Attribution of Cyber Attacks Is Critical to Deterrence

Alumnus Kevin Mandia, CEO of FireEye, said private companies should practice defensive measures in the cyber domain.

June 29, 2018

Director of CCHS Frank Cilluffo (left) and Kevin Mandia, a George Washington University alumnus and CEO of FireEye, discuss attribution of cyber attacks during a forum in Duques Hall. (Logan Werlinger/GW Today)

By Kristen Mitchell

The wars of yesterday depended on military supremacy, but today’s battles are being fought in cyberspace, according to cybersecurity expert Kevin Mandia.

Mr. Mandia, M.S. ’95 and CEO of FireEye, a company that provides products to protect clients against cyber threats, spoke at George Washington University Wednesday as part of a Center for Cyber and Homeland Security Cybersecurity Leadership Forum. He talked about the rules of engagement in cyberspace, deterrence and the kinds of threats private companies face from state actors.

FireEye responds to hundreds of cyber threats and hacks every year. Dealing with probes from state actors such as Russia, China and Iran has become an inevitable part of doing business for many American companies.

“The next war…will be fought by software first and foremost in my opinion, or a lot of it will be,” Mr. Mandia said. “Cyber activities definitely reflect geopolitical conditions, and they will be the early warnings and indicators of aggression.”

The CCHS Cybersecurity Leadership Forum was hosted by Frank Cilluffo, director of CCHS, in Duques Hall. Mr. Cilluffo said Mr. Mandia and his company have been “on the forefront” of cybersecurity issues for many years.

Hackers are able to exploit the United States’ weaknesses in the cyber domain, Mr. Mandia said. Much of the country’s critical infrastructure is maintained by private companies, which are vulnerable to attack and can only respond with defensive measures. Mr. Mandia’s company was involved with the investigation into the Sony hack in November 2014, which was perpetrated by North Korea.

It was important for investigators to figure out who launched the cyber attack and what the appropriate response from the country would be. While a proportional response is typical when a country has been threatened, the cyber domain does not operate under the same rules of engagement.

“The cyber domain is not the right domain to retaliate with North Korea,” Mr. Mandia said. “I’m a layperson, I’m not an expert, but my gut tells me we’re in a $10 million glasshouse in the cyber domain, and North Korea is in a mud hut of seven IP addresses. Who wins in a cyber duel? We have everything to lose.”

Companies should practice defensive measures to protect themselves from hackers, but should never “hack back” or retaliate in the cyber domain. Those are policy decisions that should be directed by the U.S. government.

Most of the attacks FireEye investigates are state-sponsored or state-condoned. Mr. Mandia’s team meticulously catalogs forensic evidence of cybersecurity breaches, which has allowed it to pick up on patterns to assist with assigning responsibility for an attack. It can be difficult to attribute an attack to specific bad actors because they often attempt to obscure their identity.

“We do believe threat attribution matters,” Mr. Mandia said. “Whether we give it to the world, whether we give it to our customer or whether we feed it to the right agencies, if we don’t know who is doing this stuff, there is no proportional response, there is no deterrence, there are no risks of repercussions to the bad guys.”