 
Ambassador Sheehan's word after 9/11, and as the international 
community attempts to address failed states that cannot control their 
borders or police their internal territory, this new concept of 
sovereign responsibility is taking hold.
    Applying this new concept of sovereignty to cyberspace has its 
merits. As with al Qaeda in Afghanistan, failure of a state to prevent 
its territory from being used to stage an international cyber attack 
should not, in and of itself, constitute a violation of state 
responsibility. Indeed, a world in which states monitor and constrain 
citizen activities to prevent crimes before they take place would be a 
very frightening world. What is crucial, however, is how states respond 
when confronted with the use of systems within their territory for 
cyber attack. If the Taliban had responded to requests to turn over bin 
Laden, the invasion of Afghanistan might never have occurred. Based on 
this new paradigm of sovereignty, states should be expected to pass 
laws making international cybercrime illegal and enforce them. They 
should have mechanisms in place to respond to international requests 
for assistance and they should have some ability to oversee the hygiene 
of their national networks. Better attribution through post-incident 
forensic techniques will be a crucial part of this new paradigm, but 
the development of ironclad attribution will not necessarily lead to 
better security in cyberspace.

The Role of Government and Private Industry in Improving Attack 
    In order to improve attack attribution, there are many things that 
can be done with current technology. The most crucial is for both 
government and private industry to do a better job detecting 
significant threats, mitigating them quickly, and capturing evidence 
that can be used by law enforcement for investigative purposes. 
Forensic techniques are getting better, but there are genuine civil 
liberties concerns with them getting too good.
    The vision of perfect attribution can best be summed up as the idea 
of giving packets license plates. Under such a system, compromised 
systems or other proxies could not be used to hide the identity of 
attackers because each packet would be labeled with a unique 
identifier, possibly an IPv6 address that has been assigned to an 
individual after having that individual's identity authenticated in 
some verifiable way. Access to the network would require 
authentication, and each packet produced by the user would be traceable 
back to that user. The privacy implications of such a system would be 
obvious, turning the Internet into the ultimate tool of state 
surveillance. The security benefits for pursuing criminals and state 
actors, however, would be minimal. Without cooperation from all foreign 
states, criminal activity will simply gravitate to states that do not 
authenticate identity before issuing identification numbers or choose 
not to participate in the system at all. Many states benefit 
tremendously from cybercrime, both directly through the cash it brings 
into economies, and indirectly through the bolstering of technology 
development through the theft of intellectual capital. Moreover, for 
less capable states, cybercrime provides the necessary cover of 
darkness for espionage to take place. By cracking down on cybercriminal 
groups, the activities of state actors would stand out starkly. 
Ultimately, such a system would restrict the freedom and privacy of 
most users, while doing little to curb criminal elements or state 
actors who would find ways around the system.
    As a baseline of what we should expect from digital forensics, it 
may be instructive to look at the role forensics plays in the real 
world. Many people have become familiar with modern forensics 
techniques through the popular series CSI and its spinoffs, television 
shows about real-world crime scene investigators. Each episode begins 
with a body. The crime scene investigators come in and walk the scene 
collecting forensic evidence and then take it back to the lab and 
process it for clues. This activity takes us to the first commercial 
break in an hour-long drama. The forensics have yielded clues about who 
the victim was, how he or she was killed, and possible attributes of 
the killer. Then the detective work begins. The detectives try and 
establish a motive. They delve into the past of the victim. They ask 
themselves who would have wanted the victim dead? They ask a lot of 
questions of a lot of people. On television, this process is packed 
into an hour. In the real world it can take days to weeks, months and 
    Cyberspace isn't so different from the real world. We have digital 
forensic tools and trace-back techniques that, in the latest incident 
with Google, allowed the company to conclude that the attacks emanated 
from China. We can't know more than that without some good old-
fashioned investigative work but we can ascertain motive based on what 
systems were infiltrated and what data was stolen. We can narrow down 
the list of possible suspects by geography. We can further narrow down 
the set by capability. Only so many people in the world have the 
ability to put together the kind of code used in the hack. We also know 
whoever built the exploits wasn't working alone. That's enough leads to 
get an investigation going in the real world, and it is also enough in 
    While the Google case illustrates the attribution ``problem'', it 
also illustrates the need for Internet Freedom, something the Chinese 
government is trying to erode. Our law enforcement community might want 
ironclad attribution on the Internet to combat cyber crime, but the 
Chinese government and other authoritarian states want it to combat 
speech. We may want to know who carried out the hacking of Google but 
we also want to protect the identity of anonymous posters in online 
forums about Chinese human rights.
    Creating the perfect surveillance state online is within our 
technical means. In real-world equivalents, we could label each packet 
with its digital DNA, tying it to a single real-world person, and 
recordings of everything that goes on so we can play back the tape. But 
cyberspace isn't so different from the real world, especially since 
more and more of what we used to do by walking we now do online. If we 
don't want to live in a surveillance society out here, we also do not 
want to live in one in cyberspace. The tools for digital forensics are 
getting better. We don't want them to get too good. What the Google 
incident really demonstrates isn't a technical problem; it's a legal 
and diplomatic one. We lack norms for acceptable behavior by states in 
conducting espionage online and we lack agreements between states to 
partner in pursuing cross-border cyber criminal activity. Better 
surveillance wouldn't solve that problem.
    In two narrow areas, government and private sector technology 
companies should collaborate to improve two of the basic protocols that 
govern internet transactions. First, government and industry must work 
together to develop a secure version of the basic internet protocol 
that authenticates the ``from'' information contained in packet 
headers. In distributed denial of service or DDOS attacks that do not 
require the return of information, the ability to supply false sender 
information makes it difficult to trace and block such attacks. 
Similarly, the underlying protocols for sending email allow an 
individual to spoof the identity of a sender so that someone with 
malicious intent can send email appearing to be from a bank, a friend, 
or a work colleague. This weakness is typically exploited in social 
engineering attacks in order to get the recipient to click on a link 
that will download malware or send back sensitive information. These 
problems are well known and well documented. After more than two 
decades, I believe it is safe to conclude that the informal, consensus-
based processes used by the Internet Engineering Task Force to develop 
and adopt new protocols will not solve these problems. The Federal 
Government must step in, lay out the challenge, and lead the 
development and adoption of protocols that solve these problems. An 
``X-prize'' strategy might prove useful in this context.

Privacy and Anonymity in Resolving Attack Attribution
    In the early days of the Internet, anonymity was how privacy was 
obtained when online. As a general trend, anonymity on the web is 
eroding for most users due to the interactive nature of current web 
content but new ways of protecting privacy have not developed, at least 
not for the average user. In terms of protecting privacy, anonymity is 
only useful in a ``web 1.0'' context. In the web 1.0 era, users were 
passive recipients of information posted to the web. Anonymity on the 
web is still useful for accessing information that you do not want 
others to know you have accessed, whether it be pornographic material 
or information on democracy if you live under an authoritarian regime. 
Increasingly, however, access to information is not what the Internet 
is being used for. Managing health records and finances and 
communicating online cannot be done anonymously. What is needed is 
privacy, something that does not currently exist on the web that must 
be created through both technical and legal mechanisms.
    Most of the so-called ``free'' web is funded through advertising, 
and advertising is increasingly targeted to individuals based on 
information collected about them from their IP address and from various 
types of cookies placed on their computers when they access sites. By 
the time my homepage at the nytimes.com has loaded, a total of 12 
cookies have been loaded onto my computer, including ``flash cookies'' 
that cannot be deleted through standard browser settings. While some of 
these cookies are used to authenticate my username and password on the 
site, the vast majority are for advertising, meant to track my use of 
the internet in order to target advertising at me. Companies sell geo-
location services that use IP information to determine where you live 
so that advertising can be targeted at you for local services. By 
default, my browser, my computer, and the websites I visit are set to 
allow all this to happen without me knowing it. Advanced users may have 
the skill set and the motivation to set their browser settings and take 
other steps to avoid privacy loss but most users do not.
    At present, only the technically sophisticated, be they law-abiding 
citizens concerned with their civil liberties or criminal actors, can 
obtain anonymity, while the average Internet user experiences a total 
loss of privacy. As the technology develops to improve attribution, we 
need to ensure that our laws develop to protect their use, both by 
government and by the private sector. This points to the need for 
government intervention to require companies that collect information 
online and track users to be explicit about what they are doing. 
Surrendering your privacy online in exchange for ``free'' access to 
information should not be something that happens behind the scenes, but 
an explicit decision that users make. The equivalent of the Surgeon 
General's warning, something short, explicit, prominent and standard 
should be displayed on sites that use privacy compromising methods to 
generate advertising revenue.
    In order to protect private communication online, we need to 
implement both technical solutions and stronger legal protections for 
the content of communication. While law enforcement and intelligence 
agencies are restricted from accessing private information without due 
process, private sector entities and criminals have far fewer barriers. 
The average home user's email messages are not secured end-to-end 
through encryption, and the laws that protect the intercept of these 
messages are far weaker than those that protect regular mail.
    Taken together, these steps would replace the loss of anonymity 
that was the foundation of privacy on the early web, with privacy for 
all activities carried out over the Internet, including transactions 
and two-way communication.

Standards Development for Attack Attribution and Privacy
    As stated previously, I believe it is necessary for the U.S. 
government to work with the Internet engineering community to address 
known problems in the current suite of protocols. In my view, these 
problems are both limited and correctable but both funding for 
development and incentives for adoption post-development are necessary. 
The goal should not be to create ironclad attribution that would turn 
the Internet into the ultimate tool of the surveillance state. Rather, 
the end state should be protocols that prevent the spoofing of IP 
addresses and email.
    On privacy standards, I believe that it is government's role to 
protect the privacy of individual users. Government must stop assuming 
that consumers have all the information they need to make informed 
decisions about privacy. The goal of government intervention in this 
area should be to make the decision to surrender privacy in exchange 
for access to information and services a transparent decision. Websites 
should be required to notify users if access requires the installation 
of cookies that will track users for the purpose of targeting 
advertising. Many if not most users may make the decision to surrender 
their privacy for access to so-called ``free content''. Others may 
choose a pay option. Still others may seek out content that neither 
costs privacy nor dollars.
    These two issues overlap for Internet Service Providers. The 
activity of ISPs is largely unregulated in the United States. For ISPs, 
attribution on their networks is not a problem: they can see malicious 
activity and trace it back to a customer. When evidence of the next 
jump on a host has been deleted, ISPs are often able to trace the next 
hop of packets. Standards are necessary for what ISPs should and should 
not be required to track, for how long they should store such 
information, and how this information can be shared with law 
enforcement or private parties.
    Finally, we need standards for the operation of anonymity services. 
Services like Hotspot Shield, Tor, and others provide a valuable 
service to many Internet users, particularly those living under 
authoritarian regimes where accessing certain websites may not be 
possible or may be tracked in order to identify dissidents. Yet these 
same systems can be used for criminal purposes. Standards are necessary 
for regulating these services and they must be promoted 
internationally. These services provide anonymity, which, as previously 
discussed, is only useful for accessing information sources and 
anonymous posting activity. These services should therefore restrict 
their users to web-based activity. They should also make it easy for 
companies and government agencies to block the outbound IP addresses to 
prevent users that have gained anonymity from attempting to access 
secure systems. If you are trying to access your own bank account 
online, there is no legitimate reason to use an anonymization service. 
Finally, these services should retain auditable logs for law 
enforcement purposes. Users should understand that this information 
will be kept private, and only released if the service has been used 
for criminal purposes. Ultimately, as with states, anonymization 
services should be held accountable for their users' behavior if they 
do not cooperate with law enforcement.

    As I have expressed throughout this testimony, it is my view that 
the problem of attribution has been largely overstated. Ironclad or 
perfect attribution would not address the problems of cyber warfare, 
espionage, crime or other threats in cyberspace. Such a capability 
would, however, be injurious to freedom of expression and access to 
information for many people around the world. Stronger mechanisms for 
international law enforcement cooperation are necessary, as is the 
ability to stop attacks in progress, and improvements to the general 
hygiene of the Internet ecosystem. More than anything else, we need to 
develop better and stronger options for responding to threats in 
cyberspace and introduce consequences for states that do not cooperate 
in stopping attacks or in investigating them. Finally, we need to move 
beyond anonymity as the guarantor of privacy on the Internet and 
instead work to create privacy through both technical means and legal 
requirements. Thank you for the opportunity to testify on these 
important issues. I would be happy to answer any questions at this 

                     Biography for Robert K. Knake
    Robert K. Knake is an international affairs fellow in residence at 
the Council on Foreign Relations studying cyber war. He is currently 
working on a Council Special Report on internet governance and 
security. Prior to his fellowship, he was a principal at Good Harbor 
Consulting, a security strategy consulting firm with offices in 
Washington, DC; Boston, MA; and Abu Dhabi, UAE, where he served 
domestic and foreign clients on cyber security and homeland security 
projects. Rob joined Good Harbor after earning his MA from Harvard 
University's Kennedy School of Government. He has written extensively 
on cyber security, counterterrorism and homeland security issues. He is 
co-author (with Richard Clarke) of Cyber War: The Next Threat to 
National Security and What To Do About It (HarperCollins, April 2010).

    Chairman Wu. Mr. Giorgio.


    Mr. Giorgio. Good morning. My name is Ed Giorgio and I am 
the President of Ponte Technologies. Let me begin by commending 
Chairman Wu and Committee Members for looking into this 
important matter. Having personally spent a career in science 
and technology and having witnessed numerous R&D innovations 
that improve the quality of our lives, economic livelihoods, 
security and privacy, I am confident that this Committee will 
undertake the proper initiatives to solve long-term and 
extremely difficult problems such as the one we face with cyber 
attack attribution.
    Post-attack attribution today is not effective and the 
protocols we have today are insufficient to provide it. The 
recent attacks on Google are neither new nor surprising. What is 
new is the extensive publicity they generated, but despite all 
this publicity, and a convincing that they were perpetrated by 
a state-sponsored actor in China, the rate of such cyber 
attacks coming from China has not decreased. Current 
attribution capabilities are clearly no deterrent.
    We envision transitioning to a multi-protocol Internet 
infrastructure where service is offered over DoD network 
segments and sensitive commercial and financial networks would 
require transmission using new protocols that have 
accountability and attribution built into their design. On such 
networks, attack attribution would meet the requirements for 
legal evidence without giving away sensitive sources and 
methods. Other less-sensitive services might be offered over 
network segments such as Radio Free America, which allow or 
indeed welcome interaction with anonymous entities. This is 
another case where the current protocols are lacking. They have 
little support for anonymity or for real flexibility in how 
much personal information is revealed in a transaction. Each 
citizen should have access to a certificate or other token that 
uniquely identifies the holder along with others that provide 
less or even no identity information. It should be possible to 
acquire as many such identity certificates as are needed to 
support multiple online roles. Some organizations already 
provide physical analogs in the form of prepaid credit cards or 
anonymous pay-as-you-go cell phones.
    As Americans, we fiercely defend our right to privacy and 
security and subsequently create a vision where we achieve both 
simultaneously. But transparency is also important. Indeed, one 
might argue that the history of human social development and 
even evolution was driven by transparency of action, but we 
have witnessed three transformations brought about by 
technology that are having profound impact on human behavior, 
from attributable to anonymous, from discoverable to forever 
hidden, and from understandable to magical. Wherever we lost 
transparency, whether into governments, corporations or 
individuals, bad actors eventually emerged and violated our 
trust and our laws.
    The threat comes from all these actors, many of whom are 
beyond the reach of our American courts, whether it is the 
Chinese stealing our American innovations to produce less-
expensive versions, the Russians engaging in financial crimes, 
the Israelis stealing our political intentions, the French 
dealing our competition sensitive materials, the Nigerians 
conning our elderly and so on. Closer to home, we face the same 
threats from within our borders. In the past, gross violations 
of domestic civil liberties were justified by reference to 
foreign threat. These are very dangerous constitutional grounds 
we tread and the gravity of the legal and constitutional 
dimensions cannot be trivialized.
    So in conclusion, my comments are not focused on promoting 
what the ideal balance between privacy and security should be 
but rather a challenge to those embracing the utopian view that 
both may be simultaneously within our grasp. While we continue 
to insist that private information remains just that and that 
anonymous persona will be supported, the existence of a trusted 
third party may be the only way to ensure that. In my opinion, 
government has not yet earned the necessary trust to perform 
this role and we will require a lot more transparency and 
oversight before giving that trust.
    Thank you very much, and I would be happy to answer any 
    [The prepared statement of Mr. Giorgio follows:]
                Prepared Statement of Edward J. Giorgio

