BERLIN – As cyberwars between countries, corporations and organized crime groups heat up, correctly attributing the attacks becomes a priority: responses, obviously, must be tailored to the attribution. The U.S. government last year provided a good and a bad example of how attribution should be handled.
As Thomas Rid and Ben Buchanan of the Department of War Studies at King’s College London point out in a recent paper, attributing a cyber attack is “an art as much as a science,” requiring what Prussian King Friedrich the Great called military coup d’oeil.
It isn’t enough to find traces of a certain human language in the malicious code or to determine that it was developed during business hours in a certain time zone: such telltale signs could be designed to misdirect. Matching bits of malware to other attacks isn’t conclusive, either: code is shared among hackers, and hackers contract out to take part in attacks or help each other on principle.
That means a team of security experts working on attribution needs to tie in technical evidence with operational intelligence and even insights into geopolitics. When all these factors come into play, the outcome of an investigation can’t be certain, and it becomes difficult to release details on how the finger came to point at a particular suspect.
Still, in May 2014, the U.S. Department of Justice released lots of details on how it concluded that it was certain Chinese army officers who had conducted cyber attacks on a number of U.S. companies. It didn’t exactly publish the evidence, but at least it explained what it had to go by.
“Releasing these details bolstered the government’s case and its overall credibility on attribution,” Rid and Buchanan wrote. The conclusions weren’t challenged by outside technical experts because they made sense.
The government’s communication strategy in the Sony hack was the exact opposite. The Federal Bureau of Investigation accused North Korea of organizing the attack, saying that “the need to protect sensitive sources and methods” precluded it from releasing the full details. Then it mentioned similarities to other attacks linked to North Korea, giving rise to suspicions that it had been misled by a false flag. A Seattle cyber-security expert even claimed the bad English used by the Sony hackers to communicate with the world pointed to native Russian, not Korean, speakers.
The government said independent experts didn’t have access to the same classified information as the FBI. “Trust us on this,” the authorities told the cyber-security community and the general public. The White House issued an executive order imposing additional sanctions on North Korea, which has denied involvement. The sanctions are largely symbolic, but they are a real-world response to a nebulous charge. Ever since U.S. intelligence claimed it had found weapons of mass destruction in Saddam Hussein’s Iraq, the public has a right to be skeptical.
The biggest problem with blaming North Korea is that Kim Jong Un’s dictatorship gained nothing from the hack. Because of the phenomenon known as the Streisand effect, “The Interview,” the Sony comedy spoofing Kim, became a major hit on download and streaming services, pulling in $18 million in just a couple of days. All the free publicity the movie received is likely to make other filmmakers consider attacking Kim — of course, after taking measures to take their sensitive information offline.
Are North Korean spies so stupid that they couldn’t predict the explosion of interest in “The Interview” after the hack? I doubt it: no one should be so dumb. Certainly not the U.S. government, which itself triggered a kind of Streisand effect by making a highly public accusation and then withholding the evidence on which it was based.
Now, the hacking and anti-hacking communities will forever doubt the FBI’s judgment and alternative versions — especially the well-developed one from Norse, the reputable security firm, involving laid-off Sony employees — will circulate.
Whoever hacked Sony — and on this point, it’s wise to reserve judgment — the lesson for governments and other hacker targets is that there is no point in publishing one’s suspicions unless a lot of detail can also be released.
Giving out as much information as possible is a good idea, Rid and Buchanan wrote. “When a case and its details are made public, the quality of attribution is likely to increase,” they pointed out, citing the example of “the more and more detailed reports on Chinese espionage campaigns, partly driven by competition among security companies.”
In security matters, it’s best to be quiet and go it alone or release a maximum amount of data and get a lot of outside help. There is no comfortable middle path.
Berlin-based writer Leonid Bershidsky is a Bloomberg View contributor.