
Part I: Initial Matters

4. Cyberspace and the Attribution Problem

4.1. Basic Internet Operations

Prior to discussing technical attribution, it is necessary to examine the basic structure and operation of the Internet. The core concept and design of the Internet are responsible for the numerous issues relating to technical attribution of Internet-based cyber-attacks. To understand these challenges, it is necessary to understand the ideas behind the original founding of the Internet and the core technical concepts behind how the Internet (cyberspace) operates.

The Internet is an “open” system,13 that is, “the specifications are publicly available.”14 This means that the specifications on how the Internet operates and the programming languages needed to operate within the Internet are readily available,15 thus enabling disparate networks to operate together to allow the Internet to function. However, the Internet’s “openness” also gives any individual or state the ability to use the Internet for nefarious purposes. The Internet’s greatest strength is arguably its openness and interoperability. These same attributes are also its greatest weakness, as they do not allow for identification of the end user or the end user’s location.

The Internet, as originally designed, was never intended to be the global information exchange that it has become.16 To support this idea, one need only look to the exponential growth of the Internet over its first 25 years of existence, where it went from tens of users to billions of users, while utilizing the same basic infrastructure and programming.17 This is supported by the fact that the IP address system (Internet Protocol Version 4 [IPV4]) ran

13 Douglas E. Comer, Internetworking with TCP/IP, Principles, Protocols and Architecture 2 (5th ed. 2006).

14 Id.

15 Id.

16 See generally, Mark Bowden, Worm: The First Digital World War (Kindle ed. 2011). (Discussing the history of the Internet and its lack of security features.)

17 Douglas E. Comer, Internetworking with TCP/IP, Principles, Protocols and Architecture 9, fig.1.1 (5th ed. 2006).


out of IP addresses needed to accommodate the exponential growth of Internet-enabled devices.18 The fact is, the Internet is operating on security features first put in place in its first iteration, which cannot be changed without a reshaping of the Internet as a whole.

The Internet as it currently exists19 is the result of a collaborative effort between computer scientists and the United States Defense Advanced Research Projects Agency (DARPA) in the 1960s, which resulted in the creation of an early Internet called ARPANET (Advanced Research Projects Agency Network).20 The purpose of ARPANET was to allow disparate computer systems to communicate and to give researchers a means to quickly share information from disparate geographical locations. The ethos of the early Internet was premised upon the free exchange of ideas and information between researchers and institutions.21 While initially limited in scope, the ARPANET quickly grew beyond its original purpose and became a social tool.22 ARPANET started to transition to what is now the Internet in 1974, when computer scientists promulgated the idea of data packets and the Transmission Control Protocol (TCP).23 The TCP has evolved into what is now known as

18 For comparison, numerous sources state that IPV6 theoretically can handle 3.4×10^38 distinct IP addresses.

19 As used herein, the Internet refers to the current IPV4/IPV6 format. As of this writing, the Internet was in transition from IPV4 to IPV6. The transition mainly has to do with how IP numbers are assigned, as the Internet under IPV4 had run out of IP addresses and transitioned to a format (IPV6) which enabled virtually unlimited IP addresses to handle the exponential growth of the Internet. While IPV6 has more robust security features, most have not been incorporated upon rollout, and the IPV6 format is still based upon technology that was standardized in 1996. See, W. Earl Boebert, A Survey of Challenges in Attribution, 41-49 Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010).

See also, ICANN, A Beginners Guide to Internet Protocol Addresses (n.d.).

20 Barry M. Leiner, et al., Brief History of the Internet, Internet Society (n.d.), http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet.

See also, Mark Bowden, Worm: The First Digital World War 9-14 (Kindle ed. 2011). Note, DARPA and ARPANET are used interchangeably as they are the same agency, therefore some texts refer to ARPANET as DARPA, see, Douglas E. Comer, Internetworking with TCP/IP, Principles, Protocols and Architecture 6 (5th ed. 2006).

21 Mark Bowden, Worm: The First Digital World War 13 (Kindle ed. 2011).

22 Id.


the Transmission Control Protocol/Internet Protocol (TCP/IP) and is the basis for most Internet communications.24

Just as the original TCP/IP is in use to drive the Internet today, the security features utilized by the original ARPANET are still in place; that is, virtually no security features. The founders of the Internet focused on the free exchange of information and interconnectivity, but not security. The original security concept was to lock the computer terminals in a room with limited access.25 When first imagined, the computers that could operate on the Internet numbered fewer than 100, all with trusted and known users. As a result, there was no mechanism built into the Internet that enabled user identity verification. While limited security features have been added, the emphasis is still upon the anonymity of the end user. Anonymity is the keystone of the Internet. Free information exchange depends upon this anonymity. As a result of this anonymity, the Internet has no true means of connecting technical attribution to human attribution.26 That is, there are no means of linking cyberspace directly to the person who committed the act. At best, technical attribution may demonstrate the IP address from which the act was initiated. This in itself is not dispositive, as multiple systems may at any given time be linked to a single IP address. This inability to attribute to the human level is again linked to the method by which information is sent via the Internet (TCP/IP).

TCP/IP is used to create a packet-switched network.27 Packet-switched networks utilize data packets28 to drive the information exchange between networks and users. When data is sent via the Internet, it is broken down into smaller data packets to facilitate the ease of

24 Cf. W. Earl Boebert, A Survey of Challenges in Attribution, 41 Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy (2010).

25 See generally, Mark Bowden, Worm: The First Digital World War (Kindle ed. 2011). (Discussing the history of the Internet and its lack of security features.)

26 Id. at n. 24. (Human attribution refers to the ability to link acts on the Internet to the actual human responsible for those acts.)

27 Id. at n. 24. (Packet-switching refers to the TCP/IP which allows information to be sent via small packets of information.)

28 Each packet is between 1,000-1,500 bytes of data (a byte is 8 bits of data, each bit of data in binary code a 0 or a 1). Jonathan Strickland, How Does the Internet Work, howstuffworks.com (2014), http://computer.howstuffworks.com/internet/basics/internet2.htm; “Byte” and “Bit”, Webopedia (2014), http://www.webopedia.com/TERM/B/.


travel within any given network. Simply stated, data packets are small pieces of information that consist of a header, a payload (computer code), and a footer.29 Data packets take a large piece of data and break it into smaller data packets to enable quicker transmission through various routers.

The Internet works on the path of least resistance theory.30 Multiple packets from the same data source may take different routes to the destination depending upon network load, router load, etc. This enables the Internet to share the data transmission load over multiple simultaneous networks enabling greater data transmission speeds. This is enabled by the fact that the header of each packet contains the source IP address and the destination IP address. As the data packet goes from network router to network router, each individual router looks at its internal routing tables for a specific IP range and may select the router with the least data load. When the data packets arrive at the destination computer, the information contained in the footer enables the destination computer to put the information back together in the correct format. This path of least resistance model, however, can create further attribution and sovereignty issues as theoretically a single attack could utilize routers in several countries. This issue will be discussed infra.

Many technical attribution problems are due to how data packets are identified via an IP address. While each data packet contains the source IP address, the IP address is not always verified, nor is the IP address always assigned to a specific individual with identifiable information. Instead, the IP address utilized by the end user is assigned by the Internet Service Provider (ISP) to a specific device on its network, and this IP address may change each time the device logs onto a network, depending upon what type of scheme the ISP utilizes to assign IP addresses.31 While IP addresses are normally assigned to a specific geographical location, at present, any identification beyond a broad general area is

29 What is a Packet?, Howstuffworks.com (01 Dec. 2000), http://computer.howstuffworks.com/question5251.htm.

30 Jonathan Strickland, How Does the Internet Work, howstuffworks.com (2014), http://computer.howstuffworks.com/internet/basics/internet2.htm.

31 An ISP may utilize a static IP address where all devices that utilize its network are assigned a “permanent” IP address, or an ISP may use a dynamic IP address where an IP address is temporarily assigned to a device when it logs onto a network, thus enabling a network to provide service to a larger range of devices in a given range of IP addresses, as not all the devices are on the network at a given time. See, Id. at n. 24.


impossible without further information. This information is only available via the ISP and falls under the control of the host state and its internal domestic laws. This is further complicated by the issue of mobile computing. Wi-Fi hotspots now allow computer devices to access the Internet at locations that offer free access without gathering any identifiable user information, and these hotspots reuse IP addresses, which complicates locating a single device launching an attack.
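The header fields described above (source and destination addresses, checksum) and the point that a packet's source address is self-reported, as an added example that is not part of the original thesis: a small Python parser that reads a constructed IPv4 header and verifies its checksum. The addresses and payload are constructed sample values; the checksum only confirms that the header was not corrupted in transit, so the source field it protects is a claim, not evidence of origin.

```python
import ipaddress
import struct

# Constructed sample addresses from the RFC 5737 documentation ranges, not real hosts.
SRC = "192.0.2.10"
DST = "198.51.100.7"
HDR_FMT = "!BBHHHBBH4s4s"  # the 20-byte fixed IPv4 header (RFC 791), no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a minimal IPv4 header with a correct checksum (used here only to construct sample input)."""
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 words = 20 bytes
    hdr = struct.pack(HDR_FMT, ver_ihl, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Read the fields a router or investigator actually sees in a captured packet."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(HDR_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),  # whatever the sender wrote; nothing signs it
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        # Summing a header whose checksum field is intact yields all ones, so the complement is 0.
        # This shows only that the header was not corrupted in transit, not who sent it.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def demo() -> tuple:
    """Parse a constructed packet, then the same packet with one header byte damaged in transit."""
    payload = b"constructed sample payload"
    packet = build_ipv4_header(SRC, DST, len(payload)) + payload
    damaged = packet[:8] + bytes([packet[8] ^ 0x01]) + packet[9:]  # flip a bit in the TTL byte
    return parse_ipv4_header(packet), parse_ipv4_header(damaged)
```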

Combining these factors (the openness of the Internet, the lack of security features, the need for anonymity, and the lack of true data packet tracking) demonstrates why cyber-attacks have become a cause for concern. The totality of the Internet operates to deny positive technical attribution to the individual, creating multiple barriers to positive technical attribution by computer scientists. As such, computer scientists continue to work on positive means of technical attribution but continue to struggle to overcome the multiple barriers that hinder positive attribution.32