1. Answers to Committee Questions

1.1 Is Attack Attribution a Deterrent?
    Question 1: As has been stated by many experts, deterrence is a 
productive way to prevent physical attacks. How can attack attribution 
play a role in deterring cyber attacks?
    Attack attribution is much easier in physical space, but also 
possible in cyber space. One of our goals is to discover who is 
attacking us, not whose computer systems they are using to launch their 
attack, or where geographically those systems are located. However, 
even this is not enough for a diplomatic or public opinion deterrent. 
Consider for instance the recent attacks on Google. There is little 
doubt that these were perpetrated by a state-sponsored actor in China, 
but has the attendant publicity done anything to reduce the number of 
cyber attacks coming from China?
    Attack attribution is an essential part of our overall situational 
awareness and emergency response measures. For example, we can use 
attribution to shut down or otherwise protect ourselves from attacks in 
progress. We can even stop a DDoS attack without attribution as to the 
initiator of the attack. We just need to stop where it is coming from. 
However if attribution is to have any value as a deterrent then it 
needs to be both irrefutable and able to be revealed to the world 
without compromising privileged information or intelligence assets. In 
some cases you can show China was a transit point for an attack and 
didn't stop it; this has value too.
    Current technologies allow us some level of attribution, most of 
which is plausibly deniable. Attribution can sometimes be made 
irrefutable by combining what is publicly known with the resources 
available to an intelligence agency such as NSA or the FBI, but this is 
rarely releasable beyond government circles--much less to the 
attacker--and thus has little if any value as a deterrent. There is 
also the option of turning it into a U.S. State Department demarche to 
the offending country, but even this has pitfalls (like revealing very 
sensitive sources and methods).
    As with any other form of attack, there are numerous types of 
organizations or individuals involved, and some of these may well be 
deterred from pursuing a cyber attack for fear of attribution and the 
legal or economic consequences thereof.
    Entities whose systems are used as the launching point for somebody 
else's attack may also be motivated by attack attribution to secure 
their systems and either stop an attack in progress or prevent such 
abuse in the future. It is often possible to identify the reputable 
private institution who owns the offending computer--if this is made 
public, it can have an adverse impact on the brand of that institution, 
revealing ineffective controls and poor information security practices. 
Corporate executives could be held personally responsible for such 
failures and personally liable if there is damage to shareholder value.
    The same could be true of the ISPs whose networks are used to 
propagate cyber attacks. Where strong competition is present in the 
market, attribution can play a valuable role in motivating ISPs to 
address user education, network monitoring, and endpoint security.
    With attacks from nation states, or state-sponsored actors, the 
potential impact of attribution technologies really depends on the 
nation, and so our response needs to be carefully tailored to that 
nation to have maximum effect. Some nations will act cautiously, 
fearful of the consequences that could come from being exposed as a 
cyber attacker, such as economic damage, sanctions or even war. Other 
countries do not seem to care. For those nations that do care but also 
have a strong offensive cyber presence, masquerading as an organized 
crime entity, or as a country that is well known to be the source of 
cyber attacks, is an easy way to reduce such risks.
    Terrorist groups will not be deterred by attack attribution--they 
may even welcome it. However, if attribution can be used as a means of 
geo-locating members of a terrorist group during an attack, this is 
something that can be used to disrupt their operational tempo.
    For organized crime, attribution may serve as a deterrent if that 
attribution could be used to help build a criminal case against them 
that will stand up in court. Unfortunately, their chosen targets may 
not have the situational awareness to know that they are being 
attacked, or the resources to provide that deterrent. Organized crime 
groups will often target either bank customers or small companies with 
vulnerable credit card databases. When they target the government, they 
will often target individuals rather than organizations--for example to 
discredit police officers by planting incriminating evidence on their 
home computers, or to bribe or blackmail insiders to monitor or affect 
the course of criminal investigations.
    When forensic analysis or other collateral information also permits 
us to identify the actual human offender, criminal charges, 
prosecution, and conviction will serve as strong deterrents. This will 
be somewhat expensive to do here in the U.S., very complicated with 
even close allies, and nearly impossible with the bad foreign actors 
mentioned above. Consider for example the case of Gary McKinnon, who 
after eight years is still awaiting extradition from the UK--a very 
close ally. The legal costs arising from the investigation and long 
extradition process, along with any future trial, could easily exceed 
the actual damage of which he is accused. Once a suspect is convicted, 
their subsequent imprisonment is also expensive. Is this actually a 
good use of taxpayers' money? We simply do not have the resources to 
pursue every hacker out there, or even a significant subset of them, 
much less extradite them to the U.S. and imprison them here.
    The last significant group of attackers is the ``script kiddies''--
typically the easiest attackers to identify, as well as the easiest to 
protect against. While we should take measures to protect our systems 
against such attackers, and take measures to identify and deter them 
where possible, we should keep in mind that many of them really are 
children. Notwithstanding the damage they cause, our goal should be to 
guide them towards a more enlightened path in which they become useful 
and productive members of society, rather than criminalizing them at an 
early age, which could leave them with no job, no vote, and no stake in 
the common good.

1.2 Roles of Government & Industry in Technology Development
    Question 2: What are the proper roles of both the government and 
private industry in developing and improving attack attribution 
capabilities? What R&D is needed to address capability gaps in attack 
attribution and who should be responsible for completing that R&D?
    While company-to-company and nation-to-nation political dialog may 
well do with less stringent, but plausible, attribution, if attribution 
is to be used in court then it must be irrefutable and presentable as 
evidence in its own right. To achieve this, we will have to move to new 
protocols in the infrastructure which change the very foundation of our 
networks, building in attribution and accountability from the ground 
level. Governments and private enterprises are facing similar threats, 
and trying to solve much the same problems, and so partnerships with 
industry will help to develop the protocols of the future.
    Having built the necessary protocols in collaboration with 
industry, we can begin to require that entities with a legitimate 
presence in DoD networks, or in some civil government or critical 
national infrastructure networks, implement the new protocols as a pre-
condition to network access. Some corporate enterprises (particularly 
in the financial space) will be motivated to do the same for their own 
business reasons. In this way we can add to the security posture of 
those networks at the same time as we demonstrate the viability of the 
    This is not something that any one government can push through for 
broad use in the Internet as a whole. Evidence of this is in the recent 
claims over the ``militarization'' of the internet which is not 
embraced by business, academia, and civil libertarians alike, and even 
debated within government circles. This is somewhat recognizant of the 
crypto wars fought two decades ago which ultimately resulted in 
government conceding the issue. The fact that we may have to make 
concessions on this issue should not prevent us from pursuing R&D 
which will be necessary if/when some politically viable path emerges.
    In spite of this resistance to militarization, there are strong 
economic drivers in global electronic commerce that are pushing towards 
solving security problems in the infrastructure rather than in the 
application space. Applications can't sit around waiting to do a time 
critical task while depending on an unreliable infrastructure. The 
infrastructure will ultimately enforce stronger authentication for 
users and terminals, stronger integrity, and non-repudiation assurances 
for the transactions. These properties, once built into the 
infrastructure, will serve to decrease gaps in attack attribution 
capabilities. Infrastructure will always move more slowly than 
applications, and we should not ignore how quickly application changes 
can deliver either (and sometimes both) improved privacy and improved 
attack attribution.
    Many credible experts claim the goal, even if deemed reasonable, is 
not technically feasible. That may be the case to a purist, but the 
fact that we can't find perfect security solutions anywhere has not 
deterred us from raising the bar very substantially through many hard 
fought for improvements.
    While government cannot by itself mandate changes in underlying 
infrastructure technologies (Ex. IPv6), DARPA, NSF, and the research 
elements supported by the Comprehensive National Cyber Initiative all 
should be working to research and develop new capabilities. These could 
be researched, designed, implemented, piloted, and ultimately become 
operational on DoD and Intelligence networks, where attack attribution 
is far more important. After all, it was the original ARPANET where 
current internet protocols were developed and incubated before they 
ultimately flourished on today's internet.
    New protocols based on the above research should be introduced 
through the IETF, as this process is the most likely to encourage 
commercial acceptance and deployment into worldwide networks. For 
security standards or algorithms, NIST is the appropriate agency.
    Research in attack attribution would leverage many of the 
capabilities already developed. We have seen frameworks which securely 
embed the user ID, computer ID, process ID, institutional affiliation, 
and geo-location directly into the IP address. One way to do this is 
with cryptography, which allows us to bind the above attributes to the IP 
address in a non-forgeable way. Continuous improvements in this area 
could also raise the bar significantly.
    We envision transitioning to a multi-protocol internet 
infrastructure where services offered over DoD network segments would 
require transmission using these protocols, while other government 
services such as ``Radio Free America'' might be offered over network 
segments which allow or indeed welcome interaction with anonymous 
entities. Some incremental improvements in this arena are already being 
made, for example with Trusted Network Connect, which can be used to 
require machine-level attribution before network access is granted. 
Similarly, financial institutions might have far more stringent 
attribution requirements than a news media or marketing agency. Social 
networking sites would be adaptable to the needs of their 
constituencies which, I might add, will likely reflect generational 
differences over the need for privacy.

1.3 Distinguishing Factors between Anonymity and Privacy
    Question 3: What are the distinguishing factors between anonymity 
and privacy? How should we account for both in the development and use 
of attribution technologies?
    Privacy protections are usually given to people who are acting 
under their true identity while anonymity assumes that people are 
acting under an anonymous persona. Under privacy, public and private 
institutions have Personally Identifiable Information (PII) which is 
bound to other information they retain about their customers. This 
might be something as simple as the address of a customer who buys 
firearms. They have policies about protecting such information. Control 
objectives focused on privacy attempt to mitigate loss from:

        a.  Unauthorized Individual--Information systems are 
        inadequately protected resulting in a release of data to 
        unauthorized parties inside (or outside) the institution.

        b.  Authorized Individual--An authorized individual within the 
        institution makes a unilateral decision to overstep their 
        authority and release or sell privacy information.

        c.  Questionable Institutional Practices--Questionable (and 
        generally accepted) institutional practices push the legal 
        envelope too far by broadly interpreting the privacy laws 
        pertaining to their business.

        d.  Systemic Institutional Corruption--Systemic institutional 
        corruption results in the willful and unlawful release of 
        privacy information.

    In all the above cases, the institution has privacy information 
which it did not provide adequate protections for. This is not the case 
with anonymity which would have prevented the institution from knowing 
the identity of or having PII on the individual in the first place. 
This is quite different from well intentioned anonymizers which attempt 
to remove all PII information from data records so they can be used for 
other purposes, such as research, public health, crime statistics, etc. 
There have been some failures of anonymized data bases which revealed 
PII information through ``data leakage'' or ``correlation handles''.
    There is very relevant research on the problem of working with 
Internet router flow records which were anonymized by having random 
substitutions applied to their IP address fields. Researchers were able 
to recover the actual IP addresses from a collection of anonymized 
records and known IP address segments. Since the purpose of attack 
attribution is to identify the attacker, the attacking computer, or the 
geo-location of the computer, this cannot be done successfully without 
unmasking someone or some computer who was attempting to be anonymous. 
Of course, this is not the case if the person was acting under an 
``anonymous persona'' in the first place, in which case there is no 
persona to attribute the attack to.
    Where true anonymity is allowed, attribution is neither desirable 
nor possible. Therefore a risk management decision has to be made as to 
how much anonymity is allowed and in which contexts. A news 
organization may consider it more important to allow anonymity to 
protect journalistic sources, while a DoD organization may see no need 
for others having anonymity but every need for security. Today's 
networks give us a mix between anonymity and security, but no fine-
grained tools for managing the trade-off between them.
    Many of the transactions on the internet are reasonably private but 
not anonymous. The financial institutions develop protocols which 
protect the integrity of the financial transactions, and the merchants 
may make some attempt to protect customer privacy information, but 
existing protocols don't allow anonymity where it may be called for. 
For example, I may wish to research AIDS treatments without letting my 
search agent know that it is me doing this research. I may even want to 
buy such treatment without revealing my identity to the merchant who is 
selling it to me, but I may want the supply chain and the public health 
officials to know what treatments are of interest to this anonymous 
purchaser. All of this is possible with the right protocols. In the 
standards section below we will demonstrate the type of research that 
is needed to develop such protocols.
    In order for online commerce to flourish, there is a strong need 
for trusted entities to issue trustable and non-transferrable identity 
certificates. In this way people can be assured that when they 
communicate with the same online identity twice they are actually 
talking to the same person both times. Governments around the world 
already issue physical identity certificates, but in the online world 
governments came late to the game and private organizations such as 
Verisign have arisen to fill this gap. Any attempt by government to 
take back control of online identification, or even just to provide 
services in this space, will be met with resistance.
    Leaving aside the issue of who is issuing identity certificates, 
and how they are secured so as to be non-transferrable, some of these 
should uniquely identify the holder while others should be able to 
provide less or even no identity information. It should be possible to 
acquire as many such identity certificates as are needed, and unless 
they contain personal information in common between them there should 
be no way to link one anonymous identity to another. Some organizations 
already provide physical analogs, in the form of pre-paid credit cards, 
or pay-as-you-go cell phones, that require little or no personal 
information to activate.

1.4 Need for Privacy and Attack Attribution Standards
    Question 4: Is there a need for standards in the development and 
implementation of attack attribution technologies? Is there a specific 
need for privacy standards and if so, what should be the government's 
role in the development of these standards?
    Technologies that are built into the network architecture need to 
be made in accordance with open standards, as this promotes 
interoperability and encourages broad adoption. Technologies for attack 
sensing and mitigation are more difficult to standardize, and standards 
may actually harm you because they give the attacker something to test 
their strength against before they come after you.
    So, the military will always have to have secret capabilities for 
attack attribution in addition to the infrastructure standards 
discussed in the previous answer. These secret capabilities become 
problematic when the military is asked to apply them to other 
government agencies, critical infrastructure, ISPs, academia, and 
international corporations where transparency is vitally important. 
This is at the heart of the current Einstein debate which is 
considering the deployment of military intrusion detection capabilities 
to protect civil agencies. The only solution I see to this problem is a 
public-private partnership (or standing commission) where technical 
expert members have government security clearances while not required 
for other commissioners who, over time, learn to trust in the 
unclassified explanations given to them by the technical experts.
    In the previous answer, we explained the need for standards 
involving authentication, integrity, confidentiality, non-repudiation, 
geo-location, institutional affiliation, and more at the infrastructure 
level which bind all these attributes to the IP address of the end 
user. We would add an anonymous persona standard as well as new 
standards to protect privacy. The government should invest in the 
development of these standards, but let the open standards groups such 
as IETF, NIST, ISO, WWC, and more run those standards through their 
respective processes. The government should have representation at the 
    There is a specific need for new and improved privacy standards. We 
can best illustrate this by introducing a suggested framework for two 
important areas where privacy is critical: medical records and on-line 
transactions. This framework should make it clear that existing 
protocols for on-line transactions focus on the integrity of the 
financial transaction rather than the privacy of the parties involved. 
The framework appears in the last section.

2. Full Discussion

2.1 Introduction
    If we are to protect the Internet and its users from criminals, 
hostile nation states, and terrorists we will have to both design the 
Internet better and then be vigilant about monitoring it. The former 
will encourage technologies such as strong authentication, while the 
latter will likely force us to balance Security (attribution) & Privacy 
(anonymity) when designing new Internet protocols and host 
technologies. This may appear strange because, at some level, Security 
and Privacy (S&P) have a similar definition: The right to live out 
one's life without interference from others. Indeed we can demonstrate 
many instances of best practices in computer & Internet security which 
result in enhancing both security and privacy simultaneously. The very 
existence of these synergistic outcomes, however, permits arguments 
that can be used to deflect the discussion away from other areas (like 
attack attribution) where we frequently have to make tradeoffs.
    We say frequently above because it depends on the nature of the 
attack. Is it a National Security threat, or a criminal action and thus 
in the law enforcement domain? Attribution techniques sufficient to 
identify a Nation State initiator of an attack for appropriate 
political/military response need not impact personal privacy. If it is 
a criminal attack against banks or persons, ``following the money'' may 
be more effective in gaining forensic-quality evidence for court 
action, as opposed to machine identities used merely as clues as to 
where to start the hunt for physical evidence of crime.
    Privacy and anonymity currently play a critical role to many of us 
here in the U.S. and to freedom fighters, whistle blowers, bloggers, 
and amateur reporters in both democratic and repressive regimes all 
over the globe. It's one of the few mediums where you can be relatively 
anonymous. Unfortunately, the trend line looks ominous for those 
capabilities and I think these traits will largely disappear in the 
Internet in 20 years independent of the best intentions of some 
governments. This prediction is a function of where the Net came from 
and the fact it's grown so fast and that it had to maintain the 
original assumptions which drove Internet plumbing (protocol and router 
development) in the first place and were friendly to anonymity 
interests. That said, the net is maturing, and as new protocols come 
online and a new generation of users grows up, the inevitable 
degradation of privacy is already well underway. In spite of the best 
efforts of civil libertarians, the current privacy issues are largely 
business driven. That is, you could still be anonymous if you wanted, 
but once you jump into the social networking or online commerce pool, 
it goes away quickly. It is highly likely that the next generation of 
internet protocols will have the capability to provide much stronger 
levels of attribution which will, as a byproduct, serve the interests 
of those seeking attack attribution. So our lack of privacy and 
anonymity in portions of the future internet may be inherent in the 
infrastructure, as well as a byproduct of the applications that ride on 
top of it, as is the case today.
    Geo-location is perhaps one of the greatest threats to both privacy 
and anonymity. The trend towards wireless mobility is embedding 
location tags deep in the infrastructure which will be imposed by the 
new protocols that are difficult to circumvent. These protocols may 
also embed attributes such as personal identity, hardware identity, 
physical location, and institutional affiliation right in the internet 
protocol address. This trend will be business driven as national and 
international commerce will benefit from the stronger integrity and 
non-repudiation assurances for the transactions. Strong authentication 
of the person at the other end will be available from the 
infrastructure rather than from some application operating over it.
    These capabilities will serve us well in emergencies caused by 
natural disasters, man-made accidents, or hostile foreign threats; 
tweeters, bloggers, and social media players will get their news and 
pictures from someone at ground zero, rather than having to first sort 
through the political rhetoric emanating from a distant corner of the 
globe. These capabilities will have many other benefits, such as 
providing parents with the real time location of their children. They 
will also be used for nefarious purposes by criminals, rogue nations, 
industrial competitors, and terrorists. Wouldn't the terrorists like to 
turn the tables and know when key U.S. public officials or military 
commanders are dining in a restaurant?
    When balancing the need for anonymity with attack attribution, 
there is no silver bullet, be it technology, policy, economic 
incentives, or cultural change, which will solve the problem. Even in 
cases where attack attribution is deemed more important, we don't 
currently have reliable ways of actually doing it. Furthermore, when we 
can identify the offending computer with high probability we may not 
know who the actual human offender is. This is true because the 
computer owned by the innocent user may have been previously 
commandeered by a malicious and anonymous adversary operating from a 
remote location anywhere in the world. For this reason corrective 
action such as quarantining the offender may actually be depriving the 
real computer owner of vital and even life supporting services 
delivered over the internet.
    For the reasons stated earlier, it seems reasonable that 
individuals should have the right to have an ``anonymous persona''--or 
as many of them as they need--which they can use for online 
interactions. One ought to be able to anonymously check out the prices 
in Amazon and Borders before making a purchase; one ought to be able to 
visit the VA STD site before registering for treatment information; one 
ought to be able to anonymously read about LAPD civil rights 
violations; one ought to be able to communicate privately and 
anonymously with others, while still having some assurance that when we 
talk to the same anonymous ID we are talking to the same person. Many 
information providers may choose to only release information to properly 
authenticated and authorized individuals, but what about sites giving 
guidance to political dissidents, whistle blowers, oppressed groups, 
freedom fighters, etc.? These sites, of course, want to share this 
information privately and without any strings.
    In a world of insecure computers and botnets (commandeered armies 
of innocent computers) we will need attack attribution to point us to 
the offending computer, its owner or institutional affiliation, and its 
geographic location. But as computers become virtualized we will lose 
the ability to attribute action to specific computers and as we move to 
cloud computing we will even lose the ability to geo-locate the 
computer. This doesn't mean that we can't encode the user identity, 
computer ID, process ID, and institutional affiliation into the 
computer's (IP) address, because with the proper R&D we can move to a 
next generation of internet protocols which do precisely that.

