An Attribution Skeptic’s FAQ

I’ve written extensively about the challenges of technical evidence and faith-based attribution so it’s no wonder that I frequently receive calls from journalists who ask me many of the same questions regarding my lack of faith in government and private sector findings.

I’ve decided to create an FAQ of the most interesting ones along with my answers in order to save time and clear the air.

What amount of evidence would it take to convince you that the Russian government is behind the DNC hack and election tampering?

(Update Jan 3, 2017) I get this question a lot and should have included it in my original post. Here’s my answer, and it applies to any question of attribution to a nation state.

I want to see a chain of verifiable evidence available for peer review that is internally consistent, that is not dependent solely upon technical evidence, and that brings us to reasonable certainty as defined by international law.

If the evidence is classified, then I’d want to see it reviewed by an independent bi-partisan commission composed of individuals with sufficient technical understanding to review the source evidence and ask hard questions of those involved, up to and including the executives of the commercial cybersecurity companies that had a hand in the U.S. government’s finding of responsibility against another nation state.

Didn’t you claim that China was behind Stuxnet?

This is one of the most common attacks that I receive as a skeptic — “You can’t listen to him. He said that China created Stuxnet!”

On December 14, 2010, I proposed China as the possible nation state behind the Stuxnet attack before it was clear that it was the U.S. and/or Israel. Here’s the blog post where I lay out my reasoning. And here is my June 2, 2012 blog post with my acknowledgment that I was wrong. Everyone talks about the former. No one mentions the latter.

You are TOO skeptical. No amount of circumstantial evidence is enough for you!

Not true. While I’m critical of most reports, I’ve also praised reports that I thought were fair and balanced. I’ve particularly praised Kaspersky Lab for successfully identifying Equation Group as a nation state threat actor. I also thought that Airbus Defense and Space did a fine job with their APT threat report on Pitty Tiger. ESET just produced a great three-part report on Sednit (also known as Fancy Bear).

To be clear, I strongly believe that the role of determining attribution belongs to the government, not to for-profit companies with an economic incentive in making claims and no downside in being wrong. However, when a company issues a report that is responsibly worded and provides detailed evidence that they are willing to share for peer review, I’m onboard.

Seventeen U.S. Intelligence Agencies have concluded that Russia did it. Why aren’t you convinced?

I’m not convinced because there have been many reports that consensus on this finding is an illusion at best. There’s the controversial letter that Director Brennan sent to CIA employees along with his alleged leaks to the press. The FBI reportedly resisted signing off on the DHS/ODNI statement. And really, the whole 17 agencies thing is nothing more than a reference to the fact that the ODNI represents 16 agencies. Does anyone really think that every single one of those sixteen agencies in the IC individually evaluated the evidence and came to their own finding like 12 jurors in a murder trial?

Why aren’t there more skeptics in InfoSec?

There’s a cost to being too critical. One infosec company threatened to sue a researcher if he didn’t make substantive changes to a published paper that was critical of their report. Many employers don’t allow their employees to express controversial opinions that could hurt the company’s business or reputation. And if the company or organization that you’re critical of has influential connections in Washington D.C., your professional reputation may suffer as well.

I think you would do well to graduate from an intel school before you presume to tell a former Air Force intel officer what intel is or how to do it.

This is one of my favorite insults sent to me from a Mandiant executive in response to my criticism of his company’s APT1 report. How dare I point out that their table of evidence lacked rigor! I wonder if he knew that a U.S. Air Force intelligence officer came to that same conclusion sixteen years ago.

Like what you read? Give Jeffrey Carr a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.