I Have No Idea Who Hacked Sony. And Neither Do You.


Nick Selby


“On an operational level, attribution is a nuanced process, not a simple problem.” - Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, Journal of Strategic Studies

If you’ve been even vaguely following the news of the Sony Pictures hack, you’ll have noted that there are two camps that have formed: those who support the US Government’s position that responsibility for the hack on Sony Pictures rests with the government of North Korea, and those who think that who dunnit is far from certain.

Add to this mix pundits stating one way or t’other and you have a cozy little chinwag/penis-measuring contest that’s been a lot of laughs. I’m not adding to this because I’ve got no skin (so to speak) in this game, but I have noticed that it’s a lot harder these days to just take someone’s word for something like this and then engage in keyboard rattling about how them dirty North Koreans attacked our American (subsidiary-of-a-Japanese-company) Movie Icon.

I have worked in the world of cyber incident response and information security, and if there’s one thing I know about it, it is that it’s easier to fix a mess than it is to know specifically who caused it. “Attribution,” the industry term for “who dunnit”, is, like, really hard — and often we told customers that they’re better off fixing the problems now and worrying about who dunnit later, because it takes a long, long time to be certain. You must, of course, figure out the kind of who — you don’t want to just fix the symptom and leave untouched the cause — but it takes some time to get that part really right. Thomas Rid and Ben Buchanan recently published in Strategic Studies, Attributing Cyber Attacks, which is a really good paper on this — it’s a good 15-minute holiday read for ya.

Two of their quotes stand out:

On a technical level, attribution is an art as much as a science.

and,

On an operational level, attribution is a nuanced process, not a simple problem.

In many cases, it’s easier to point to a region — “Russians”, “Chinese”, “Moldovans” — than it is to say that the hack, “was pulled off by a Mr George Thomason, who lives at Flat three, Kipling Mansions, Murray Road, London, West nine.”

But here was the cavalcade of stars, saying that it was the North Koreans, and mocking those who might challenge this or ask for evidence. I got included in one such exchange (I retweeted a link to a well-written article that questioned in detail the official story) by Dave Aitel, who has been pretty vocal (for him) about attribution to North Korea being just spot-on. It seems to have disappeared now, but basically it said, “tl;dr spy agencies don’t always tell you everything they know, supersadface.”

I replied that, while this was true, it is similarly true that intelligence agencies don’t often go on public relations campaigns with statements that, in a manner that is politically convenient, support a position already taken by our nation’s leaders. Dave wrote a blog post earlier, saying in part,

Don’t be fooled by the rather circumstantial public evidence that ties the Sony attack to North Korea — that’s just cover for the real intelligence behind the attribution assertion, which is no doubt air-tight.

“No doubt air-tight,” he said.

Bas Alberts wrote on the Daily Dave mailing list a fascinating balance piece, which partly claimed,

“…[R]eally it boils down to this “event” (legit or not) becoming a policy vehicle or catalyst. This is not so much about Sony, or North Korea, or even whether or not the attribution is correct. It is much more a dry run for a near future filled with the real thing…. All hype aside, Dave’s narrative has always been the same for this kind of thing… He has always claimed that a big part of “cyber” is not so much the “I will turn off your lights in the middle of winter” of Hollywood lore (heh) and much more a game of economic pressure to coerce and otherwise influence policy and strategy.”

Fair enough. But more on why many people have trouble believing the, excuse the expression, FBI, when they claim to have solid attribution to an elite team of North Korean hacker-superstars.

See, here’s the thing: I know Dave a little, and respect him and his work to the extent that if he says it, I believe he knows it. But I don’t know it and it’s a little presumptuous on his part to expect that anyone else should just believe him because … Dave. Given our recent national experience and history, I think it’s a little rich to just expect anyone to believe anything the US Government says without some modicum of proof that rises above, “IP addresses associated with North Korea

Dave pointed to it himself in a Daily Dave post:

“[T]he continual “I still don’t believe it’s NK” news reports and Twitter grumblings can be explained by looking at the extremely confused [Intelligence Community] strategy in terms of a failed Counter-Insurgency operation. In other words, the IC’s credibility is in the toilet.”

Duh.

In January, 2003, a CBS News poll found that support among Americans for military action in Iraq had slipped to “only” 64%. Seventy-seven per cent of Americans said that, if inspectors hadn’t found a smoking gun by a US-imposed deadline the following week, they should keep looking.

I supported invasion, my wife was bitterly against it. I didn’t support invasion because of weapons of mass destruction (WMD) — I didn’t give a shit about WMD and whether they existed. Rather I supported invasion because the Iraqi regime had forced us to spend billions of dollars policing the No-Fly zones and responding to having our planes lit up by Iraqi radar. Iraq flouted the terms of the 1991 cease fire, and I believed that the only way to stop this never-ending war was to go in and, you know, do something.

My wife said I was an idiot, and that a war was the stupidest thing she’d ever heard of.

Then the government started telling us stuff about WMD and using that as the basis for invasion (as if legitimate grounds weren’t available. I’m not even going to mention yellowcake). In that same January, 2003 CBS News poll, Americans were shown to overwhelmingly believe that Hussein had WMD — 85% said so, despite the failure of inspectors to uncover them, and ultimately prescient statements by inspectors that they wouldn’t, because the WMD weren’t there. In fact, 48% of Americans believed that the WMD were there, but that the UN would never find them.

Fast-forward ten years: in June, 2013 I was on Fox Business to talk about NSA spying; it was just after the Snowden story broke, and people in the mainstream didn’t quite understand what was happening. It was to be a chat about basics of link analysis and other really high-level stuff. As it happens, I was in the studio all miked-up and waiting to blather when I had to wait, because President Obama decided to speak to the American people about it. This was the speech in which he said, ‘Nobody is listening to your phone calls…’

So right after the President finished his unfathomably mealy-mouthed statement (“What the intelligence community is doing is looking at phone numbers and durations of calls — they are not looking at people’s names and they are not looking at content,” he said), I was asked if I thought that was OK.

Well, you know, no. I didn’t and I don’t. It’s also not OK to just tell us, “Trust us, we’re the government,” and have us all happily march towards a conflict. It’s not OK to provide the skimpiest of evidence, then refuse to answer questions, mocking those who have them with statements about how things are super-top-duper-secret and asking for — pah! — proof means you don’t know how intelligence works.

It’s not OK. I’m not sure if it really ever was, but even if it was… It’s not any more.