2.2 Anonymity
    As children, many of us watched a program called ``The Invisible 
Man''. Let's suppose that technology makes that a reality where one 
could take a pill and become invisible for the next hour. This 
technology might profitably be used to observe nature without 
disturbing it, visit public places without the fear of recognition and 
unwanted attention, associate with people we don't want to be linked 
to, etc. This technology is needed just as much by government entities 
as it is by citizens. Of course, it is also easy to envision how this 
technology might be used to commit crime, so we could surely expect a 
response which would, for example, make it illegal to enter a 
government building in the invisible state. Banks would respond by 
refusing ATM withdrawals to invisible people. While all of this sounds 
like an absurd policy debate, it is precisely what is being played out 
in cyber space today. Invisible actors from all of the threat groups 
are ever present in our computers, behind our locked doors, not in the 
jurisdiction of our courts, not in range of our guns, and overhearing 
both our thoughts and our private conversations.

2.3 Losing Transparency
    As Americans we fiercely defend our right to privacy and security, 
and subsequently create a vision where we achieve both simultaneously. 
This vision embodies our protection from individuals, corporations, 
governments, cultural and religious institutions, subversive 
organizations, and common criminals. Through our human experience with 
these actors we recognize that we have reason to fear all of them. Our 
lives are played out in part through acts conducted by ``perpetrators'' 
and which have impact on ``victims''. While these words are pejorative, 
it is this concept of becoming a victim that drives our passion for 
achieving privacy and security. The problem with this logic is that the 
laws and tools which give potential victims privacy and security can 
also be used by the threat agents to achieve anonymity. The result is a 
world with very little transparency into what everybody, from criminals 
to nation states, is actually doing. Even when we can see the 
consequence of these actions we may never know who the perpetrators 
are. One might argue that the history of human social development (and 
even evolution) was driven by transparency of action. While human 
nature has remained largely unchanged, we have witnessed three 
transformations brought about by technology that are having a profound 
impact on human behavior:

          Attributable to anonymous,

          Discoverable to forever hidden,

          Understandable to magical.

    Wherever we lost transparency, whether into governments, 
corporations, or individuals, bad actors eventually emerged and 
violated our trust and laws.

2.4 Who Should We Fear
    In America we have a somewhat unique tendency to fear violation of 
our privacy from government above all. This stems from our beliefs and 
experiences that if we are wronged by an individual or a corporation we 
have recourse from damages in a court, while government has 
historically avoided such accountability. But, let us first explore the 
expanded threat to privacy and be specific about some of the (largely) 
foreign threats. Are we not concerned about the Chinese stealing our 
technology to produce less expensive versions, the Russians engaging in 
financial crimes, the Israelis stealing our political intentions, the 
French stealing our competition-sensitive materials, the Nigerians 
conning our elderly, and so on? These actors are all foreign threats, 
and they represent official governments, large corporations, 
terrorists, and common criminals. And yet, to most of us, these actors 
are all beyond the reach of our American courts. Our security and 
privacy is threatened by all of them, yet many folks continue to focus 
primarily on government. I would suggest that more balance is needed in 
first identifying the real threat and then establishing the appropriate 
balance between privacy and security.
    Finally, I would be remiss to exclude the fact that while many of 
these threats are foreign, many are domestic, and, in the past, 
violations of domestic civil liberties were justified by reference to 
foreign threat. These are very dangerous constitutional grounds we 
tread and the gravity of the legal and constitutional dimensions cannot 
be trivialized.

2.5 Conclusions
    In conclusion my comments are not focused on promoting what the 
ideal balance between privacy and security should be, but rather a 
challenge to those embracing the utopian view that both may be 
simultaneously within our grasp. We need to put together 
representatives from both sides of the debate, allow them to frame the 
issue, and present the differences in a way our policy and law can 
respond appropriately. While we will continue to insist that private 
information remain just that, and that anonymous persona will be 
supported, the existence of a trusted third party such may be the only 
way to ensure that. So, the debate might eventually come to: can we 
trust government with the information it needs to protect our security 
or do we lose our privacy from a myriad of bad actors (the least of 
which may be government)? In my opinion government has not yet earned 
this trust and we will require a lot more transparency and oversight 
before giving that trust.
    In summary, the privacy & security debate (and hence the anonymity 
and attribution debate) focuses us on only one aspect (albeit very 
important) of the problem and we need several initiatives to correct 
that. In parallel, we should also be using our status as a superpower 
to drive behavior by the Chinese on the internet, the French on 
business-competition practices, the Russians on stamping out financial 
crime, the Israelis on influencing our political system, and 
international crime-fighting organizations on establishing deterrents. 
This will require a U.S. policy with an enlightened international 
agenda which focuses on using what remaining superpower status we have 
to drive behavior. This is essential to balancing security and privacy 
at home while simultaneously promoting a robust ecommerce and human 
rights agenda globally. Once such behavior is agreed upon our policy 
must be ``trust but verify'' and will require some authorized (and 
transparent) monitoring of our information and telecommunications 
systems, while at the same time, embracing really strong mechanisms to 
protect privacy and anonymity. This monitoring will allow authorized 
governments to perform attack attribution with cooperation from the 
private sector. It will also require oversight by a trusted third party 
and considerable transparency on Main Street.

3. Appendix: New Privacy Standards Framework

    We suggest a new framework to evaluate the security of an on-line 
transaction. We do this only to elaborate on the inadequacies of the 
current protocols which focus much more on security than privacy. Our 
transaction involves a buyer (Bob), a search agent (Goliath), a seller 
(Sam), a trusted identity provider (Ida), a bank (Betsy), manufacturers 
(Matt and Martha), the blind anonymity provider (Andy), and finally, 
Bob's roaming service (Robin). Bob wants to purchase specific goods and 
begins with asking Goliath to provide a list of sellers. Bob then 
selects a seller Sam and purchases a product using a credit card he was 
issued by Betsy. Ida provides some real time assurance that Bob and Sam 
are who they claim to be. Andy facilitates the sharing of some 
transaction details with manufacturers Matt and Martha who need to 
restock the shelves. Note that these latter details are not made 
available to Andy who is ``blind'' to the information needed by the 
wholesalers. Robin provides a roaming and/or backup service for Bob's 
secret credentials (Robin herself is blind to these credentials).
    The security complexity of multi-party protocols grows rapidly as 
the number of parties in the transaction increases. Our problem 
potentially has eight distinct roles with some of the roles having 
multiple players within a specific transaction (such as merchants, 
manufacturers, or identity providers). Different parties talk both 
directly and indirectly to each other, security assertions are checked 
and passed along to other parties, and authentication, integrity, 
authorization, privacy, and non-repudiation are potentially important 
to each of the relationships.
    We are now in a position to form a privacy framework based on the 
outcome of several assumptions:

        1.  Bob knows everything about his transactions.

        2.  Where Bob has shared his personal information with the 
        other parties, he should still (legally) own that information 
        and be able to update or revoke it at a later date.

        3.  Ida(s) has provided identity assurance to potentially all 
        parties in the transaction.

        4.  Goliath knows the set of sellers that have the products Sam 
        is interested in, and, may or may not know Bob's identity.

        5.  Sam has sold a product to Bob, and Sam may know Bob's 
        identity and his bank account number (today's situation), or 
        Sam knows Bob's identity and mailing address only, or Sam 
        doesn't know anything about Bob.

        6.  Sam may keep a record of the purchase, but the customer 
        data, and the account information may be kept by Bob only, or 
        by both Bob and Sam.

        7.  Betsy knows that Bob has made a purchase from Sam, has 
        completed the financial transaction, and may or may not know 
        detailed information about the product that was purchased.

        8.  Matt and Martha know somebody's ``purchasing interest'' or 
        ``purchasing profile'', and may or may not know their identity.

        9.  Andy has facilitated the transfer of some encrypted data 
        from Bob to Matt and Martha, but doesn't know what it is.

        10.  Robin has encrypted information about Bob, including his 
        secret keys, so she can support his roaming, but knows little 
        more than Bob's identity, and certainly can't decrypt his 
        secret keys.

    The choices in the above framework do not have one-size-fits-all 
answers, so the ultimate protocol selected must be tunable to the 
answers that fit the situation.
    For brevity, we will not demonstrate a similar privacy framework 
for medical purposes, but we will point out that there are even more 
stakeholders in the communications and data retention aspects of any 
medical situation, and enumerate those stakeholders. They include 
patient, attending physician, treatment facility, pharmaceutical 
provider, nurses and other medical care professionals, consulting 
physician, insurance provider, public health officials, pharmaceutical 
and infectious disease research community, accounting and billing 
support staff, and several others. While there are currently many 
places where anonymizers are used today to share medical information, 
we believe those protections are woefully inadequate.


    I would like to acknowledge the contributions by several people who 
made critical comments and constructive ideas during the drafting of 
this testimony. All the views expressed in the preceding text certainly 
do not represent the positions of the names listed below. Indeed, in 
some areas, their views represent alternate positions. Nevertheless, 
their contributions were invaluable.

William Crowell, Consultant, former CEO Cylink, former Deputy Director 

Jerry Dickson, former Director of the National Cyber Security Division 

Kevin R. Fall, Ph.D.

Daniel E. Geer, Jr., Sc.D., CISO, In-Q-Tel

Susan Landau, 2010-2011 Radcliffe Fellow, Harvard

Ronald D. Lee, Attorney

James Lewis, Center for Strategic and International Studies

Mike McConnell, Booz Allen Hamilton, former DNI, former Director NSA

Vin McLellan, Consultant and Publicist in Security & Cryptography

Alan Paller, Director of Research, SANS institute

Bruce Potter, CTO of Ponte Technologies, SHMOO founder

Marcus Ranum, CSO of Tenable Network Security

Brian Snow, Cryptographer and former NSA Senior

    Finally, this testimony would not have been possible without the 
content and editing contributions from Patrick Henry of Ponte 

                    Biography for Edward J. Giorgio
    Ed Giorgio is the co-founder and president of Ponte Technologies, a 
security and technology company. He is on numerous advisory boards, 
including the NSA Advisory Board and the Commission to advise the 44th 
president. He was formerly a principal at Booz Allen Hamilton, where he 
spent ten years working on information security and enterprise 
resilience issues for a variety of commercial clients and Federal 
agencies. Mr. Giorgio also has nearly 30 years of security experience 
with the National Security Agency (NSA). While at NSA, he pioneered 
developments in communications security, national intelligence policy 
and technology, and public key cryptography. Mr. Giorgio is the only 
person to have served as both Chief U.S. codemaker and, subsequently, 
as Chief U.S. codebreaker at NSA where he directly managed 1600 
mathematicians and computer scientists. As a mathematician, he designed 
and delivered the first public key based e-mail privacy and 
authentication system on the worldwide intelligence network. Today he 
provides services which help clients bridge business innovation, 
technology, and security and delivers these services to government and 
commercial clients. He also advises investment bankers and VC's on the 
viability of early-stage security companies. Mr. Giorgio is considered 
a leading authority on cryptology and has extensive experience in 
cryptography, Internet security technology, wireless security, security 
policy, information warfare, privacy, and intelligence sources and 

    Chairman Wu. Thank you very much, Mr. Giorgio.
    Mr. Rotenberg, please proceed.

                       INFORMATION CENTER

    Mr. Rotenberg. Thank you very much, Mr. Chairman, Members 
of the Subcommittee. I appreciate the opportunity to be here 
today. I am President of the Electronic Privacy Information 
Center and I teach privacy law at Georgetown and I have been 
involved in most of the debates about cybersecurity and privacy 
going back 25 years.
    My organization publishes an important report about privacy 
and human rights around the world, and I draw attention to this 
because in our testimony, we talk about the use of attribution 
by governments, not necessarily for the purpose of promoting 
cybersecurity but actually to monitor and track people with 
unpopular political opinions. China has the most advanced means 
of attribution today for Internet users. They require Internet 
users to individually register themselves, to provide their 
true names, their e-mail addresses and the list of news 
services from which they receive information on the Internet. 
They require Internet service providers to keep detailed logs 
on the activities of people who get access to the Internet 
through Chinese licensed ISPs, and they require the cyber 
cafes, which is the main point of access for people in China 
who want to get information on the Internet to track all the 
activity and keep these records for 60 days to make them 
available to the Chinese government, and most interestingly, 
because I also have a background in managing one of the 
Internet domains, the .org domain, when the .cn domain became 
available for website registration, the Chinese government also 
required that businesspeople who wanted to create an Internet 
website using the .cn domain provide their actual name and a 
photograph to the government so that they could also be 
    Now, China, of course, is not alone, and I cite in my 
testimony similar examples involving Burma, Syria, Iran and 
Egypt. The point that I am trying to make here is that there is 
a real risk, which I think was suggested by one of the other 
witnesses, that attribution techniques through this means of 
keeping track of what people do online will be used for 
purposes unrelated to cybersecurity that has a real impact on 
human rights and freedom of expression because of course what 
attribution also does is make people think twice about saying 
things that might be unpopular or controversial.
    Now, fortunately, in the United States, as I also describe 
in my testimony, we have a very strong constitutional right to 
speak anonymously, which is perhaps not surprising because the 
Federalist Papers that provided the basis for our country were 
written by people who made frequent use of pseudonyms. They 
understood that publishing their views in a way that could be 
easily attributable to them might quell their efforts to change 
the form of government that existed in the colonies at the 
time, and our courts have said repeatedly that anonymity is an 
important right that is protected within the First Amendment. 
More recently, we have also been involved in cases involving 
Internet freedom and the famous ACLU [American Civil Liberties 
Union] versus Reno case from 1996 that struck down the 
Communications Decency Act where the Supreme Court affirmed the 
very important role that the First Amendment plays in 
protecting Internet freedom.
    Now, what I did in preparation for this hearing with the 
help of our excellent law clerks who are at EPIC this summer 
was to research the cases involving identification requirements 
for the Internet. We were trying to answer your very specific 
question, would it be possible in the United States to have an 
identification requirement, a mandatory requirement for anyone 
who goes online, which is certainly being talked about, and our 
conclusion is that we don't think it would be possible. In the 
one case where an identification requirement has been upheld, 
and this was in the State of Utah after an earlier effort had 
been struck down, it was permitted only for convicted sex 
offenders where there was narrow collection of personal data 
and used for very narrow purposes. That is the only case that 
we could find.
    Finally, as I also set out in our testimony, looking at 
this problem of attribution turns out to be very difficult, as 
other witnesses have pointed out, primarily because it is so 
easy for people online to evade detection. Bruce Schneier, who 
is a noted security expert, said bluntly, ``It is futile.'' 
What it will do is actually create new opportunities for people 
to hide because they will create new false credentials, and the 
recent report from the National Research Council that also 
looks at the issue of attribution reaches a similar conclusion. 
This is not to say that we aren't aware that there are serious 
network threats which obviously implicate privacy and security 
interests but we think it is very important in this area to 
also consider the harmful impact that a broad attribution 
requirement might have for the freedom of Internet users.
    Thank you again for the opportunity to be here.
    [The prepared statement of Mr. Rotenberg follows:]
                  Prepared Statement of Marc Rotenberg
    Mr. Chairman, Members of the Committee, thank you for the 
opportunity to appear today to discuss the topic of Cyber Security and 
Attribution. We appreciate your interest in this topic.\1\
    \1\ EPIC Counsel Jared Kaprove and EPIC IPIOP clerks Matthew Lijoi, 
Laura Moy, Reuben Rodriguez assisted in the preparation of this 
statement. The views expressed are my own.
    My name is Marc Rotenberg. I am President of the Electronic Privacy 
Information Center (EPIC), a non-partisan public interest research 
organization established in 1994 to focus public attention on emerging 
privacy and civil liberties issues. Since our founding, we have had an 
ongoing interest in computer security, privacy, and identification. In 
fact, EPIC began in response to a proposal from the National Security 
Agency to establish a mandatory key escrow encryption standard that 
could have easily prevented the emergence of the Internet as a powerful 
force for economic growth and political change.
    EPIC was founded in 1994 in part to address concerns about the role 
of the National Security Agency in computer security policy.\2\ Since 
then EPIC has participated in numerous public debates regarding the 
protection of privacy rights on the Internet and elsewhere. EPIC is 
currently engaged in active litigation under the Freedom of Information 
Act with the NSA and National Security Council regarding National 
Security Presidential Directive 54, a secret document that governs the 
NSA's current authority over cyber security policy.\3\ EPIC has also 
been involved recently in seeking information regarding the secret 
cyber security program known as EINSTEIN 3.0, as well as a new secret 
program within the NSA called ``Perfect Citizen.'' \4\ And I have 
participated in scientific workshops on such topics as ``eDNA,'' a 
proposal to tie every user activity to their unique DNA, developed by 
Admiral John Poindexter the architect of Total Information Awareness, 
that was thankfully rejected.\5\
    \2\ See EPIC, The Clipper Chip, http://epic.org/crypto/clipper 
(last visited July 13, 2010).
    \3\ EPIC v. NSA, No. 10-196 (D.D.C. filed Feb. 4, 2010).
    \4\ See generally EPIC, Cybersecurity and Privacy, http://epic.org/
privacy/cybersecurity/ (last visited July 13, 2010).
    \5\ John Markoff, Surveillance Agency Weighed, but Discarded, Plan 
Reconfiguring the Internet, N.Y. TIMES, Nov. 22, 2002, available at 
http://www.nytimes.com/2002/11/22/politics/22TRAC.html. The project 
description of eDNA stated:

      We envisage that all network and client resources will 
      maintain traces of user eDNA so that the user can be 
      uniquely identified as having visited a Web site, having 
      started a process or having sent a packet. This way, the 
      resources and those who use them form a virtual 'crime 
      scene' that contains evidence about the identity of the 
      users, much the same way as a real crime scene contains DNA 
      traces of people.
    In my statement today, I will point to the risks and limitations of 
attempting to establish a mandatory Internet ID that may be favored by 
some as a way to address the risk of cyber attack. Such a proposal has 
significant implication for human rights and freedom online. It is not 
even clear that it would be constitutional to mandate such a 
requirement in the United States.
    To be clear, there are real concerns about network security. 
Network vulnerabilities also have implications for privacy protection. 
But solutions to one problem invariably create new problems. As we 
learned in the early days of the Internet, a proposal to make it easier 
for the government to monitor network traffic will also make 
communications more vulnerable to criminals and other attackers. 
Similarly, proposals to mandate online identification will create new 
risks to privacy and security.

