51
Hoover Institution • Stanford University
investigators will plant a variety of false clues. Thus, at the moment of collection, the investigator cannot presume
the independence of any given clue, and he or she must take into account the probability that a newly gathered
clue is not in fact independent. On the other hand, that probability is not unity, and it would have to be probability
1.0 to discard the new clue entirely. In general, the higher the probability of non-independence, the greater the
necessity of obtaining other corroborating sources that are not technical in nature.
49 MichaelCaloyannides.“Forensicsisso‘yesterday,’”IEEE Security & Privacy 7(2):18–25, March/April 2009,
https:// www . computer . org / csdl / mags / sp / 2009 / 02 / msp2009020018 - abs . html. Some empirical work undertaken
byNunesetal.foundthatinanexercisewheregroundtruthaboutidentitieswasknown,themajorityof
misidentifications of an intruder resulted from deceptive activities. See Eric Nunes, Nimish Kulkarni, Paulo
Shakarian,AndrewRuef,andJayLittle,“Cyber-DeceptionandAttributioninCapture-the-FlagExercises”,2015
IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM ’15, August25–28,
2 0 1 5 , P a r i s , F r a n c e , h t t p : / / d l . a c m . o r g / c i t a t i o n . c f m ? d o i d = 2 8 0 8 7 9 7 . 2 8 0 9 3 6 2 .
50 Similarities between the malware used in the 2014 hack on Sony Pictures Entertainment and malware used
inothercyberintrusionspreviouslyattributedtoNorthKoreawereinpartresponsiblefortheFBI’sattribution
oftheSonyhacktoNorthKorea.SeeJamesB.Comey,director,FederalBureauofInvestigation,Remarksatthe
InternationalConferenceonCyberSecurity,FordhamUniversity,January7,2015,www.fbi.gov/news/speeches
/addressing-the-cyber-security-threat.
51 JohnP. Carlin, “Detect, Disrupt, Deter.”
52 Guitton and Korzak elaborate on this point, arguing that the correlation between “sophistication” and
likelihood of a nation-state actor being involved is not perfect, at least in part because “the lack of clarity and
inconsistencyaroundtheterm‘sophistication’”meansthatsophisticationiscontext-dependentandistherefore
an unreliable guide to associating a nation-state with any given intrusion. See Clement Guitton and Elaine
Korzak,“The Sophistication Criterion for Attribution: Identifying the Perpetrators of Cyber-Attack,” The RUSI
Journal 158(4):62–68, 2013, www . tandfonline . com / doi / abs / 10 . 1080 / 03071847 . 2013 . 826509.
53 Central Intelligence Agency, “Human Intelligence,” www . cia . gov / news - information / featured - story - archive
/ 2010 - featured - story - archive / intelligence - human - intelligence . html.
54 The Joint Civilian-Military Investigation Group, “Investigation Result on the Sinking of ROKS ‘Cheonan,’ ”
M a y 2 0 , 2 0 1 0 , h t t p : / / n e w s . b b c . c o . u k / n o l / s h a r e d / b s p / h i / p d f s / 2 0 _ 0 5 _ 1 0 j i g r e p o r t . p d f ( a m o r e r e a d a b l e f o r m c a n b e
f o u n d a t h t t p : / / w w w . g l o b a l s e c u r i t y . o r g / m i l i t a r y / l i b r a r y / r e p o r t / 2 0 1 0 / 1 0 0 5 2 0 _ j c m i g - r o k s - c h e o n a n / 1 0 0 5 2 0 _ j c m i g
- roks - cheonan . htm).
55 Formoreonthispoint,seeJonR.Lindsay,“Tippingthescales:theattributionproblemandthefeasibilityof
deterrence against cyberattack,” Journal of Cybersecurity 1(1): 1–15,2015,http://cybersecurity.oxfordjournals
. org / content / 1 / 1 / 53.
56 William Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Aairs 89(5): 97–108,
September/October 2010, www . foreignaairs . com / articles / united - states / 2010 - 09 - 01 / defending - new - domain.
57 LeonPanetta,“DefendingtheNationfromCyberAttack,”remarksoncybersecuritytotheBusinessExecutivesfor
NationalSecurity,NewYorkCity,October11,2012,http://archive.defense.gov/speeches/speech.aspx?speechid=1728.
58 JamesClapper,“WorldwideThreatAssessmentoftheUSIntelligenceCommunity,”testimonytotheSenate
ArmedServicesCommittee,February26,2015,https://www.dni.gov/files/documents/Unclassified_2015_ATA
_ S F R _ - _ S A S C _ F I N A L . p d f .
59 JamesClapper,“WorldwideThreatAssessmentoftheUSIntelligenceCommunity,”testimonytotheSenate
ArmedServicesCommittee,February9,2016,www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR
_ F I N A L . p d f .
60 USDepartmentofDefense,“TheDoDCyberStrategy,”Washington,DC,April2015,http://www.defense.gov
/ P o r t a l s / 1 / f e a t u r e s / 2 0 1 5 / 0 4 1 5 _ c y b e r - s t r a t e g y / F i n a l _ 2 0 1 5 _ D o D _ C Y B E R _ S T R A T E G Y _ f o r _ w e b . p d f .