"The ability to determine the responsible party of a military attack and convince a would-be attacker that one has the ability to determine this culpability constitutes a key capability for nations wishing to deter aggression. However, within domain of cyberspace, a belligerent state, non-state and/or criminal actor can manipulate elements of the domain to shroud and/or maliciously redirect culpability elsewhere. In such an environment, is the basic premise of deterrence (threat of retaliation or denial of benefits to the attacker) still viable? This research paper will look at the problem of attribution from both a technical and national policy standpoint. Specifically, the research will briefly describe the technical problems challenging attribution and review some of the proposed solutions. Further, the research will examine the problem of attribution from a national policy standpoint to outline the potential policy solutions that could provide alternate solutions outside or in addition to the purely technical ones as well as highlight consequences of some of the proposed solutions.This paper argues that a central focus on attack attribution to enable a retaliatory response as a means to accomplish deterrence presents an untenable, unsustainable strategy. Cyberspace, unlike other domains of air, space, land and sea, provide the ability to recreate the domain at will to complicate an attackers ability to penetrate. This paper argues that old ideas of centralization and hardening for defense should give way to ideas of randomly moving cyber attack surfaces (logically defined vice physically defined) in order to rebalance the current asymmetry between attacker and defender. Transformative security in cyberspace can only take place when industrial age ideas are supplanted by modern information age ideas that exploit the strengths of the malleable cyber domain to ensure security. Defenders should turn the advantages that favor the offense on its head."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/