I. Internet attribution requirements have resulted in censorship and 
                    international human rights violations.

    It may be that governments establish attribution requirements to 
address cyber security concerns. But it is also clear that governments 
impose these requirements to track the activities of citizens and to 
crack down on controversial political views. We know this from our 
research of identity requirements for Internet use outside of the 
United States.\6\ The risk of mandatory attribution can be seen most 
clearly today in China. In fact, in just the last day, the Associated 
Press reported on efforts in China to crack down on anonymity and 
mandate identification requirements.\7\

    \7\ Anita Chang, China seeks to reduce Internet users' anonymity, 
Associated Press, July 13, 2010, at http://www.google.com/hostednews/
X6GVZyQD9GUI6VO0 (``A leading Chinese Internet regulator has vowed to 
reduce anonymity in China's portion of cyberspace, calling for 
requirements that people use their real names when buying a mobile 
phone or going online, according to a human rights group.'') See also, 
Rebecca MacKinnon, RConversation: China's Internet White Paper: 
networked authoritarianism in action, June 15, 2010, http://
    Currently, China leads the world in Internet use. Over 360 million 
people access the internet in China, an increase of 1,500% since the 
year 2000, accounting for over twenty percent of the world's online 
population.\8\ Despite these numbers, Chinese Internet users must abide 
by some of the strictest identification requirements to get online. By 
making user Internet activity appear attributable to the individual, 
China's regulations generate user self-censorship.
    \8\ Internet World Stats, Internet Users--Top 20 Countries--
Internet Use, http://www.internetworldstats.com/top20.htm (last visited 
July 13, 2010).
    The Chinese government identifies users who access the Internet 
in three ways: (1) mandatory registration requirements, (2) 
requirements on Internet Service Providers, and (3) regulation of 
Internet cafes.\9\
    \9\ See Trina K. Kissel, License to Blog: Internet Regulation in 
the People's Republic of China, 17 IND. INT'L & COMP. L. REV. 229 
    China first began control over individual access to the Internet in 
1996, and has since revised its policies several times;\10\ many of 
these revisions entailed requirements that users provide identification 
when accessing the Internet or using certain Internet services. Chinese 
citizens wishing to access the Internet are required to obtain a 
license for Internet access. They must register with the local police 
by providing their names, the names of their Internet service providers 
(ISPs), their email addresses, and any newsgroups to which they 
subscribe.\11\ In February of 2010, the Chinese government lifted a ban 
on registrations of domain names ending in the ``.cn'' suffix, but also 
imposed strict new requirements for their use.\12\ Now, individuals 
wishing to set up personal websites using the suffix must 
verify their identities with regulators and have their photograph 
    \10\ Kristin M. Reed, Comment, From the Great Firewall of China to 
the Berlin Firewall: The Cost of Content Regulation on Internet 
Commerce, 13 TRANSNAT'L LAW. 451, 462 (2000). See also, PRIVACY AND 
HUMAN RIGHTS 349-51 (2006) (``China--Monitoring of Cybercafes'').
    \11\ Id.
    \12\ Reporters Without Borders, Internet Enemies: China, at 3, Dec. 
3, 2010, available at http://en.rsf.org/IMG/article-PDF/
    \13\ David Pierson, China Steps Up Policing of New Websites, L.A. 
TIMES, Feb. 25, 2010.
    Additionally, some local and provincial Chinese authorities 
currently require that individuals use their real names when accessing 
bulletin boards, chat rooms, or IM services.\14\ The requirement also 
extends to university settings,\15\ and in July 2005, all 
administrators and group founders of China's largest instant messaging 
service, QQ, were told that they must use their real names to access the 
service.\16\ A notice from the Shenzhen Public Security Bureau 
declared: ``This year, at various internet chat rooms in our city, 
there were chat groups, forums, BBS, internet SMS and various internet 
public information services in which there were illegal assemblies, 
illegal alliances and obscene behaviors being observed. In order to 
protect national security and preserve social stability. . .we will be 
conducting clean-ups on network public information services.'' \17\
    \14\ Radio Free Asia, China Tightens Grip on Cyberspace, Aug. 17, 
2005, http://www.rfa.org/english/news/in-depthJ2005/08/ 17/
    \15\ Id.
    \16\ Nanfang Weekend, Fourteen Departments United to ``Purify'' the 
Internet, Aug. 18, 2005, translated in EastSouthWestNorth, Purifying 
the Chinese Internet, http://www.zonaeuropa.com/
20050821-1.htm (last visited July 9, 2010). QQ has 100 
million active users, including 8 million users who are founders or 
    \17\ Id.
    Chinese state-licensed ISPs are required to track and store user 
activity.\18\ ISPs must retain records on user identification, what 
sites the user visited, the duration of the user's visits, and the 
user's activity on those sites.\19\ Though Chinese laws prohibit 
disclosure of this information generally, they make exceptions for a 
number of government purposes, including national security or criminal 
investigations.\20\ Moreover, there are few formal procedures for 
requesting such data, and most of the time ISPs will disclose to the 
government an individual's internet usage and identification with just 
an informal request.\21\
    \18\ See Open Net Initiative, Internet Filtering in China (2009), 
ONI-China-2009.pdf at 15.
    \19\ Id.
    \20\ Id. at 14.
    \21\ Id. at 14-15.
    Finally, Internet cafes in China abide by strict regulations that 
require them to identify their patrons.\22\ Many Internet users in 
China rely on Internet cafes as a primary means of access.\23\ All 
Internet cafes must install filtering software, ban minors from 
entering, monitor the activity of their patrons, and record patrons' 
identity and complete session logs for up to sixty days.\24\ In many 
cities, Internet cafes are also connected by live video feeds to the 
local police department.\25\
    \22\ See id. at 15. See also, Jill R. Newbold, Note, Aiding the 
Enemy: Imposing Liability on U.S. Corporations for Selling China 
Internet Tools to Restrict Human Rights, 2003 U. ILL. J.L. TECH. & 
POL'Y 503, 504 (2003).
    \23\ See generally, Audra Ang, China Wants Web News `Civilized', 
DESERET MORNING NEWS, Sept. 26, 2005, at A4, available at 2005 WLNR 
    \24\ Open Net Initiative, supra note 18 at 15.
    \25\ Id.
    The identification requirements China placed on Internet access 
cause users to police their own Internet usage. China's Internet users 
(justifiably) believe that all of Internet activity is attributable to 
the individual. Transgressing Chinese Internet policy is often met with 
harsh penalties.\26\ Therefore, without anonymity, many Internet users 
in China steer well clear of any potentially controversial activity 
that might violate China's vague Internet prohibitions.
    \26\ E.g., Kristen Farrell, The Big Mamas are Watching: China's 
Censorship of the Internet and the Strain on Freedom of Expression, 15 
MICH. ST. J. INT'L L. 577, 578-85 (2007) (describing three examples of 
arrests and imprisonment for internet speech).
    China is well known for directly filtering internet content within 
its borders;\27\ however, the practice of attributing Internet activity 
to the specific user through identification requirements is even more 
effective in regulating Internet content than direct filtering.\28\ 
China's identification laws are designed to make the user believe 
``that every bit of [her] activity is tracked.'' \29\ Furthermore, 
China's enforcement of its Internet laws gives users reason to be 
concerned that if they violate the laws, they will be caught and the 
punishment will be severe.\30\ Almost every internet-related 
imprisonment resulted from an accusation of subversion, a guilty 
verdict, and a two to twelve year prison sentence.\31\ In this way, 
``[t]he manhunts for individual internet users, which often mobilize 
dozens of agents from the public security and state security 
ministries, serve as warnings for the recalcitrants and dissidents who 
continue to surf the internet.''\32\
    \27\ See, e.g., Open Net Initiative, supra note 18.
    \28\ See generally, Congressional-Executive Commission on China, 
2005 Annual Report, at III(e), http://www.cecc.gov/pages/annualRpt/
annualRptO5/2005-3e-expression.php (last visited 
July 9, 2010).
    \29\ Tim Johnson, In China, Sophisticated Filters Keep the Internet 
Near Sterile, MCCLATCHY, July 13, 2005, http://www.mcclatchydc.com/
2005/07/13/12100/in-china-sophisticated-filters.html.
    \30\ Congressional-Executive Commission on China, 2005 Annual 
Report, at III(e), supra note 28. See also Farrell, supra note 26; 
Kissel, supra note 9 at 243-46.
    \31\ See Bobson Wong, The Tug-of-War for Control of China's 
Internet, http://www.hrichina.org/fs/downloadables/pdf/downloadable-
(last visited July 9, 2010) (describing Chinese citizens who were 
imprisoned for posting information on the internet).
    \32\ Reporters Without Borders, Living Dangerously on the Net: 
Censorship and Surveillance of internet Forums, May 12, 2003, http://
    Given that individual users, content providers, and ISPs can all be 
held liable for illegal content,\33\ each of these entities acts as a 
self-censor, avoiding, monitoring, or deleting content that might be 
illegal. Removing Internet anonymity and requiring identification to 
access the Internet means that China's ``best censorship is self-
censorship.'' \34\
    \33\ See Open Net Initiative, supra note 18 at 15.
    \34\ Matthew Forney, China's Web Watchers, TIME, Oct. 3, 2005, 
available at http://www.time.com/time/magazine/article/
    In addition to China, several other countries have used Internet 
identification requirements to limit or control their citizens' speech. 
In Burma, internet cafes are required to take screenshots of their 
patrons' screens every five minutes, and must be able to provide every 
user's ID number, telephone number, and address if the police request 
them.\35\ In Egypt, Internet cafes must be licensed by the government, 
although the requirements and stipulations of obtaining a license 
are unclear.\36\ Additionally, although no formal policy demands it, 
Internet cafe owners are often coerced through licensing raids into 
recording customer IDs and maintaining them on file. The records are 
not sent to a central database.\37\ In Iran, ISPs are liable for their 
users' activity, and are also responsible for recording all user 
information and IP addresses.\38\ All Internet traffic is also routed 
through the Telecommunications Company of Iran, so it can easily be 
monitored.\39\ In Syria, although other ISPs are available, users 
wishing to use the government-owned Syria Telecommunication 
Establishment (STE) must apply with their government issued identity 
card and supply their username and password.\40\ Internet cafes are 
also heavily monitored, with cafe managers required to take customers' 
personal information (up to and including mother's and father's names) 
and to keep a record of what sites their customers visit. Additionally, 
cafe managers must report any overtly illegal activity.\41\ Just like 
in China, all these identification and tracking requirements must lead 
to self-censorship of politically sensitive speech.
    \35\ Reporters Without Borders, Internet Enemies--Burma, at 3, 
    \36\ See Eric Goldstein, et al., False Freedom: Online Censorship 
in the Middle East and North Africa, Human Rights Watch Vol. 17, No. 
10(E) at 33 (2005) (hereinafter False Freedom).
    \37\ Id.
    \38\ See False Freedom, supra note 36 at 47.
    \39\ Open Net Initiative, Internet Filtering in Iran, 2009, http://
ONI-Iran-2009.pdf at 3.
    \40\ False Freedom, supra note 36 at 75.
    \41\ Reporters Without Borders, Internet Enemies--Syria, at 3, 

II. In the United States, a government-mandated Internet identification 
                    requirement would likely violate the First 

    Anonymity is an important protection to shield the speakers of 
unpopular or controversial opinions. It is settled law that the First 
Amendment incorporates a right to speak anonymously.\42\ A government 
mandated identity requirement would pose a significant threat to the 
ability of users to engage in political speech online. In order to 
place such a burden on the ability of individuals to express political 
speech, the government must show that the proposed burden is the least 
restrictive means of advancing an overriding state interest. Under this 
standard, a program to deter and investigate cyber attacks in which all 
users are required to identify themselves before accessing the Internet 
is unlikely to be constitutional in practice.
    \42\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334 (1994).

A. The First Amendment protects the right to speak anonymously online.
    Anonymous and pseudonymous speech has a long history in the United 
States. Before the American Revolution, much political writing was 
distributed in the form of anonymous pamphlets and later, during the 
debate surrounding adoption of the Constitution, the Founders published 
essays under names such as ``Publius,'' ``Cato,'' and ``Brutus.'' \43\ 
In light of this history, the Supreme Court has recognized a First 
Amendment right to anonymous political speech.\44\ As the Supreme Court 
said in the McIntyre case, while this right to remain anonymous ``may 
be abused when it shields fraudulent conduct. . .our society accords 
greater weight to the value of free speech than to the dangers of its 
misuse.'' \45\ Courts have also recognized that in the area of speech, 
the interest in anonymity outweighs other competing interests, such as 
the interests in preventing fraud, false advertising, and libel. \46\
    \43\ See McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 368 
(1994)(Thomas, J. concurring).
    \44\ Id. at 342.
    \45\ See id. at 357 (citing Abrams v. United States, 250 U.S. 616, 
630-31 (Holmes, J., dissenting)).
    \46\ See, e.g., Talley v. California, 362 U.S. 60, 65 (1960).
    In the current age, the Supreme Court has recognized the important 
role the Internet plays as a means of communication.\47\ People use the 
Internet for a wide range of political and social purposes.\48\ Through 
the use of the Internet, ``any person with a phone line can become a 
town crier with a voice that resonates further than it could from any 
soapbox.'' \49\ Anonymity is an important part of Internet 
communication. ``The `ability to speak one's mind' on the Internet 
`without the burden of the other party knowing all the facts about 
one's identity can foster open communication and robust debate.'' \50\ 
Knowing they might face retaliation, ostracism, or embarrassment, users 
who were forced to identify themselves before engaging in speech on the 
Internet might be deterred from expressing unpopular ideas or seeking 
sensitive information.\51\ As a result of the Internet's importance as 
a communication tool, courts have extended the protections of the First 
Amendment, and specifically the right to anonymity, to online 
    \47\ See Reno v. Am. Civil Liberties Union, 521 U.S. 844, 870 
(1997) (finding that Supreme Court precedent ``provide[s] no basis for 
qualifying the level of First Amendment scrutiny that should be applied 
to [the Internet]'').
Facebook to promote an anti-FARC group in Colombia).
    \49\ Id.
    \50\ Doe v. 2theMart.com, 140 F. Supp. 2d 1088, 1092 (W.D. Wash. 
2001) (citing Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 578 
(N.D. Cal. 1999)).
    \51\ See McIntyre, 514 U.S. at 334; Am. Civil Liberties Union v. 
Miller, 977 F. Supp. at 1230.
    \52\ See e.g., Sinclair v. TubeSockTedD, 596 F. Supp. 2d 128, 132 
(D.D.C. 2009) (``Generally speaking, the First Amendment protects the 
right to speak anonymously. Such rights to speak anonymously apply, 
moreover, to speech on the Internet.'' (citations omitted)); Doe v. 
2TheMart.com, 140 F. Supp. 2d at 1093 (holding ``the right to speak 
anonymously extends to speech via the Internet''); Am. Civil Liberties 
Union v. Johnson, 4 F. Supp. 2d 1029, (D.N.M. 1998) (holding that a 
state statute requiring website operators restrict access to indecent 
materials through use of a credit card, debit account, or adult access 
code violates the First Amendment ``because it prevents people from 
communicating and accessing information anonymously'').

B. Courts have found broad identification requirements on Internet use 
        to violate the Constitution.
    A broad requirement for all users to identify themselves before 
being able to access the internet would almost certainly be considered 
overbroad, insufficiently narrowly tailored to achieve its purpose, and 
unconstitutional. In ACLU v. Miller, the Northern District of Georgia 
considered a state law that criminalized knowingly transmitting data 
while falsely identifying oneself.\53\ The state asserted that the 
statute's purpose was fraud prevention. The court agreed that this was 
a compelling interest, but held that the statute was not sufficiently 
narrowly tailored to achieve its purpose because the statute would 
apply whenever anyone falsely identified themselves, even when there 
was no intent to defraud or deceive. Furthermore, the court noted that 
``the act prohibits such protected speech as the use of false 
identification to avoid social ostracism, to prevent discrimination and 
harassment, and to protect privacy. . .'' \54\ As a result, the court 
held that the statute was overbroad and unconstitutional.
    \53\ 977 F. Supp. 1228, 1230 (N.D. Ga. 1997)
    \54\ Id. at 1233.
    Whereas Miller merely prevented people from falsely identifying 
themselves, in Doe v. Shurtleff the state of Utah sought to require a 
convicted sex offender to affirmatively submit his ``internet 
identifiers'' to the state for inclusion in its sex offender registry. 
This would include all of the offender's email addresses, chat user 
names, instant messaging names, social networking pages, and passwords. 
Once the information was submitted, there were no restrictions on how 
the Department of Corrections could use or disseminate it. There were 
no statutory limits which prevented the Department of Corrections from 
``using the information to reveal the identity of a registrant who had 
spoken online in a non-criminal manner, or to release the information 
to others who wish to do so.'' Although he was a convicted sex 
offender, Doe retained his First Amendment right to speak anonymously 
online and the statute implicated criminal and protected speech 
alike.\55\ Thus, the court held that the statute was not sufficiently 
narrowly tailored to achieve its purpose of protecting children from 
Internet predators and investigating online crime.\56\
    \55\ Id. at 21.
    \56\ Doe v. Shurtleff, No. 1:08-CV-64 TC, 2008 U.S. Dist. LEXIS 
73787, at *23 (D. Utah Sept. 25, 2008).
    These two cases show that where the government attempts to install 
a mandatory identification requirement without limits as to how the 
information can be used, the courts are likely to strike the 
requirement down as overbroad and unconstitutional.

