The FBI’s statement that North Korea is responsible for the cyber attack on Sony Pictures Entertainment has been met with various levels of support and criticism, which has polarized the information security community. At its core, the debate comes down to this: Should we trust the government and its evidence or not? But I believe there is another view that has not been widely represented: that of those who trust the government but disagree with the precedent being set.
Polarization and Precedents
The government knew when it released technical evidence surrounding the attack that what it was presenting was not enough. The evidence presented so far has been lackluster at best, and by its own admission, there was additional information used to arrive at the conclusion that North Korea was responsible, which it decided to withhold. Indeed, the NSA has now acknowledged helping the FBI with its investigation, though it is still unclear what exactly the nature of that help was.
But in presenting inconclusive evidence to the public to justify the attribution, the government opened the door to cross-analysis that would obviously not reach the same conclusion it had reached. It was likely done with good intention, but came off to the security community as incompetence, with a bit of pandering.
Robert M. Lee
Robert M. Lee is a PhD candidate at Kings College London and an active-duty Air Force Cyber Warfare Operations Officer who has led operational teams in the Air Force and Intelligence Community.
When I served in the intelligence community as an analyst and team lead doing digital network analysis, dealing with these types of threat attribution cases was the norm. What was not the norm was going public with attribution. I understand the reason for wanting to publicly identify attackers and I also understand the challenges of identifying attackers while at the same time preserving sources and methods. Being open with evidence does have serious consequences. But being entirely closed with evidence is a problem, too. The worst path is the middle ground though. The problem in this case is that the government made a decision to have public attribution without the needed public evidence to prove it. It sets a dangerous international precedent whereby we’re saying to the world “we did the analysis, don’t question it—it’s classified—just accept it as proof.”
This opens up scary possibilities. If Iran had reacted the same way when its nuclear facility was hit with the Stuxnet malware, we likely would have all critiqued it. The global community would not have accepted “we did analysis but it’s classified so now we’re going to employ countermeasures” as an answer. If the attribution was wrong and there was an actual countermeasure or response to the attack, then the lack of public analysis could have led to incorrect and drastic consequences. But with the precedent now set—what happens next time? In a hypothetical scenario, China, Russia, or Iran would be justified in claiming that an attack against their private industry was the work of a nation-state, saying that the evidence is classified, and then employing legal countermeasures. This could be used inappropriately for political posturing and goals. The Sony case should not be oversimplified, as there were no clear-cut correct answers, but it’s important to understand the precedent being set and the potential for blowback.
I Believe the FBI
Let me be clear. I’m not one of the people in the infosec community who thinks the government got the attribution wrong. I agree with the attribution supporters who say the FBI has access to more data than the public has and can therefore reach a better conclusion. The FBI and the intelligence community have highly competent professionals and have experience working on these types of cases. And in this case, they’ve also engaged the private sector to add outside expertise. This combination of internal government expertise with industry expertise was a mature response to a complex situation.
In my intelligence work, we did technical analysis with government sources and methods on a regular basis for attribution. Sometimes we got it right. Sometimes we got it wrong, because we’re human and technical data, while not magic, is not always easy to interpret correctly. But finished intelligence reports that have examined multiple sources of data and competing analyses are often highly accurate. That type of quality intelligence product is what the FBI has internally.
I believe that North Korea probably did hack Sony. I do trust the government in that regard. I do not trust the standard it is setting, however, and I will never accept “it’s classified and we can’t tell you, but we’re going to publicly blame someone anyway” as a legitimate response. I believe the FBI’s analysis is likely right. But I also believe the critics to be correct.
The Critics Are Right
I don’t think the critics are posing the best counter-theories on the attribution issue in the Sony hack—pointing the finger at company insiders—and I don’t think they have enough data to “know” anything about who did it. But the critics accurately state that technical analysis is prone to bias and error, making inherent trust in the government’s theory unwise. The evidence presented so far does not adequately show that North Korea was responsible for the Sony attack. And by its nature, the information security community does not generally accept “because I said so” and “trust us” as adequate answers. Not blindly trusting information is exactly what makes for a good infosec professional, and asking tough questions is an important part of solidifying theories and reaching appropriate conclusions. The FBI should have predicted this response from the community when it decided to publicly attribute the attack while withholding significant portions of the evidence. What the government chose was a middle ground that not only polarized the community but set a bad precedent. More transparency would have strengthened the case and established a higher bar for attribution.
In the future, the government needs to pick one path and stick to it. It either needs to decide that attribution in a case like this is important enough to risk disclosing sources and methods, or it needs to decide that the sources and methods are more important and withhold attribution entirely or present it without any evidence. Trying to do both results in losses all around. There will be lessons learned from this, but whether or not they get applied will be determined by history.
These views do not represent or constitute an opinion by the U.S. Government, Department of Defense, or Air Force. They are the author’s views alone.