C. Courts have only found Internet identification requirements to be 
        constitutional in extremely limited circumstances involving 
        convicted sex offenders.
    The only courts that have found Internet identification 
requirements not to violate the Constitution have been considering 
extremely limited situations involving the tracking of convicted sex 
offenders on specific websites. The best example of this is the sequel 
to the Shurtleff decision. After the original decision, the Utah 
legislature went back and amended the statute requiring the sex 
offender to submit his Internet identifiers to include new limits on 
how the information could be used and disseminated. The Department of 
Corrections would only be able to use the information ``to assist 
investigating sex-related crimes.'' \57\ In accordance with Utah's 
Governmental Records and Management Act, they would also be able to 
disclose the information to the subject of the record, to anyone 
authorized by the subject, or when the information is subject to a 
court order or legislative subpoena. With these new restrictions in 
place, the court held that the identification requirements ``no longer 
intruded into Doe's ability to engage in anonymous core political 
speech.'' \58\ Because the information could no longer be used to 
monitor Doe's speech, the chilling effect on his speech was diminished 
and the registry was in compliance with the First Amendment.\59\
    \57\ Doe v. Shurtleff No. 1:08-CV-64 TC, 2009 U.S. Dist. LEXIS 
73955, at *5 (D. Utah Aug. 20, 2009) [hereinafter ``Shurtleff II''].
    \58\ See id. at *9-10.
    \59\ Id.
    In a similar case, White v. Baker,\60\ the court struck down a 
requirement for sex offenders to submit all of their Internet 
identifiers as overbroad; however, it provided suggestions for how such 
a statute would pass constitutional muster. The court held that the 
Georgia statute at issue went wrong by requiring all of the offender's 
Internet identifiers. First, the court noted that ``a regulatory scheme 
designed to further the state's legitimate interest in protecting 
children from communication enticing them into illegal sexual activity 
should consider how and where on the internet such communication 
occurs.'' \61\ A requirement to turn over all Internet identifiers 
would include an offender's identification on blogs or on shopping 
websites where communication with children would be unlikely or 
impossible.\62\ Furthermore, there were few limits as to how the 
information, once submitted, could be used or disseminated.\63\ The 
statute allowed the information to be used for undefined ``law 
enforcement purposes'' and even to be disclosed to the public. This 
opened up the possibility that the offender's speech could be monitored 
by government or private citizens, disclosing protected speech that the 
offender chose to engage in anonymously.\64\ Concluding the opinion, 
the court noted that, because the state had a compelling interest, it 
had the ability to enact regulation, provided it was sufficiently 
narrowly targeted at the kind of interactive communications that entice 
children into illegal sexual conduct and the disclosure provisions of 
the statute were narrowed.\65\
    \60\ No. 1:09-cv-151-WSD, 2010 U.S. Dist. LEXIS 25679 (N.D. Ga. 
Mar. 3, 2010).
    \61\ Id. at 48-49.
    \62\ Id. at 49-50.
    \63\ Id. at 50-54.
    \64\ Id. at 52.
    \65\ Id. at 55.
    Investigating cyber attacks is a broad use compared to 
investigating sex crimes and one could easily imagine it turning into 
monitoring of political speech on anonymous message boards or similar 
communications platforms. This would be an especially prevalent concern 
if the government required individuals to submit all of their Internet 
identifiers, as in White. Finally, there would be the ever-present 
specter of a data breach in the government's database, thereby risking 
the exposure of the identities and activities of all Americans on the 
Internet. Given the difficulties in narrowly tailoring the law to meet 
some ill-defined interest in cyber attacks, a mandatory identification 
scheme for Internet use may be possible, but it would probably be 
unconstitutional in practice.

III. Most research makes clear that attribution techniques have 
                    significant limitations.

    So far, I have described how countries will deploy Internet 
attribution techniques for purposes unrelated to cyber security. I have 
also suggested that it would be unconstitutional for the United States 
government to impose an identity requirement for Internet users in the 
United States. Still, there is a clear need in the instance of a cyber 
attack or other types of malicious Internet use to determine the source 
of an attack. As one commentator has said, ``[w]ithout the fear of 
being caught, convicted and punished, individuals and organizations 
will continue to use the Internet to conduct malicious activities.'' 
\66\ But the problem is not easily solved. As Internet security expert 
Bruce Schneier has bluntly stated:
    \66\ Jeffrey Hunker, Robert Hutchinson & Jonathan Margulies, 
Attribution of Cyber Attacks on Process Control Systems, in CRITICAL 
INFRASTRUCTURE PROTECTION II 87, 88 (Mauricio Papa & Sujeet Shenoi 

         Any design of the Internet must allow for anonymity. Universal 
        identification is impossible. Even attribution--knowing who is 
        responsible for particular Internet packets--is impossible. 
        Attempting to build such a system is futile, and will only give 
        criminals and hackers new ways to hide. . . .

         Attempts to banish anonymity from the Internet won't affect 
        those savvy enough to bypass it, would cost billions, and would 
        have only a negligible effect on security. What such attempts 
        would do is affect the average user's access to free speech, 
        including those who use the Internet's anonymity to survive: 
        dissidents in Iran, China, and elsewhere.\67\
    \67\ Bruce Schneier, Schneier on Security: Anonymity and the 
Internet, Feb. 3, 2010, available at http://www.schneier.com/blog/

    As I said earlier, improved attribution techniques may chill 
speech, including dissenting speech in repressive political and 
organizational regimes. This has been acknowledged by many of the 
current participants in the cyber security debate. One group stated 
that the absence of attribution, or ``non-attribution,'' can be ``vital 
to protecting radical ideas and minority views in oppressive regimes,'' 
\68\ and cautioned that the ``[m]echanisms developed to facilitate 
attribution must enforce non-attribution for the purposes of sharing 
opinions and ideas.'' \69\ Another group pointed out that attribution 
exposes political dissidents and whistleblowers to potential 
reprisals.\70\ The Department of Homeland Security has itself made 
clear the need to balance attribution against the need for anonymity 
and free speech.\71\
    \69\ Id.
THE TRAVELING PACKETS 4 (2009), available at http://www.nspw.org/
RESEARCH 69 (2009), available at http://www.cyber.st.dhs.gov/docs/DHS-
    Second, no matter how good attribution technologies are, 
attribution will probably still fail to identify the most sophisticated 
attackers. In the words of one expert group, ``[w]hile anonymizers can 
be defeated in theory, there are numerous practical difficulties to 
achieving attribution when a sophisticated user desires anonymity.'' 
\72\ Another commentator notes that ``[s]mart hackers . . . route 
attacks through countries with which the target's government has poor 
diplomatic relations or no law enforcement cooperation, and exploit 
unwitting, third-party networks.'' \73\ Because sophisticated attackers 
often obscure their trail by routing activities through multiple 
countries, complete attribution capability would require the 
implementation of coordinated policies on a near-impossible global 
    \72\ Hunker, Hutchinson & Margulies, supra note 66, at 91.
    \73\ Kenneth Geers, The Challenge of Cyber Attack Deterrence, 26 
COMP. L. SEC. REV. 298, 301 (2010).
    Finally, improved attribution techniques will probably not be 
effective against non-state enemies, such as the al-Qaeda terrorist 
network. As an initial matter, non-state actors are unlikely to have 
access to the resources necessary to launch successful cyber attacks. 
As Mr. Knake has said, ``al-Qaeda lacks the capability and motivation to 
exploit. . .vulnerabilities'' in our country's critical 
    \74\ Robert K. Knake, Expert Brief: Cyberterrorism Hype v. Fact, 
cyberterrorism-hype-v-fact.html (last 
accessed July 13, 2010).
    On the other hand, some scholars believe that terrorist groups may 
well have access to the sort of sophisticated computer technologies 
needed to conduct cybercrime.\75\ Even if terrorists could get their 
hands on the tools needed to launch a successful cyber attack against 
the United States, improved attribution techniques probably wouldn't 
help us deter them because one of the biggest problems with non-state 
terrorists is that they aren't deterred by the threat of retaliation.
CONGRESS 16 (2008), available at http://www.fas.org/sgp/crs/terror/
RL32114.pdf; Geers, supra note 73, at 302.
    The National Research Council (``NRC'') recently undertook an 
extensive review of cyber security and considered the problem of 
attribution in several instances.\76\ The NRC identified three reasons 
that deterrence by retaliation may be particularly ineffective against 
non-state actors:
OF CYBERATTACK CAPABILITIES (William A. Owens, Kenneth W. Dam & Herbert 
S. Lin eds., 2009).

         First, a non-state group may be particularly difficult to 
        identify. . . . Second, a non-state group is likely to have few 
        if any information technology assets that can be targeted. 
        Third, some groups. . .regard counterattacks as a challenge to 
        be welcomed rather than something to be feared.\77\
    \77\ Id. at 313.

    The NRC concluded:

         The bottom line is that it is too strong a statement to say 
        that plausible attribution of an adversary's cyberattack is 
        impossible, but it is also too strong to say that definitive 
        and certain attribution of an adversary's cyberattack will 
        always be possible.\78\
    \78\ Id. at 41.

    Based on our review of the costs and benefits of attribution 
techniques, there are a few key points to consider:

          The attribution of cyberattacks would greatly assist 
        in facilitating counterattacks.

          The law of war requires an attacked body to attribute 
        the initial attack before a counterattack will be permitted.

          Improved attribution methods would probably increase 
        the ability to deter attacks; however, deterrence would only be 
        effective against individuals or groups who fear retaliation.

          Attribution of activities carried out over the 
        Internet is extremely difficult, and in many cases impossible, 
        to achieve.

          Improvements to attribution methods will most likely 
        fail to prevent technically sophisticated attackers from hiding 
        their identity.

          Because Internet activity may be routed through 
        multiple countries, including those with limited network 
        security resources, complete attribution capability will 
        require the implementation of coordinated policies on a near-
        impossible global scale.

          Improved techniques for achieving attribution of 
        Internet activities will chill dissenting speech in repressive 
        political and organizational regimes.

          Critical infrastructure administrators ought to be 
        more concerned about vulnerability to internal attacks than 
        about vulnerability to attacks from the outside.


    Steve Bellovin, another security expert, noted recently that one of 
the risks of the new White House plan for cyber security is that it places 
too much emphasis on attribution.\79\ As Dr. Bellovin explains:
    \79\ The White House, National Strategies for Trusted Identities in 
Cyberspace: Creating Options for Enhanced Online Security and Privacy 
(Draft), June 25, 2010, http://www.dhs.gov/xlibrary/assets/

         The fundamental premise of the proposed strategy is that our 
        serious Internet security problems are due to lack of 
        sufficient authentication. That is demonstrably false. The 
        biggest problem was and is buggy code. All the authentication 
        in the world won't stop a bad guy who goes around the 
        authentication system, either by finding bugs exploitable 
        before authentication is performed, finding bugs in the 
        authentication system itself, or by hijacking your system and 
        abusing the authenticated connection set up by the legitimate 
    \80\ Steve Bellovin, SMBlog: Comments on the National Strategy for 
Trusted Identities in Cyberspace, July 11, 2010, http://

    While I believe the White House, the Cyber Security Advisor, and 
the various participants in the drafting process have made an important 
effort to address privacy and security interests, I share Professor 
Bellovin's concern that too much emphasis has been placed on promoting 
    I also believe that online identification, promoted by government, 
will be used for purposes unrelated to cyber security and could 
ultimately chill political speech and limit the growth of the Internet. 
Greater public participation in the development of this policy as well 
as a formal rulemaking on the White House proposal could help address 
these concerns.
    Thank you for the opportunity to testify today. I will be pleased 
to answer your questions.

                      Biography for Marc Rotenberg
    Marc Rotenberg is Executive Director of the Electronic Privacy 
Information Center (EPIC) in Washington, DC. He teaches information 
privacy law at Georgetown University Law Center and has testified 
before Congress on many issues, including access to information, 
encryption policy, consumer protection, computer security, and 
communications privacy. He testified before the 9-11 Commission on 
``Security and Liberty: Protecting Privacy, Preventing Terrorism.'' He 
has served on several national and international advisory panels, 
including the expert panels on Cryptography Policy and Computer 
Security for the OECD, the Legal Experts on Cyberspace Law for UNESCO, 
and the Countering Spam program of the ITU. He chairs the ABA Committee 
on Privacy and Information Protection. He is a founding board member 
and former Chair of the Public Interest Registry, which manages the 
.ORG domain. Rotenberg is editor of ``The Privacy Law Sourcebook'' and 
co-editor (with Daniel J. Solove and Paul Schwartz) of ``Information 
Privacy Law'' (Aspen Publishing 2006). He is a graduate of Harvard 
College and Stanford Law School. He served as Counsel to Senator 
Patrick J. Leahy on the Senate Judiciary Committee after graduation 
from law school. He is the recipient of several awards, including the 
World Technology Award in Law.

    Chairman Wu. Thank you very much, Mr. Rotenberg.
    Now it is in order for questions, and first I want to note 
that we in Congress sit on multiple Committees, and as is 
frequently the case where there are two flies flying in the 
Grand Canyon, they collide, and I have votes occurring right 
now in my other Committee and I will have to excuse myself 
after asking this first set of questions, and I aspire to come 
back because this is a very, very important topic that I care 
about very much.
    Secondly, I would like to welcome our friends from Russia 
TV Today. I understand that Russia TV Today has also broadcast 
one of our NASA hearings. It is not unusual for foreign media 
to take a stronger interest in topics of importance to the 
United States more so than American media does at times, and we 
welcome our Russian friends. But we also want to note that the 
usual process is to accredit into the Committee prior to 
attendance, but you are welcome to stay today.
    Now, I think that each of the witnesses referred to both in 
your spoken and oral testimony that there may be some limited 
role for deterrence and that there may be some greater role for 
attribution in protecting legitimate interests on the Internet, 
but that both deterrence and attribution to different extents 
are overplayed in the current discussion. I would like each of 
the witnesses to the extent you can or want to address first 
that opening query about deterrence and attribution.
    Mr. Rotenberg. Well, I will jump right in and I am sure the 
other witnesses will make comments. I cited in my testimony the 
conclusion of the National Research Council report because I 
thought this was a very thoughtful point they were making, 
particularly with non-state actors. They said attribution would 
be difficult. We are talking about entities that are typically 
outside of the United States so you would need an attribution 
technology that is global, not easy to identify outside the 
United States, not much of a technical infrastructure, which 
means that there is not much opportunity to respond, and with 
some of the non-state actors, it is not even clear they 
wouldn't mind being identified. It is almost the exact inverse 
of the model that we had during the Cold War in our 
relationship with the Soviet Union, and I think the National 
Research Council report makes this point very well.
    Mr. Giorgio. Yes, I would like to add, even in the hearing 
background that was put together by the staff, we talk about 
attribution not only from a point of view of identifying the 
person who is on the other side but perhaps just identifying at 
least the location they are coming from. So if you have a 
purist view of attribution, I certainly agree that it is 
extremely difficult technologically to guarantee you know who 
the human person is on the other end, but that doesn't mean 
that some attack attribution technology wouldn't give us lots 
of information which could be used for other purposes such as 
shutting down the computer at the other end independent of who 
is on it. Thank you.
    Dr. Wheeler. If I may speak as well, as I noted earlier, 
there is no possibility of having absolutely perfect defenses, 
so I believe there is value for attribution. On the other hand, 
we have to admit that attribution itself is difficult and there 
are some serious limitations to that as well. You know, 
attackers can cause attacks to be delayed and perform their 
attacks through lots of intermediaries and often can make it 
very difficult to attribute when they don't want to be 
attributed. And so basically I think computer network defense 
shouldn't depend on attribution, it should be part of a larger 
strategy having basically multiple tools in the toolbox.
    Mr. Knake. The only comment I would add is that for the 
last decade our strategy for preventing another major terrorist 
attack on U.S. soil has both been effective and does not in any 
way materially rely on deterrence so I think that may be a 
better model for how we deal with the cyber threat, to focus on 
prevention, to focus on protection, to focus on resiliency 
rather than to focus on trying to deter cyber actors. The only 
other point I would make is that in a lot of cases we don't 
lack attribution, we lack response options. We don't know what 
we should do when we discover that the Chinese have hacked into 
Google in 30 other countries. We seem to have fairly good 
evidence that they did that. We have traced the attack back. We 
have then asked for an explanation and we have not received it. 
I am not sure how better attribution one further layer down 
would help resolve that problem. Similarly, with French 
intelligence or Russian criminals, Nigerian scammers, we know 
their national origins. We simply lack response options and a 
mechanism for cooperating and requiring cooperation 
    Chairman Wu. Thank you very much. Because there are votes 
going on and not only votes for me in my other Committee but I 
am told close votes, I am going to ask one further question and 
then I am going to step out and aspire to return promptly after 
those votes.
    Thank you for your answer to the deterrence and attribution 
question and its utility. Following up on that, I think several 
of you, perhaps all of you have noted that to the extent that 
there is a deterrent utility and that there is a capability for 
attribution, that there is also potentially or there is a 
drastic effect on speech and free flow of information, and I 
think, Mr. Giorgio, you stated in your written testimony that 
there is a necessary tradeoff, and I don't know if others put 
it quite that crisply, but can you address that issue to the 
extent that we put attributability capability into the backbone 
of the Internet that we would be decreasing anonymity, freedom 
of speech and freedom of inquiry? Whoever wants to start with 
    Mr. Giorgio. Chairman, since you referenced me, let me also 
say that I do believe that we need protocols with a lot more 
privacy in them, and I am very troubled by the situation today 
because frankly a lot of people learn information about us that 
they shouldn't need to know in, for example, a financial 
transaction. So it is very important that we build new 
protocols to protect anonymity or privacy, I should say, when 
it is called for.
    Mr. Rotenberg. I should say also, Mr. Chairman, that many 
businesses that operate on the Internet have identification 
requirements. In fact, there is a big controversy right now 
involving the company Blizzard, which offers World of Warcraft, 
and they are now requiring the use of true names for people who 
come in the forums and it has, you know, provoked a big 
discussion about, you know, identity requirements as a way to 
make people a little more hospitable online, but the key point 
here is that whatever decisions private companies might make 
about identification is really very different from a 
government-mandated identification requirement, because what a 
government-mandated identification requirement does is 
basically hold out the specter that if you say something that 
is unpopular and the government can trace it back to you, the 
government can hold you accountable, and I think that is really 
anathema to our view in the United States of freedom of 
expression, and so it concerns us, of course, that a 
government-mandated identification requirement wherever it may 
be imposed in the world could have a similar impact on 
political speech.
    Mr. Knake. I think I would echo those comments, but I would 
also add that I see the equation in need of being reversed. I 
actually think government needs to do a better job of 
protecting the privacy of users in the commercial arena. That 
is where the biggest threat to privacy is today. The reliance 
on anonymity, which is still very, very useful for protecting 
freedom of speech and is useful for protecting freedom to 
access information, is not useful in the context of 
communicating, banking and interacting the way we do online and 
increasingly commercial web operators are tracking their users 
without telling them by downloading cookies onto their 
computers, some very insidious forms, and using other 
geolocation technologies that your browser, your computer, your 
Internet service provider and the services that you are using 
online are all by default not going to tell you that that is 
going on so essentially you surrendered your anonymity without 
knowing it, and in my view, government needs to step in to 
create some form of disclosure that is upfront and obvious to 
the average Internet user that for the free content they will 
be tracked and that will be used to target advertising at them.
    Dr. Wheeler. If I may jump in also, first of all, getting 
back a little bit to the original question, clearly attribution 
technologies have potential to greatly harm anonymity, 
pseudonymity, privacy and so on but it is not the same for all 
the different technologies. Some technologies are much riskier 
than others. I cite probably the more egregious example, 
recording every bit that goes back and forth between a user and 
everything else has radically different effects than storing 
much smaller pieces of information, you know, fingerprints and 
so on. So depending on what is stored and how it is stored 
makes a big difference on the effect on anonymity and privacy 
and pseudonymity.
    Mr. Giorgio. May I make an additional----
    Chairman Wu. Mr. Giorgio, yes.
    Mr. Giorgio. Thank you. You know, I think credibility is 
very important when we decide who to listen to, so whether it 
is the distinguished Members of this Committee or my 
distinguished colleagues, when they speak, I want to listen 
because I know what they have gone to get to the position they 
are in today. So all of that is lost when people speak with 
anonymity, and so I would--and even during emergencies, it 
would be very important to me, for example, if somebody who is 
reporting from ground zero if I have some confidence that they 
are actually at ground zero. So the credibility of listening to 
what people have to say is tied up to some extent in being able 
to attribute who they are, what their past is, how they came to 
be in that position and why we should listen to them, and where 
they are. Thank you.
    Chairman Wu. Thank you all very much. I am going to hand 
over the gavel to the gentlelady from Maryland, Ms. Edwards, 
and before I do that, I will recognize Mr. Smith for his 
    Mr. Smith. Thank you, Mr. Chairman, and I appreciate the 
opportunity, and I would also like to briefly note that it is 
my understanding a follow-up hearing in which we hear from 
NIST, the National Science Foundation and other relevant 
Federal agencies is under consideration, and I would certainly 
like to offer my support for holding such a hearing.
    Regarding the questions that I have, I was wondering if you 
could just share what you think are the best methods for 
tracing the attacks, anyone? Maybe start with Dr. Wheeler.
    Dr. Wheeler. That actually turns out to be more difficult 
than you'd like. I would like to give you a very simple, 
``there it is, there is the one solution,'' and of course, life 
is often more complicated than we wish it could be. Actually, 
what is intriguing, when I started writing this particular 
paper that I mentioned earlier and I submitted as testimony, I 
didn't expect there to be many different possibilities to do 
this, and it turned out in fact there are a very large number, 
and although I haven't worked on this particular area more 
recently, the number can only go up. So there turns out to be a 
remarkably large number of ways, and unfortunately what it 
really turns out to be is, I suspect people aren't surprised 
when you go to technologies, there are various tradeoffs. Some 
of the techniques are particularly helpful for tracking down 
what is called denial of service attacks. You are being 
attacked, sent a lot of messages, maybe from many different 
places, and there is basically constant streaming of data. In 
that case, the very fact that someone is constantly sending 
messages to you and trying to overwhelm your systems means that 
you can try to track back, ``well, I just wait for the next one 
and start looking backwards that way,'' for example. But of 
course, those techniques that depend on that don't work for 
many kinds of attacks where in fact that isn't what happens, it 
is a few messages and all of a sudden your systems are down or 
something terrible has happened. So I don't believe there is a 
single answer. There is a set. And one other good thing about 
that from the point of this particular hearing is that some of 
them are much more egregious or concerning in terms of privacy 
and attribution. Probably one of the more extreme examples I 
guess would be what is informally called hack backs where you 
actually say, ``I am being attacked, I am breaking into the 
computers backwards to find out where that comes from.'' 
Unsurprisingly, that is severely restricted by U.S. laws, as 
well it should be. But sometimes, particularly if those systems 
are under control of outside powers and it is really critically 
important and nothing has been pre-positioned that may be one 
of the few techniques available.
    I will quickly note, though, that a number of these 
techniques fundamentally require pre-positioning. You can't 
wake up in the morning and say, ``I would like to know where 
this attack came from.'' Many of these techniques require 
systems to be already in place before you can do the 
attribution, and I think that is one of the reasons why 
discussions and hearings like this are necessary, because if we 
the United States wish this kind of capability, we are going to 
need to put things in place and thus that requires this kind of 
discussion that we are having today.
    Mr. Smith. Thank you.
    And since I have limited time, I also want to note, Mr. 
Rotenberg, in your testimony you said that no matter how good 
attribution technologies are that it will probably still fail 
to identify the most sophisticated attackers. So I guess I have 
to ask the question, are our efforts futile, and if other 
attribution technologies will not be able to get the job done, 
what are the other options for protecting us from cyber 
    Mr. Rotenberg. Congressman, thank you for the question. I 
don't think they are futile, and I think it is important 
particularly for us to improve our security through education 
and open standards. I think it is important to develop better 
forensic techniques so it is possible to trace back attacks, as 
Dr. Wheeler described. I will also mention that, you know, one 
of the key problems here which was uncovered in a workshop 
shortly after 9/11 that I participated in where people were 
talking about attribution, Admiral Poindexter brought us 
together and said well, how do we solve this problem, and 
someone said well, you could, you know, hash a person's unique 
DNA against every keystroke so that everything that went from 
your keyboard, every single stroke was uniquely defined to, you 
know, tied to a biometric identifier, and people said ``wow, we 
have solved the attribution problem, isn't that great,'' and 
someone said ``well, what if you have a guy standing next to 
the user with a gun telling someone who is authorized to type 
into the keyboard, now what do you do?'' In other words, you 
can have perfect attribution in a hostage situation, and by the 
way, probably a good plot for a movie, and still not be able to 
prevent a smart attacker, which I think reveals really how 
difficult this challenge is. I am not saying we shouldn't 
improve security or pursue good forensic techniques. I just 
think it would be a mistake for practical reasons in addition 
to human rights reasons to place too much emphasis on 
    Mr. Smith. Okay. Thank you.
    Ms. Edwards. [Presiding] Thank you, and thank you to all 
the witnesses today. I just have basic questions kind of as a 
consumer. All these questions revolve around balancing the need 
for security against the protection of privacy and so where do 
you strike that balance.
    Mr. Rotenberg, I wonder if you could tell me, almost every 
website on the Internet uses cookies to collect data over 
activity. As a consumer I know I get to make a decision, do I 
really want to type in all of that personal information that 
they ask me or go through the list of things until I find out 
that I actually don't have to give them that information at all 
unless, if I check the box way down at the bottom after 
scrolling and scrolling and scrolling, and then you get free 
services in exchange for turning over all of your information 
and so there are instances, for example, where the user wants 
to do that and so they make a decision. There are other 
instances for some reason to get something sent to your home, 
the commercial enterprise has to have it, otherwise they can't 
mail what it is that you want. And so how is that the need to 
protect the user privacy being as important as it is can the 
Federal Government help me, the average Internet user, 
understand what my options are and what the consequences are 
for sharing that information, for sharing it at that moment, 
but also the longer term consequences once that information is 
housed someplace or other or shared with some other source?
    Mr. Rotenberg. Congresswoman, thank you for the excellent 
question. While on the national security side I imagine there 
is a sense that there is not enough attribution, I can tell you 
on the consumer side, there is a sense that there is way too 
much attribution, which is to say that when someone does a 
Google search, you simply type in, you know, apartments, 
Virginia, because you are interested in trying to find an 
apartment in Virginia. I bet no one has any understanding or 
very few people do that at that moment in time Google will 
record the time and the day when the search was made, the 
search query, the cookie tied to the user ID. If they have a 
unique identity, the IP [Internet Protocol] address for the 
device, that will also be recorded. All of this information 
will be collected and stored by the company for every single 
search and kept for months and maybe years building this 
enormous profile, and from the privacy perspective, we think 
that is very invasive. It even creates some security risks if 
the information is misused. In fact, part of the great concern 
about network vulnerability, Google's experience in China was 
that they essentially lost control over a lot of sensitive 
information because of internal vulnerabilities that were 
exploited. That information that they lost control of included 
a lot of personal data on Google users. So we think on this 
side, the government actually has a role in protecting consumer 
privacy by limiting the amount of data that is being collected 
and giving people more control over that data.
    Ms. Edwards. Thank you.
    And then Mr. Giorgio, you mentioned in your testimony that 
the bulk of the privacy concern is actually directed at our own 
government. I was reading, I think just in the last day or so, 
about the National Security Agency program, Perfect Citizen, 
and while there is this need obviously to safeguard our 
infrastructure, whether it is our nuclear plants, the power 
grid, etc., there is a concern that using a tool like that 
could then really impede on all of our individual privacy 
giving up that anonymity that you have described as a 
constitutional protection but we have to rely on the government 
to really protect us from all the bad actors. So I wonder if 
you could discuss the difficulties in achieving both security 
and privacy, especially when the bad guy of one concept is the 
protector of the other and in an environment where if the bad 
guys are operating in concert, that is kind of one thing, but 
we have a whole bunch of just bad actors, whether they are from 
Nigeria trying to get my mother's money or from someplace else, 
and those set of actors may be uncoordinated, they may be 
individuals, and to draw a national security concern around 
trying to protect against those kind of actors is, I think, a 
little complicated.
    Mr. Giorgio. Yes. Thank you, Congresswoman. I couldn't 
agree more. When Mr. Rotenberg just made his point, I agree 
with him that we may fear government least of all. It is these 
companies who have all these databases that are a true threat 
to us. And if we look at what is happening in many of these 
databases that are being collected, for example, all the 
databases that bind our physical location to our use of 
wireless devices such as cell phones, these are all in the 
hands of the private sector, and it is quite easy, and in this 
country they are in the hands of the private sector. I wouldn't 
go overseas and wander about with a cell phone turned out, you 
know, if I wanted to protect my anonymity or privacy, and so I 
see it over and over again that there is a myriad of bad actors 
out there, the least of which may be government, and as you 
point out, government does have a role to protect our critical 
infrastructure but I am not sure they are the greatest threat 
to our privacy.
    Ms. Edwards. Mr. Rohrabacher, I think you are up.
    Mr. Rohrabacher. Thank you very much.
    You know, the last point that was made was very 
interesting. If you are in a relatively free society, that may 
be true. In a relatively dictatorial society, the opposite is 
true. And the idea of how you--what you demand of people who 
involve themselves in this arena of affairs in a society, it is 
a very complicated issue and it is, for example, where I happen 
to believe in the maximum degree of individual freedom. I can 
also understand that in France, for example, they don't want to 
say women shouldn't wear a burka, all right, but there are some 
national security implications to that rather than just 
cultural implications as well. We don't permit people to go 
around hiding their identity as they are walking around the 
street, or do we? Do we in this society?
    Mr. Rotenberg. Well, it is a very interesting point, 
Congressman. Actually the United States unlike most other 
countries does not allow its police to ask people on the street 
to present identity documents.
    Mr. Rohrabacher. Right.
    Mr. Rotenberg. There actually has to be some suspicious 
activity that provides a reason for the police to be able to 
say to someone, may I see, you know, some identification. It is 
not true in most countries. In many countries, you can be asked 
without suspicion to identify yourself.
    Mr. Rohrabacher. I am wondering if a person wearing a mask, 
if that would be suspicious activity.
    Mr. Rotenberg. Yes, it is, and we actually do have anti-
mask laws in many states in the United States, so that is 
generally not permitted. But as for your identification, that 
is something that we tend to allow people to keep to 
    Mr. Rohrabacher. This is of course what we are talking 
about, cyber attacks. It is very similar to the idea, the 
challenge faced by the entertainment industry of people who are 
unlawfully making copies and downloads of material. I guess 
that is sort of a cyber attack. Is there technology that any of 
you know about that you believe that--is this a technological 
solution rather than a government regulatory solution?
    Mr. Giorgio. So there are problems that require 
authentication and authorization, knowing who people are and 
what they have access to do, and there is a tremendous amount 
of very good security research and in fact solutions today that 
provide these strong access controls. Digital rights 
management, which protects music, you know, is one form of 
those controls. The goal of those controls is not dissimilar to 
the DoD goals of trying to protect information. So as 
technology gets developed in various places, it is frequently 
leveraged for other purposes.
    Mr. Rohrabacher. Is the technology solution a wall or is it 
a retaliatory strike, you might say, against someone who has 
come into your system?
    Mr. Rotenberg. Well, in the copyright arena, it is actually 
a tracking technique. As Mr. Giorgio mentioned, digital rights 
management is much like a watermark and it basically allows an 
entity both to assign its ownership of a product, of a digital 
product and also identify who the appropriate user is. So if it 
is in the possession of someone who didn't properly acquire the 
song or the movie, they will essentially be tracked down 
through that digital watermark.
    Mr. Rohrabacher. Is it possible in dealing with the hackers 
and dealing with these types of cyber attacks to have a 
situation if someone doesn't have an authorization to be where 
they are electronically that there is an instant retaliation 
against their own equipment, meaning a disintegration of the 
system that is the vehicle for this aggression?
    Mr. Giorgio. So that capability is possible. You know, 
whether or not it is actually done anywhere, I don't know.
    Mr. Rohrabacher. Is that something that we should strive 
    Dr. Wheeler. This is David Wheeler. Is it possible? I agree 
with him, yes. Should we do it? I would be extremely hesitant. 
As I noted in my paper, attribution is something that although 
it can be done, there is also the risk of misattribution, and 
indeed, for some attackers, that may be actually their primary 
goal is to try to accomplish misattribution, perform their 
attack and cause misattribution of the attack.
    Mr. Rohrabacher. Oh, I see.
    Dr. Wheeler. And so therefore that doesn't mean under no 
possible circumstance could we never imagine this but I would 
be very hesitant about installing such an automatic 
counterattack system generally for most kinds of--you know, 
certainly for military systems you want a human in the loop 
double-checking first.
    Mr. Rohrabacher. Well, just one note, and I know my time is 
up after this, and I don't know how to pronounce your--is it--
    Mr. Knake. Knake.
    Mr. Rohrabacher. Say it again.
    Mr. Knake. Knake.
    Mr. Rohrabacher. Okay. I have surfer's ear in this ear and 
I have trouble----
    Mr. Knake. I am sorry. It is Knake.
    Mr. Rohrabacher. Knake. You mentioned that efforts made 
after 9/11 actually identifying methodologies actually had a 
major impact in preventing another 9/11. I would suggest it is 
not just identification, however. It is identification and 
retaliation. If we just had identified potential al Qaeda 
terrorists since then and let them be, we would have had 
another 9/11. We aggressively sought them out and in some cases 
killed them, which was good, or sent them to Guantanamo, which 
is debatable, but there was actually an action taken so the 
identification isn't the only step that needs to happen if we 
are to protect ourselves from the electronic type of 
aggression. You can answer that if you would like.
    Mr. Knake. Thank you, sir. I think that is absolutely 
right, and I think I would go a step further. Prior to 9/11, 
the United States roving ambassador for counterterrorism, 
Michael Sheehan, delivered a very stern message to the Taliban 
which was essentially, if we are attacked by al Qaeda who plan 
their attack on your soil, we will hold you responsible for 
that. The Taliban did not get that message until after 9/11 but 
we followed through on that. So essentially we assigned 
responsibility to the Taliban for the activities carried out by 
a terrorist organization on their soil. Their failure after 9/
11 to cooperate with apprehending bin Laden resulted in the 
invasion of their country. So I think it is actually very 
analogous to the situation we want to move to in cyberspace 
where if a country refuses to cooperate in an investigation 
that attributes the attack to a system or an individual in 
their country, we in turn hold them responsible for it.
    Mr. Rohrabacher. Thank you very much. That was very astute, 
and I appreciate you permitting me, Madam Chairman, the right 
of questioning because I am not a member of this subcommittee. 
But thank you for allowing me to do that.
    Ms. Edwards. Thank you, Mr. Rohrabacher.
    I just have one question. We are going to take one 
question. We have been called for votes. The Chairman will come 
back and so we are actually going to recess. He is on his way 
back and so I am just going to stall and ask my question.
    Mr. Giorgio, it is actually an important question. You 
discussed the need for standards in a lot of areas and you say 
that government should actually invest in this development but 
allow standards development organizations like the Internet 
Engineering Task Force to develop them through normal 
processes, but Mr. Knake has testified to the difficulties 
involved in using these processes to produce standards, 
specifically new protocols and advocates for more government 
involvement. How can the Federal Government better protect the 
development of consensus-based standards?
    Mr. Giorgio. So Mr. Knake is quite accurate on that point. 
It is extremely difficult to get these standards pushed through 
the standards bodies, even when various governments are behind 
them. So I think--but first and foremost we have to develop the 
technology that will allow us to propose those standards in the 
first place. In parallel, we have to work with the standards 
committees, however difficult that is, and try and influence 
the course of those standards.
    Ms. Edwards. Mr. Knake, there are just so many different 
agencies, though, whether you are talking about the DoD, the 
FBI, I mean, just all of these various agencies that all use so 
many different tools. I mean, it does feel very daunting to 
then create a standard for the multiple tools that are used 
within these agencies. Do you have any comment about that?
    Mr. Knake. I certainly would recognize the problem that you 
are highlighting. I think in a couple of areas, however, it is 
a narrower issue, particularly for the main suite of Internet 
protocols which are universal, and I think we have a fairly 
good set of what are the security problems with those protocols 
and how they should be addressed, essentially how do we secure 
them to a standard to which they cannot be abused but not to a 
standard in which attribution becomes ironclad across the 
Internet, and so that is the area where I think we need to 
return to a situation of more government intervention. These 
protocols were initially developed for the Defense Department 
with U.S. government funding. I think a similar initiative now 
would be in order in an effort to address the vulnerabilities 
that were introduced in that original protocol suite.
    Ms. Edwards. Thank you very much, and I see the Chairman 
has returned and so I will let him take it from here, and thank 
you very much.
    Chairman Wu. We have about seven minutes before Floor 
votes, and I frequently talk about having three rings going in 
this particular circus at any given time, at least when we are 
here in Washington, and that is why it takes more time when we 
are home in our districts because we can only do one thing at a 
time there. I have several more questions. If the minority does 
not, I will try to get my questions in before we go vote on the 
Floor, but let us see how we do.
    Based on both your spoken but particularly your written 
testimony, I get the impression that you all are of the opinion 
that there is limited utility of any particular security 
technique, and that some combination of techniques would afford 
us potentially the best combination of security and privacy. Is 
that roughly accurate?
    Mr. Rotenberg. Yes.
    Dr. Wheeler. Yes.
    Chairman Wu. Okay. If that is the case, is it further sort 
of what you overtly state or what you imply that perhaps we 
have a system of networks in our country or in the world which 
are best served by different degrees of security and privacy/
anonymity, that is, we might set a different standard for those 
networks dealing with publicly available information or 
journalism or blogs and opinions, we might set a higher 
standard for networks dealing with utilities, the power grid or 
banking or financial transactions and we might set again an 
even higher standard for, let us say, DoD or NSA types of 
networks. Can you address that?
    Mr. Rotenberg. Well, Mr. Chairman, I think there are a 
couple different ways to think about it. Certainly we have 
within the United States and in the military community, for 
example, secure networks that are essentially not connected to 
the public open Internet, but with respect to the public open 
Internet, I think as much as possible we want to keep systems 
connected because of all the benefits that the Internet 
provides and place the added security obligations at the end 
points. In other words, if there are applications or 
organizations or entities that have needs for enhanced 
security, for example, a password and user ID is a simple one, 
you know, place the responsibility there, and as much as 
possible maintain the common protocols of the public Internet 
for general use. Now, that is not to say, as I said at the 
outset, that clearly there will be segregated networks for 
specialized purposes but I am concerned as, you know, Vint Cerf 
and others have expressed concern about the possible 
balkanization of the Internet if we start carving things up too 
much. Literally separating parts of the network out from other 
parts, we will lose a lot of the benefit.
    Mr. Giorgio. Sir, I am on the DARPA [Defense Advanced 
Research Projects Agency] oversight board with Vint Cerf on an 
issue related to this, and I completely agree with Mr. 
Rotenberg that, you know, we have to preserve as much as 
possible for common use, okay? However, when somebody is 
providing a service at one end of the network and somebody 
somewhere else in the world is trying to use that service, it 
is the responsibility of that endpoint to enforce the protocol 
that they will demand that person to use. So they might be on 
the same backbone but we might have very different protocols 
running through that and effectively have different networks, 
but we don't want to physically separate them, and I think Marc 
said the same thing.
    Dr. Wheeler. If I can jump in here also, I very much by the 
way agree that there are different levels of anonymity, privacy 
desires comparing, say, the public Internet versus, say, you 
know, a network inside the DoD that involves classified 
information or weapons systems or something. You would expect a 
whole lot less anonymity in the latter situation. I think the 
interesting thing is that there is somewhat odd good news that 
attribution often tends to be a lot easier against insiders. We 
were talking about this before while you were out, Congressman 
Wu, but many of these attribution technologies fundamentally 
require pre-positioning. You have got to put the technology in 
place ahead of time. That tends to be easier to do inside a 
smaller closed network. The DoD is of course large but 
nevertheless it is certainly not as large as, say, the United 
States as a whole or some such and therefore when you have a 
smaller network, you can treat it as inside an organization. It 
is much easier pre-positioning things. And so in that sense, at 
least, you can put attribution technologies available that 
perhaps at least will tell you well, he is inside and there he 
is, or he is outside and now at least maybe I should start 
closing off the gates for them to come inside.
    Chairman Wu. Some of you have addressed the need for 
standards for the operation of anonymity services like Hotspot 
Shield, and I think the argument is that because these services 
make it easier for folks to do all sorts of things anonymously 
that there is an interest in different forms of access or 
identifiers in order to gain this level of anonymity, and there 
may be a difference of opinion on this issue and I would like 
to have that specifically addressed.
    Mr. Rotenberg. Well, let me say that, you know, pure 
anonymity means that you really can't trace back to the user. 
Now, there are a lot of escrow-style configurations where you 
can allow people to conceal their public identity but still put 
a responsibility on a service provider to say, for example, 
with a warrant we now need to know who this person is and this 
isn't true anonymity but it gives, you know, many of the 
elements of anonymity. Here is the hard problem. You know, true 
anonymity, which we think is important, will protect the 
political dissident in a country that is hostile to the 
person's views and may in fact imprison the person if his 
identity is known. Pure anonymity will also protect the 
pedophile who is trying to distribute images on the Internet 
and should be prosecuted and imprisoned. And do you see in this 
one tool, you know, there is one application that we would 
value very much and another application that we would try to 
prevent, and if we go the half step in and we say, well, maybe 
we should allow this through a pseudonym escrow service, it 
will be easier to catch the person engaging in the transfer of 
child pornography but it will also be easier to catch the human 
rights advocate. It is not a simple problem.
    Chairman Wu. Well, that is what I was thinking about in 
reading the testimony. One of the trapdoors is, if you get a 
legitimate judicial decree asking for identification in 
connection with a crime, well, we in our society would view 
pedophilia as very legitimate for such a judicial decree, and 
it is my impression that there are other countries where for 
what we view as vague crimes like breach of state security 
which can cover a whole host of activities that in this country 
we view as legitimate that that may result in the issuance of a 
valid judicial decree, and the question is, how does the third 
party respond to such a judicial decree which on its face these 
two decrees are indistinguishable?
    Mr. Rotenberg. That is the dilemma.
    Mr. Giorgio. I think we need to rely on other types of 
third parties in these circumstances. It might be perfectly 
okay for me to positively identify myself to my identity 
provider but then perhaps that identity provider could enable 
me to talk to a search agent, for example, and maintain my 
privacy. The identity provider might be blind to everything I 
do and the search--the service doing the searching for me 
doesn't know who I am but yet because that privacy is provided 
to me by a third party.
    Mr. Knake. I would only add that if what you are looking 
for is anonymity, there is a limited number of reasons that you 
really need that. It is freedom of speech, it is access to 
information. So restricting the ability to use these services 
for transactions can cut down on a lot of criminal behavior and 
a lot of network infiltration.
    Chairman Wu. If there is no further answer on this 
question, the rules of this Committee preclude us from 
recessing and reconvening without a minority Member present, 
and since that apparently is not possible, I am going to 
adjourn this meeting momentarily. I do want to point out--well, 
there are many additional questions, many additional topics to 
be covered. You all have prepared very thorough presentations, 
and it is normally the practice of this Subcommittee in 
addition to asking many questions to give you all an 
opportunity to say anything in addition that has not been 
asked. We apparently will not have that opportunity today. 
There will be written inquiry of each of you. In particular I 
am curious as to the confidence that the legal analyses that 
some of you all have presented, your level of confidence since 
these are district court opinions, and I also want to commend 
the law clerks for having done a fine job. I just want to add 
that I think there is enough material here for an interesting 
law review note or maybe several law review notes, and also in 
particular I would like to have addressed the role of 
international agreements, international standards and 
agreements about what constitutes a breach, what constitutes an 
attack, and what kind of standards there should be for the 
various technologies for attribution or otherwise, and finally, 
I think that addressing the issue of standards in general needs 
to be further fleshed out.
    I want to thank you all for your presence, for your 
tolerance for the wrinkles in Congressional operation, and as I 
said to some of you before the hearing began, you prepared 
very, very thoughtful, thought-provoking and dense materials. 
It is as if I were trying to reduce to five or ten pages how 
Congress really works, the version that is not in your high 
school civics textbooks. It would require a lot of parsing of 
what is between the lines.
    I want to thank you all very much for being here today. The 
Subcommittee hearing is adjourned.
    [Whereupon, at 11:19 a.m., the Subcommittee was adjourned.]


                   Answers to Post-Hearing Questions

Responses by Dr. David A. Wheeler, Research Staff Member, Information 
        Technology and Systems Division, Institute for Defense Analyses

Questions submitted by Chairman David Wu

Q1.  Information sharing is critical for success in cybersecurity, 
whether it supports attribution of attacks or awareness of 
vulnerabilities. How important is it to have common nomenclature, 
common metrics, and standard sharing methods for success in information 
sharing? How should these different elements be developed, which 
government agencies should be involved, and what roles should they play 
throughout the process?

A1. In any technical endeavor it is important to have some common 
nomenclature, common metrics, and standard sharing methods in the areas 
most important to the task. In many cases these should be developed 
through a partnership between government, industry, and academia. The 
government organizations that should be involved should include those 
in charge of defending the country and/or involved in information 
technology (IT) standards. These government organizations include the 
Department of Defense (DoD), the Intelligence Community (IC), the 
Department of Homeland Security (DHS), and the National Institute of 
Science and Technology (NIST).

Q2.  Many of you have discussed the need for new internet protocols to 
be built on the concepts of security, authentication, and attribution. 
What parties would help develop and implement these protocols and what 
would their roles be? Who would use these new protocols and would 
multiple protocols diminish the utility of the internet?

A2. I do not believe there is a need to replace the existing suite of 
Internet (``TCP/IP'') protocols with radically different protocols. 
Even if this were desired, the cost and effort to make this switch 
would exceed any likely benefits. For example, organizations are 
currently adding support for version 6 of the Internet Protocol (IP), 
in addition to version 4, yet this minor change is taking more than a 
decade to complete. Thus, instead of wholesale replacement, there is 
primarily a need to develop new protocols (for new functionality) that 
build on top of the existing protocols. In a few cases there may need 
to be extensions of existing protocols (to add new capabilities) but 
this is still different from replacement.
    There are already standards-setting bodies whose purpose is to 
develop and promulgate Internet protocols, such as the Internet 
Engineering Task Force (IETF) and the World Wide Web Consortium (W3C). 
The government, industry, and academia should gather within these 
standards-setting bodies to help develop the specifications of these 
protocols. Where attribution-related standards are involved, 
``attribution techniques that pose less danger to privacy should be the 
ones most encouraged.'' \1\
    \1\ Wheeler, David A. and Gregory N. Larsen, ``Techniques for Cyber 
Attack Attribution,'' Institute for Defense Analyses Paper P-3792, 
October 2003 (hereinafter referred to as ``IDA 2003''). Section 3.13.
    The internet already has many protocols; as long as each protocol 
performs a specific task not performed by others, this is not a 
problem. However, having multiple incompatible protocols with the same 
functionality does bear the risk of diminishing the utility of the 
internet, due to incompatibilities between parties.
    The key mechanism to countering such incompatibilities is for users 
to insist that their systems, including all network protocols, must be 
built using open standards. ``Standards should be publicly defined and 
held. This way, no single vendor controls others, permitting 
competition.'' \2\ Any patents possibly present on parts of the 
standard must be made irrevocably available on a royalty-free basis. 
This is because a ``standard that cannot be implemented without a 
patent license gives a special advantage to the patent holder(s). Such 
patents constrain or prevent competition, and thus undermine the 
advantages of standards listed above'' \3\. There must be no 
constraints on the use and re-use of the standard (since such 
constraints would threaten to balkanize the Internet). The standard's 
specification document should be available without fee over the 
Internet (the IETF and W3C already do this), enabling all to copy, 
distribute, and use the standard freely.\4\
    \2\ [IDA 2003], section 3.7.
    \3\ [IDA 2003], section 3.7.
    \4\ This definition from Digistan is available at 
http://www.digistan.org/open-standard:definition, and is a clarification of 
the definition by the European Union (EU) European Interoperability 
Framework (EIF).
    Many attribution ``techniques are immature and will require funding 
before they are ready for deployment. If the [government] wishes to 
have a robust attribution capability, it must be willing to fund its 
development and deployment.'' \5\
    \5\ [IDA 2003], section 4.

Q3.  Please discuss how the level of confidence can have an impact on 
the utility of attack attribution. Please relate the level of 
confidence to the spectrum of available responses including diplomatic, 
economic, cyber, and kinetic.

A3. Responses that are especially damaging or non-reversible, such as 
kinetic responses, should be avoided unless the attribution confidence 
is extremely high, typically through confirmation by multiple methods.
    One issue that must be kept in mind is that attackers may ``wish to 
cause misattribution as their primary purpose, rather than actually be 
successful at the attack. For example, if there is already tension and 
conflict between two adversaries (e.g., two countries A and B), a third 
party (C) could try to attack one (A) and cause the attack to be 
misattributed to the other party (B). Thus, the third party could 
escalate a conflict between others simply by forging attacks.'' \6\
    \6\ [IDA 2003], section 3.15.3.
    Ideally, ``an attribution process would also report the confidence 
level in the attribution, but this information is often not 
available.'' \7\ In some cases, using multiple techniques and using 
techniques that resist misattribution can increase confidence. 
Fundamentally, however, ``computer network defense should not depend on 
attribution. Instead, attribution should be part of a larger 
defense-in-depth strategy.'' \8\
    \7\ [IDA 2003], section 3.15.3.
    \8\ [IDA 2003] section 4, conclusion 2.

Q4.  Are there any other thoughts or issues you would like to share 
with the Committee on attack attribution and cybersecurity?

A4. As noted in my paper, a good first step would be to ``change the 
terrain'' of our computer networks so that attacks are less likely to 
be successful or are more difficult to hide. We need to harden our 
information technology (IT) systems (including clients, servers, and 
network components) to resist attack far better than they currently do. 
This is partly because this reduces the need for attribution, and 
partly because this makes them more difficult to exploit as 
intermediaries. We should harden our routers and hosts so that 
attribution is easier (e.g., limit the use of spoofable protocols and 
disable broadcast amplification/reflection). Finally, we should 
consider implementing network ingress filtering on government networks 
at all levels, so that data packets cannot cross between networks 
unless they truly could be from the claimed network.\9\
    \9\ See [IDA 2003], especially section 4, conclusion 6.
    We should decrease the number and impact of vulnerabilities in 
commercial software (both proprietary and open source software) we use, 

        1.  Education. We should try to ensure that all software 
        developers know how to develop secure software. This knowledge 
        includes knowing the common mistakes and methods to prevent 
        these mistakes. Since the U.S. economy depends on software and 
        nearly all software connects to a network or uses data from a 
        network, practically all software developers now need this 
        knowledge. Unfortunately, secure software development education 
        is often available only as an optional graduate-level course.

        2.  Improved tools and standards. We should enhance software 
        development tools (such as programming languages and key 
        libraries) and their standards so that writing secure software 
        is much easier, mistakes leading to vulnerabilities are much 
        less likely, and mistakes are easier to detect before the 
        software is released to users.

    The government should consider becoming even more involved in the 
development and deployment of open standards. It is currently 
government policy to encourage the use of commercial items where 
applicable, for reasons that are well-understood. However, commercial 
items are less likely to support government needs and concerns if the 
standards they are based on were not developed with those 
considerations. The government has unique needs and concerns, both as a 
user and as a representative for the people of the United States, 
including issues around cybersecurity, privacy, and anonymity. It 
should be noted that in some cases the government is already involved 
in standards development, and in some cases the government asks if the 
commercial products it buys meet the relevant standards. However, to 
ensure that commercial products will be suitable for its own use and 
use in the country, the government should ensure that it has ``a seat 
at the table'' when key information technology standards are set, 
ensure that those standards are open standards, and require that the 
commercial items it purchases correctly implement the relevant 

Questions submitted by Vice Chair Ben R. Lujan

Q1.  The Fourth-generation of cellular wireless network standards being 
developed uses the internet protocol suite and would extend the 
internet to cellular devices. What are the implications of this 4G 
standard for this discussion on privacy and attribution?

    The Internet protocols have long been demonstrated and used for 
wireless communication. Indeed, DARPA experiments in the 1970s 
demonstrated that packet radio networks could interact with other 
networks using protocols that eventually became the Internet protocols. 
However, I have not evaluated the 4G standards in depth for their 
implications on privacy and attribution, so I cannot give a specific 
answer about the 4G standards. If the government is concerned about the 
privacy or attribution effects that 4G standards could have on itself 
or its citizenry, it should be involved in the development of those 


                   Answers to Post-Hearing Questions
Responses by Mr. Robert Knake, International Affairs Fellow, Council on 
        Foreign Relations

Questions submitted by Chairman David Wu

Q1.  Information sharing is critical for success in cybersecurity, 
whether it supports attribution of attacks or awareness of 
vulnerabilities. How important is it to have common nomenclature, 
common metrics, and standard sharing methods for success in information 
sharing? How should these different elements be developed, which 
government agencies should be involved, and what roles should they play 
throughout the process?

A1. In my view, we need to move beyond information sharing as the 
answer to addressing cybersecurity. Along with ``public-private 
partnerships'', information sharing has been called out as the solution 
to cyber security for the last two decades. The idea is that once 
companies and individuals are informed about threats and 
vulnerabilities, they will be armed with the information they need to 
improve security. That was a good theory but it is one that has turned 
out to be proven wrong by the facts. Information sharing is in fact 
quite good in cybersecurity. At last count, there were more than thirty 
partnerships between the Federal Government and the private sector to 
share information on cyber security. The National Institute of 
Standards has done an excellent job of providing standard nomenclatures 
for policy makers and practitioners. Efforts such as the National 
Vulnerability Database and the Common Vulnerabilities and Exposures 
naming standard provide the technical means for exchanging information. 
Information sharing is good. It is getting better. We now need to take 
a hard look at why better information sharing hasn't led to better 
cybersecurity and then develop remedies.

Q2.  Many of you have discussed the need for new internet protocols to 
be built on the concepts of security, authentication, and attribution. 
What parties would help develop and implement these protocols and what 
would their roles be? Who would use these new protocols and would 
multiple protocols diminish the utility of the internet?

A2. I believe that the current iterative, consensus-based process 
through the Internet Engineering Task Force for the development of 
protocols is broken. By way of example, look at DNSSEC. The security 
flaws in the Domain Name System (DNS) that DNSSEC is designed to 
address were first discovered in 1990. It took another decade to 
develop the first specification for DNSSEC. In 2010, we are just taking 
the first meaningful steps to implement the solution and it will likely 
take another decade for widespread adoption. In my view, government 
needs to set the goals, fund the research, and then require 
implementation. The argument that the pace of innovation is too fast 
for government regulators to keep up with is patently untrue given the 
thirty-year timeframe to develop and implement DNSSEC. I believe that 
the U.S. government should lay out a technical challenge to the IETF on 
a strict timeframe to develop a secure suite of protocols, fund the 
development, and require implementation.

Q3.  Please discuss how the level of confidence can have an impact on 
the utility of attack attribution. Please relate the level of 
confidence to the spectrum of available responses including diplomatic, 
economic, cyber, and kinetic.

A3. With existing technologies, we can have a high degree of confidence 
in our ability to trace an attack back to a system. The difficulty is 
in determining both the originating system and the human at the 
keyboard. In almost every conceivable cyber attack, we will be able to 
trace the attack back to at least the first system and then ask the 
host country for assistance with further investigation. If they refuse, 
we can say with confidence that they are uncooperative and assign them 
responsibility. Ultimately, attribution back to the originator of the 
attack may take time, particularly for the President and Congress to 
authorize diplomatic, economic or kinetic responses outside the cyber 
domain; however, as in our response to the terrorist attacks of 9/11, 
we may respond ``at a time of our choosing'', once we have enough 
confidence to act.

Q4.  Are there any other thoughts or issues you would like to share 
with the Committee on attack attribution and cybersecurity?

A4. Not at this time.

Questions submitted by Vice Chair Ben R. Lujan

Q1.  The Fourth-generation of cellular wireless network standards being 
developed uses the internet protocol suite and would extend the 
internet to cellular devices. What are the implications of this 4G 
standard for this discussion on privacy and attribution?

A1. I am not familiar enough with this issue to provide a meaningful 

                   Answers to Post-Hearing Questions
Responses by Mr. Ed Giorgio, President and Co-Founder, Ponte 

Questions submitted by Chairman David Wu

Q1.  Information sharing is critical for success in cybersecurity, 
whether it supports attribution of attacks or awareness of 
vulnerabilities. How important is it to have common nomenclature, 
common metrics, and standard sharing methods for success in information 
sharing? How should these different elements be developed, which 
government agencies should be involved, and what roles should they play 
throughout the process?

A1. Common nomenclature and metrics are extremely important to move the 
current state forward. Standards have been very difficult to achieve in 
this area due to the vested interests of the private security service 
companies who want to develop these standards as their individual 
intellectual property and only make them open source after they have 
achieved sufficient market penetration. In some cases these private 
companies have no interest in standards at all because they don't want 
their systems to easily interoperate with competitor systems as that 
might cause them to eventually be marginalized. This resistance can be 
overcome by government activities such as the Security Content 
Automation Protocol (SCAP) currently underway by NIST, NSA, and others.
    SCAP details can be found on the NIST web site. In short, SCAP is a 
synthesis of interoperable specifications derived from community ideas 
and is initially focused on vulnerability management. Subsequent 
activity will expand to include compliance, remediation, and network 
monitoring. Existing SCAP standards include Common Configuration 
Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), Open 
Vulnerability and Assessment Language (OVAL), Common Vulnerability 
Scoring System (CVSS) and others.

Q2.  Many of you have discussed the need for new internet protocols to 
be built on the concepts of security, authentication, and attribution. 
What parties would help develop and implement these protocols and what 
would their roles be? Who would use these new protocols and would 
multiple protocols diminish the utility of the internet?

A2. As mentioned in my testimony, government cannot by itself mandate 
changes in underlying infrastructure technologies (Ex. IPv6). DARPA, 
NSA, NSF, and the research elements supported by the Comprehensive 
National Cyber Initiative all should be working to research and develop 
new capabilities. These could be researched, designed, implemented, 
piloted, and ultimately become operational on DoD and Intelligence 
networks, where attack attribution is far more important.
    New protocols based on the above research should be introduced 
through the IETF, as this process is the most likely to encourage 
commercial acceptance and deployment into worldwide networks. For 
security standards or algorithms, NIST is the appropriate agency.
    As for using multiple protocols, we've done this for decades with 
considerable success. The challenge is to make sure that different 
protocols complement each other rather than cause uncertainty, 
confusion, and even counter productivity. The way to reduce this risk 
is to make sure the standards development processes are not done in 
isolation as has frequently happened in the past.

Q3.  Please discuss how the level of confidence can have an impact on 
the utility of attack attribution. Please relate the level of 
confidence to the spectrum of available responses including diplomatic, 
economic, cyber, and kinetic.

A3. If we have a legally meaningful level of confidence in attack 
attribution then the utility of this goes beyond mere attribution, as 
some would-be attackers will be deterred by the ramifications of that 
attribution. We should have fine-grained control over what level of 
identification and authentication we require before access is granted. 
This in turn will give us control over the level of confidence we have 
in attribution. Perhaps for a low value target we would just accept 
that it's going to be attacked and not bother so much with attribution.
    The level of confidence one can have using attack attribution 
technologies varies dependent on the:

        1.  Type of hardware the attack is emanating from,

        2.  Specific operating system and application software in use,

        3.  Level of user authentication used on that system,

        4.  Internet protocols, including security protocols such as 
        IPSEC, and

        5.  Cooperation from the Internet Service Providers (ISPs)

    If the identity of the individual is required, that is harder than 
just knowing the machine from which the attack is emanating, and that, 
in turn, is much harder than knowing the geo-location of that 
machine. As mentioned in my testimony, trying to pinpoint the exact 
individual who is willfully committing the attack cannot be done with a 
high level of confidence due to problems with the security on the 
system the attack is emanating from.
    Consideration of all the above attributes will be required to 
obtain a level of confidence suitable for the appropriate diplomatic, 
economic, cyber, and kinetic response. A diplomatic response such as a 
formal state department demarche does not appear to be much of a 
deterrent at all, as countries like China and Russia will simply deny 
it. Economic responses could be very valuable, but will require an 
international approach which does not impinge on the individual nation 
state sovereignty. Cyber responses are certainly unclear as to their 
effectiveness, especially since the U.S. is the most dependent on cyber 
and has the most to lose in a cyber conflict. Finally, a kinetic 
response of course escalates any cyber attack to a much higher level 
conflict and cannot be done without absolute certainty of where the 
attack is coming from. Even then, I doubt there would be much national 
or international support for such an action and this response should be 
    Lastly, in answering this question, it is important that research & 
development be done in all the five areas listed above as advances in 
these areas will both stop some attacks and deter others. DARPA, NSF, 
NIST, and NSA all have a role in accomplishing this.

Questions submitted by Vice Chair Ben R. Lujan

Q1.  The Fourth-generation of cellular wireless network standards being 
developed uses the internet protocol suite and would extend the 
internet to cellular devices. What are the implications of this 4G 
standard for this discussion on privacy and attribution?

A1. There has been an explosive growth in the availability of location 
databases that associate building and emitter identifiers (IDs) with 
geographic coordinates. While these capabilities are assisting in 
solving the attribution problem, they are also enhancing criminal 
activity and adversely impacting our personal privacy and national 
security. This is especially troublesome since the data is (primarily) 
in the hands of private and frequently multinational corporations.
    Examples of these data bases include information about 4G cell 
phones & PDAs, IP addresses, WiFi and WiMax emitters, cell towers, 
routers, gateways/points of presence, physical addresses, among others. 
Additional clues to location can be derived from the above plus timing 
calculations and measurements within data and voice traffic.
    These data bases exist in many different forms today and are 
perpetually updated, some in real-time. Furthermore, these data bases 
are held in the hands of multiple distinct parties, including:

        1.  Classified government data bases

        2.  Private commercial data bases (e.g., cell phone, PSTN, ISP, 
        and utilities),

        3.  Open-source data bases (e.g., Internet registrars, Google 

        4.  Unclassified (but sensitive) government data bases, and

        5.  Foreign government or foreign corporate data bases.

    For example, the above data bases can be correlated and combined to 
discern coordinates for various scenarios, such as tracking individuals 
in real-time by overlaying their current position on a satellite image 
or street view to follow their every movement and make notes of where 
they went, at what time, who they met with, who they emailed or phoned, 
what they purchased, and so on. As mentioned in my testimony, these 
capabilities pose both an opportunity to do attribution when we need 
it, but a potentially catastrophic vulnerability when it is used for 
foreign cyber attacks, corporate espionage, criminal activity, and, 
potentially, terrorism.

                   Answers to Post-Hearing Questions
Responses by Mr. Marc Rotenberg, President, Electronic Privacy 
        Information Center

Questions submitted by Chairman David Wu

Q1.  Information sharing is critical for success in cyber security, 
whether it supports attribution of attacks or awareness of 
vulnerabilities. How important is it to have common nomenclature, 
common metrics, and standard sharing methods for success in information 
sharing? How should these different elements be developed, which 
government agencies should be involved, and what roles should they play 
throughout the process?

A1. There are technical standards that enable data exchanges but it is 
critically important to keep in mind that there are also legal 
standards that help ensure trust and confidence in the collection and 
use of personal information by the Federal Government. This problem is 
already clear in the use of ``cookies,'' i.e. persistent identifiers, 
by government agencies in the management of Federal web sites.
    The Federal Privacy Act sets out a framework for all Federal 
Government agencies collecting and using the personal information of 
American citizens. That framework embodies a set of principles that any 
new Federal attribution system is bound to adopt. The Privacy Act 
limits most agencies to maintain records of individuals only which are 
``relevant and necessary'' to accomplish specific purposes derived from 
statute or executive order.
    More generally, the framework prioritizes the individual citizen's 
right to request and view all government records about him or her that 
do fall under a set of specific statutory exemptions, and for that 
citizen to sue the government for violations of the statute.
    Clearly, there is a need to strengthen the application of the 
Privacy Act across the Federal Government. The original draft bill considered 
by Congress contemplated an independent Federal privacy agency to 
oversee enforcement of the Act. We would still favor this approach. 
Short of new legislation, the OMB should play a more active role 
ensuring compliance with Privacy Act provisions.

Q2.  Many of you have discussed the need for new internet protocols to 
be built on the concepts of security, authentication, and attribution. 
What parties would help develop and implement these protocols and what 
would their roles be? Who would use these new protocols and would 
multiple protocols diminish the utility of the internet?

A2. The ideal security model for new Internet protocols should focus on 
end-to-end encryption and dynamic addressing instead of attribution and 
surveillance. End-to-end encryption translates data into a secret code, 
thereby protecting it from the moment it leaves the sender computer 
until the moment it is received by the intended recipient computer (and 
decoded). This kind of comprehensive encryption is essential for 
protecting personal data that travels over vulnerable channels, such as 
the public Internet.
    Dynamic addressing serves a similar purpose in a different way. The 
term refers to Internet Protocol (IP) addresses, which computers use to 
direct bits of data across the web. There are two ways to assign IP 
addresses. A dynamic addressing system assigns each computer a random 
selection from a preselected pool of addresses. A static addressing 
system assigns each computer a single, permanent address. The latter is 
based on the same philosophy as attribution systems, and shares its 
inherent flaws.
    The most recent version of widely used Internet Protocols is IP 
version 6 (``IP v.6''). IP v.6 enables, but does not require, network 
administrators, IT professionals who run individual networks for 
companies and other large organizations, to use static addressing. This 
could create new risks to users. Permanently tracing personally 
identifiable online conduct to individual users serves to provide 
hackers additional targets. Alternative protocols can take advantage of 
IPv6 functionality while minimizing the privacy risk.
    There are numerous organizations that can assist in developing and 
implementing protocols that reflect a more resilient, open approach to 
internet security that rely on end-to-end encryption and dynamic 
addressing. I would recommend the Internet Engineering Task Force, the 
Internet Architecture Board, and the Internet Corporation for Assigned 
Names and Numbers (ICANN).

Q3.  Please discuss how the level of confidence can have an impact on 
the utility of attack attribution. Please relate the level of 
confidence to the spectrum of available responses including diplomatic, 
economic, cyber, and kinetic.

A3. Attribution programs do not prevent highly skilled attackers from 
remaining anonymous. They do create vulnerable repositories of 
personally identifiable information, but only for those Internet users 
who are not trained in frustrating attribution systems. In fact, these 
repositories would soon become tempting new targets for the hackers who 
are outside the attribution system.
    Furthermore, the National Academy report that I cited in my 
testimony said, ``It is not known how much the smooth operation of 
society depends on such things, or on the assumption that they are 
possible. There is a risk, however, that they would be lost, or at 
least significantly impaired, if a broadly used nationwide identity 
system came into existence.''
    Again, current schemes of attribution are inherently limited, which 
significantly diminishes the levels of confidence we can invest in 
them. Still, one useful mechanism of attribution is called Domain Name 
System Security Extensions, or DNSSEC. DNSSEC reduces the risk of 
phishing by focusing attribution efforts on authenticating websites. 
That is a distinctly different approach than tracking individual users, 
and in 2008, the Electronic Privacy Information Center endorsed this 
approach in administrative comments relating to ICANN's adoption of 
DNSSEC for websites ending in ``.org'' (the .ORG Domain).
    ``Phishing'' is a hacker term for malicious websites that pose as 
legitimate ones to fraudulently acquire sensitive information about 
Internet users. The primary mechanism DNSSEC uses to prevent phishing 
is a new form of authentication built into the Domain Name System. The 
Domain Name System translates the computer language identifiers for 
Internet addresses into language human users understand. DNSSEC adds a 
level of security to this process by requiring sites to use digital 
signatures. Digital signatures are mathematical messages which allow 
the users' computer to discern whether or not the site is the one it 
claims to be or instead a fraudulent intruder.
    Beyond bounded approaches like DNSSEC, the Federal Government 
probably not design diplomatic, economic, cyber, and kinetic approaches 
to foreign policy around the attribution systems currently available. 
They are not very reliable, and suffer from the limitations I've 
described in my testimony and in response to questions.

Q4.  Are there any other thoughts or issues you would like to share 
with the Committee on attack attribution and cybersecurity?

A4. Cyber security is a transnational problem that requires resilient 
solutions. The primary function of a national attribution system, in 
the abstract, would aim to solve more problems than it creates by 
extending the range of our country's foreign policy tools and domestic 
policing techniques. In practice, however, available systems can yield 
ambiguous results at best, which will frustrate security efforts 
instead of bolstering them.
    Moreover, there are fundamental privacy rights at stake. Building 
the capacity to track American citizens has always been two-edged. 
Large scale, preventative surveillance invites abuse. In this case, it 
invites the malicious users we are fighting to participate in the 
abuse. Cyber attackers can operate outside of any available attribution 
system, and use our system against us.
    Invariably, solving one problem in the cyber security field will 
create a new problem. A smart strategy must anticipate this dynamic.

Questions submitted by Vice Chair Ben R. Lujan

Q1.  The Fourth-generation of cellular wireless network standards being 
developed uses the internet protocol suite and would extend the 
internet to cellular devices. What are the implications of this 4G 
standard for this discussion on privacy and attribution?

A1. As mobile phone companies such as Verizon and AT&T Mobility 
transition to the 4G wireless standard, there is the possibility that 
the ``Internet of things''--familiar communications devices, such as 
cell phones, as well as many objects, such as refrigerators, identity 
cards, and clothing--will become uniquely identifiable and locatable.
    Some may favor this capability because it will make possible new 
forms of real-time attribution. But for the determined attackers, it 
will also create new opportunities to conceal identity and to turn the 
techniques of attribution against us. Robust security systems should 
not rely on the perfectibility of attribution.