Attack Attribution and Cyber Conflict

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit.

What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place.

But what it highlights is the fact that we're living in a world where we can't easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget. And that ambiguity has profound implications for how countries will conduct foreign policy in the Internet age.

Clandestine military operations aren't new. Terrorism can be hard to attribute, especially the murky edges of state-sponsored terrorism. What's different in cyberspace is how easy it is for an attacker to mask his identity -- and the wide variety of people and institutions that can attack anonymously.

In the real world, you can often identify the attacker by the weaponry. In 2007, Israel attacked a Syrian nuclear facility. It was a conventional attack -- military airplanes flew over Syria and bombed the plant -- and there was never any doubt who did it. That shorthand doesn't work in cyberspace.

When the US and Israel attacked an Iranian nuclear facility in 2010, they used a cyberweapon and their involvement was a secret for years. On the Internet, technology broadly disseminates capability. Everyone from lone hackers to criminals to hypothetical cyberterrorists to nations' spies and soldiers is using the same tools and the same tactics. Internet traffic doesn't come with a return address, and it's easy for an attacker to obscure his tracks by routing his attacks through some innocent third party.
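The "innocent third party" problem above has a concrete operational shape: the victim's own logs only ever show the last hop, so tracing the attack means walking backwards one relay at a time, and each step needs that relay's logs. The script below is an added illustration, not code from the essay or from any investigation it mentions. Every address, timestamp and log line in it is constructed, and the 30-second relay window is an assumed parameter.

```python
"""Added illustration, not code from the essay.

A victim's own logs only ever show the last hop.  If the attacker relays
through a compromised third party, attribution has to walk backwards one
hop at a time, and it needs that third party's logs to do so.  Every
address, timestamp and log line below is constructed for the example.
"""
from datetime import datetime, timedelta

# Assumption: a relayed connection leaves the relay no more than 30 s after
# the attacker's connection into the relay arrived.
WINDOW = timedelta(seconds=30)

# Constructed victim-side log: "timestamp src dst note".  192.0.2.10 is the
# victim; all it can see is the relay 203.0.113.45.
VICTIM_LOG = """\
2015-03-01T02:14:07 203.0.113.45 192.0.2.10 ssh-bruteforce
2015-03-01T02:14:09 203.0.113.45 192.0.2.10 ssh-bruteforce
2015-03-01T02:15:30 203.0.113.45 192.0.2.10 wiper-upload
"""

# Constructed inbound log of the relay 203.0.113.45 (an innocent, hacked
# web server): who connected into it, and when.
RELAY_LOG = """\
2015-03-01T02:13:50 198.51.100.7 203.0.113.45
2015-03-01T02:14:05 198.51.100.7 203.0.113.45
2015-03-01T02:15:25 198.51.100.7 203.0.113.45
"""

# Constructed inbound log of the second hop, 198.51.100.7.
RELAY2_LOG = """\
2015-03-01T02:13:40 203.0.113.200 198.51.100.7
2015-03-01T02:13:58 203.0.113.200 198.51.100.7
2015-03-01T02:15:20 203.0.113.200 198.51.100.7
"""


def parse_log(text):
    """Parse 'timestamp src dst [note]' lines into (datetime, src, dst)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        rows.append((datetime.fromisoformat(fields[0]), fields[1], fields[2]))
    return rows


def last_hop(victim_rows):
    """What the victim can attribute on its own: the source address of each
    hostile connection, which is the relay rather than the attacker."""
    return {src for _, src, _ in victim_rows}


def trace_back(victim_rows, hop_logs):
    """Walk the relay chain one hop at a time.

    hop_logs[i] is the inbound connection log of the host found at step i
    (step 0 is the host the victim saw).  A connection into that host is
    linked to an outbound connection from it when it arrived no more than
    WINDOW earlier.  Returns the set of source addresses found at each hop;
    the walk stops, with an empty set, at the first hop whose log is missing
    or does not line up, which is exactly where attribution stalls in
    practice.
    """
    chain = []
    outbound = victim_rows
    for log in hop_logs:
        inbound = parse_log(log)
        matched = []
        for out_ts, out_src, _ in outbound:
            for in_ts, in_src, in_dst in inbound:
                if in_dst == out_src and timedelta(0) <= out_ts - in_ts <= WINDOW:
                    matched.append((in_ts, in_src, in_dst))
        chain.append({src for _, src, _ in matched})
        if not matched:
            break
        outbound = matched
    return chain


if __name__ == "__main__":
    victim = parse_log(VICTIM_LOG)
    print("victim alone sees:", last_hop(victim))                    # the relay
    print("with both relays' logs:", trace_back(victim, [RELAY_LOG, RELAY2_LOG]))
    print("relay refuses to share logs:", trace_back(victim, [""]))  # stalls
```

Two things fall out of running it. With every intermediary's logs the walk reaches 203.0.113.200; with the first relay's log missing, or with the wrong host's log, the chain ends at the relay itself, and the victim is left holding the address of a bystander. Real chains also cross jurisdictions, so each hop's log is a legal request as much as a technical one, which is the reason the essay's attribution delays are measured in weeks.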

And while it now seems that North Korea did indeed attack Sony, the attack it most resembles was conducted by members of the hacker group Anonymous against a company called HBGary Federal in 2011. In the same year, other members of Anonymous threatened NATO, and in 2014, still others announced that they were going to attack ISIS. Regardless of what you think of the group's capabilities, it's a new world when a bunch of hackers can threaten an international military alliance.

Even when a victim does manage to attribute a cyberattack, the process can take a long time. It took the US weeks to publicly blame North Korea for the Sony attacks. That was relatively fast; most of that time was probably spent trying to figure out how to respond. Attacks by China against US companies have taken much longer to attribute.

This delay makes defense policy difficult. Microsoft's Scott Charney makes this point: When you're being physically attacked, you can call on a variety of organizations to defend you -- the police, the military, whoever does antiterrorism security in your country, your lawyers. The legal structure justifying that defense depends on knowing two things: who's attacking you, and why. Unfortunately, when you're being attacked in cyberspace, the two things you often don't know are who's attacking you, and why.

Whose job was it to defend Sony? Was it the US military's, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn't an act of war? Was it Sony's own problem, because it's a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don't have good answers for.

Certainly Sony needs enough security to protect itself regardless of who the attacker was, as do all of us. For the victim of a cyberattack, who the attacker is can be academic. The damage is the same, whether it's a couple of hackers or a nation-state.

In the geopolitical realm, though, attribution is vital. And not only is attribution hard, providing evidence of any attribution is even harder. Because so much of the FBI's evidence was classified -- and probably provided by the National Security Agency -- it was not able to explain why it was so sure North Korea did it. As I recently wrote: "The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong-un's sign-off on the plan." Making any of this public would reveal the NSA's "sources and methods," something it regards as a very important secret.

Different types of attribution require different levels of evidence. In the Sony case, we saw the US government was able to generate enough evidence to convince itself. Perhaps it had the additional evidence required to convince North Korea it was sure, and provided that over diplomatic channels. But if the public is expected to support any government retaliatory action, they are going to need sufficient evidence made public to convince them. Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle.

What all of this means is that we are in the middle of an arms race between attackers and those who want to identify them: deception and deception detection. It's an arms race in which the US -- and, by extension, its allies -- has a singular advantage. We spend more money on electronic eavesdropping than the rest of the world combined, we have more technology companies than any other country, and the architecture of the Internet ensures that most of the world's traffic passes through networks the NSA can eavesdrop on.

In 2012, then US Secretary of Defense Leon Panetta said publicly that the US -- presumably the NSA -- has "made significant advances in ... identifying the origins" of cyberattacks. We don't know if this means they have made some fundamental technological advance, or that their espionage is so good that they're monitoring the planning processes. Other US government officials have privately said that they've solved the attribution problem.

We don't know how much of that is real and how much is bluster. It's actually in America's best interest to confidently accuse North Korea, even if it isn't sure, because it sends a strong message to the rest of the world: "Don't think you can hide in cyberspace. If you try anything, we'll know it's you."

Strong attribution leads to deterrence. The detailed NSA capabilities leaked by Edward Snowden help with this, because they bolster an image of an almost-omniscient NSA.

It's not, though -- which brings us back to the arms race. A world where hackers and governments have the same capabilities, where governments can masquerade as hackers or as other governments, and where much of the attribution evidence intelligence agencies collect remains secret, is a dangerous place.

So is a world where countries have secret capabilities for deception and deception detection, and are constantly trying to get the best of each other. This is the world of today, though, and we need to be prepared for it.

This essay previously appeared in the Christian Science Monitor.

Posted on March 9, 2015 at 7:09 AM • 34 Comments

Comments

Bluster • March 9, 2015 7:57 AM

Question for wise men: Anonymous is supposed to be a free-form hackers' collective which anyone can join and anyone can leave. Correct me if I'm wrong. But that seems to mean that anyone can wear an Anonymous hat, hack anyone he or she or it wants and then proclaim that Anonymous has done it. Seems to me such an un-organization would be riddled with moles and that self-attribution of a hack to Anonymous should raise the question: who's behind this week's Anonymous attack?

Daniel • March 9, 2015 8:06 AM

> It's actually in America's best interest to confidently accuse North Korea, even if it isn't sure, because it sends a strong message to the rest of the world

Unless it later comes out that the attacker wasn't North Korea, and America is shown to have been wrong (even if they honestly believed it). So now America has an interest in suppressing future evidence that goes against their theory.

Clive Robinson • March 9, 2015 8:59 AM

@ Bruce,

And while it now seems that North Korea did indeed attack Sony

Please don't make the mistake of believing that. It's based on a single unreliable source and a bunch of very dodgy assumptions.

Normally an investigative journalist would look for other independent sources, which don't apparently exist. At which point they would either give it a wide berth or start digging.

If you dig you come up against a problem. Firstly the source has considerably more interest in casting blame, than those being blamed have for committing the act. This is another point that would make a journalist dig deeper.

Eventually you come down to this assumption,

The NSA is so far in advance of everybody else in the world that they can not possibly be wrong. That is they can reach out without being detected and can plant their listening points without being detected, and even if they are detected they can not fail to spot a deception anybody including themselves or other IC agencies more experienced at deception than the NSA puts up...

I'm sorry but that assumption does not hold water, not only has the NSA proved to be not the brightest light bulb in the corridor before, it can be shown to be a technical impossibility...

An investigative journalist would if they were wise reach out to independent others to see just how such a detection and deception could be carried out.

And in this case the answer that comes back is "all too simply" for a variety of reasons. Worse it could be fairly easily done by just one or two people with the right knowledge and skills...

It's something the NSA should be aware of so one can only conclude they have either chosen to bluster rather than be factual or have been directed to lie, not good when you are advising the Commander in Chief of the world's largest collection of weapons and personnel under flag...

vas pup • March 9, 2015 9:29 AM

@Bruce:"Whose job was it to defend Sony? Was it the US military's, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn't an act of war? Was it Sony's own problem, because it's a private company?" It depends on what kind of private company was attacked. If defense contractor (e.g. Northrop) - US military, if part of critical infrastructure (power grid, Hoover dam IT, etc.) - DHS and FBI, if entertainment company like Sony - their own problem. Regarding financial system: Federal Reserve - NSA (national economic security) and DNS, and FBI, and CIA since attack originated outside US, but for private banks - FBI.

@Bruce:"Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle." Sorry, I have another opinion. That was not CIA failure, but politically motivated decision to start war against Iraq which was done before any reliable xref checked intel was provided. Trust for internal intel/LEAs activity is low due to latest disclosed facts on their actions in violation of basic constitutional rights (4th Amendment in particular, mass surveillance, gag orders, entrapment practice, etc.). But legislature should be blamed first for generating vague laws, insufficient oversight.

keiner • March 9, 2015 9:32 AM

@clive R

blaim = blame?

It's war time for the US, war time is lie time.

Remember the famous trains with chemical weapons in Iraq, and related nonsense the US presented to the UN.

Mr. Fischer's "I'm not convinced" is the mildest assessment you can draw on such BS presentations.

Same with what's happening in Ukraine. All US/UK lies, even the German government (not the brightest lightbulb in the corridor) has to refute in the press the NATO BS press releases.

Alex Cox • March 9, 2015 9:48 AM

If Sony were responsible for their own IT infrastructure failings, then they are liable for damages to all the people whose information was compromised by their poor IT practices.

If North Korea "did it" then Sony are home free: no damages to pay anyone, business continues as usual. President Obama did Sony a great favour when he leapt to blame a foreign country for Sony's IT breach. But then, Democratic politicians always bend over backwards to help the studios, do they not?

Eugeniu Patrascu • March 9, 2015 9:53 AM

I do not believe that the government should retaliate against attackers if the target is a private company and no lives were lost.

I'm so rone-ry • March 9, 2015 10:27 AM

Clive is right. It seems?!? Discredited propaganda organ New York Times tells us that unnamed 'experts' assert something unspecified that convinced somebody DPRK did it. It seems like the US government is still full of shit.

Be careful you don't get used here. The secret police will dupe you or take advantage of your deference, and then ruin your career for trusting them, just like they did to Tom Thurman and countless other credulous tools. Maybe accepting the official line was a rhetorical device to make your point that reckless attribution is bad. But strictly speaking, what's at issue here is not reckless attribution, but deceptive imputation by the US government as a pretext for armed attack.

If you're implying that the Sony intrusion relied on an insurrectional movement like Anons, it cannot legally be attributed to North Korea unless the movement takes power. Haven't seen any photos of DPRK troops goose-stepping past Jeremy Hammond in Pyongyang... Have you?

And picking up the death merchants' 'arms race' metaphor militarizes situations that would be better handled with pacific dispute resolution. The NSA Stasi doesn't like pacific dispute resolution because they can't make shit up to frame official enemies. That's why NSA will have to be defunded to comply with US international obligations.

Niel • March 9, 2015 11:15 AM

The New York Times is an extension of the US State Department. This whole Sony hack story was intended to antagonize China. Attributing this attack to North Korea is a lie and it's impossible to keep a count of all the lies spread by MSM papers like the NYT.

(Iraq 2: The WMD story) Why We Know Iraq Is Lying by Condy Rize
http://www.nytimes.com/2003/01/23/opinion/why-we-know-iraq-is-lying.html

(Libya: The Viagra story) Claims of Wartime Rapes Unsettle and Divide Libyans
http://www.nytimes.com/2011/06/20/world/africa/20rape.html?pagewanted=all

(Iraq 1: The baby incubator story) ...that they would find that indeed the Amnesty report was reported in "The New York Times" at the time that Nayirah testified. Reports of incubators and babies were reported in A.P., in "The New York Times," in U.P.I., and several other credible wire services. It was indeed in the press at the time. Not after the fact....
http://www.democracynow.org/2003/12/2/a_debate_on_one_of_the

This propaganda is used to sell wars or antagonize US enemies of the day.

Jim Lippard • March 9, 2015 11:18 AM

The North Korea attribution is backed by many organizations at this point (including CrowdStrike, McAfee/Intel Security, FireEye/Mandiant, and others). That FBI Director Comey was willing to expose that the hackers made a mistake which exposed an IP known to be associated with North Korean hackers suggests that this was not the only method used to make the attribution, since that exposure means the attackers will be careful not to do that again in the future. My inference is that the attribution is supported not just by technical indicators (like the similarity to methods used in prior attacks) but by human intelligence as well (Google "Bureau 121" and "Chilbosan Hotel hackers" and read Steve Sin's report, for example).

albert • March 9, 2015 11:40 AM

@Bruce

"...What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place...."
.
I don't give a rat's ass about Sony Pictures Entertainment. Karma's a bitch. Now I see their lawyers (like David Boies) are going after the media for reporting on the hack! Can you imagine the gall? The music/film business is rotten to the core, and has been since its mafia connections way back when.
.
That said, you (and others) have made it very clear that Sony could have followed stricter security policies, and prevented, or at least mitigated, some of the damage. I also agree with @Clive and others about the FBI's highly dubious and unprovable claims about the DPRK (a convenient multi-purpose bogeyman that everyone hates).
.
If SPE can be shown to have been negligent in their computer security policies, then they can still be held accountable. It's high time this concept be codified in law. They will comply if profits are at stake. Just because Microsoft innovated the sale of buggy software and liability-cancelling EULAs, doesn't mean that the concept should apply to corporations in general. This is the purpose of the 'blame game'; to escape liability.
.
The Sony Hack was a boon for the movie, just like the Charlie Dildo thing was for the magazine, and both took advantage.
.
Accountability doesn't matter. How does that help? Yeah, we can punish the evildoers if we catch 'em. Would bombing NK help? Doesn't really do anything for the 'victims', does it? Deterrence? It's gonna stop folks in other countries? What does deterrence mean to suicide bombers?
.
Security begins at home. We can do a helluva lot better. We _have_ to do better. Our entire critical infrastructure depends, unfortunately, on the internet. Other countries are in identical situations. What are they doing?
.
Before we start planning cyber wars (and you can bet we are), we need cyber defenses first. I don't see that happening. The 'weapon makers' are ahead of the 'weapon defenses'.
.
...

Herman • March 9, 2015 11:55 AM

The main problem is that we cannot rely on our governments protecting us in cyber space, because an attack happens at the speed of light and whenever a government tries to, it is accused of building a fascist firewall, as in China and many middle eastern states.

I'm so rone-ry • March 9, 2015 12:07 PM

To vilify DPRK Lippard leads off with the bandwagon fallacy (Awkwardly, waving from the bandwagon are those dotcoms that didn't tell us when they found Regin.) Then we get: suggests, infers, &c., &c., &c. More fake proof. We're invited on an irrelevant wild-goose chase after unsourced stories of shadowy organizations with nothing there to prove whodunit. Intriguingly, we learn, USG imputation relies not on COMINT but on HUMINT. What a shame that's based on some James Bond fantasies Lippard just made up.

What's actually suggestive are these increasingly feckless attempts to perfume unsupported government accusations. That suggests that NSA is not merely afraid of looking like fools - they don't mind that, everything that happens blindsides them - No, NSA is pushing some pretext for use of force. Probably against China, based on that much-hyped "Chinese hotel" red herring. If the aggrieved parties want redress, they can take their case to the PCIA. That the US government doesn't do that shows the US claims are full of shit.

keiner • March 9, 2015 12:08 PM

@Herman

Do you require "the government" to protect you from the dangers of driving a car? Or stepping on a ladder (VERY dangerous, many, many lethal accidents)? Or to provide safety in general public, so that not every jerk thinks he has to run around with a machine gun?

Why do you expect something in "the cyber space", wherever that is?

rikon • March 9, 2015 12:12 PM

Last time I looked at the map, Tokyo belongs to Japan and so does Sony.
USA has zero, zip, nada to do with what happens or doesn't happen to Sony, period.

Skeptical • March 9, 2015 12:24 PM


Whose job was it to defend Sony? Was it the US military's, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn't an act of war? Was it Sony's own problem, because it's a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don't have good answers for.

Absolutely the biggest gap exposed by the Sony hack.

That said, I think the US has begun to draw some clear lines:

Strategic/tactical espionage: We'll try to stop you, and we'll do the same to you, but if you play by the rules, then it's simply part of the game.

Commercial espionage: We'll try to stop you, and we increasingly regard this as outside the bounds of acceptable espionage. Expect legal and economic retaliation.

Destructive attacks on critical infrastructure: We'll treat this no differently than any other kinetic attack on critical infrastructure by a foreign state. We will respond in kind with whatever weapons will best achieve our objectives. You may have used a virus against a dam; we may use a few missiles in response.

Destructive attacks on commercial enterprises by nation-states: We'll retaliate in a calibrated and proportional manner, including by means outside of legal and economic punishment. You won't like it, and you can be sure that we will own the escalation ladder.

But these don't answer some of your questions. To what extent should the NSA prioritize resources to detecting foreign attempts to destructively attack commercial enterprises and/or conduct commercial espionage? To what extent should this be treated as a criminal offense, and to what extent should this be treated as a problem that requires military and intelligence lines of effort as well as law enforcement efforts?

And I think the answer is simply that an effective response will require a coordinated effort among domestic law enforcement, intelligence, and military units. Capabilities will need to be fused and information will need to be shared.

I also think that the coordination will have to include voluntary cooperation from the private sector, along with some creative re-engineering of aspects of our networks.

Ideally, the end result would be a system in which companies and individuals operating within the United States are protected from foreign attacks and from commercial espionage, without any sacrifice of the rights afforded to all persons inside the United States. With some work, that could be extended to other nations as well, provided they shared the US view that governments should not engage in commercial espionage, and that governments should respect fundamental human rights.

Herman • March 9, 2015 12:36 PM

@keiner: Normally a government is responsible for foreign affairs and defence. A citizen is also not allowed to take action against a foreign entity. A cross border computer attack is therefore a federal government defence issue both in Canada and USA for example.

Coyne Tibbets • March 9, 2015 12:38 PM

All the difficulty of attribution means is that either side in a conflict can blame whoever they want.

Berzerkistan attacks Elbonia by way of intermediary systems they control in Creta; Creta is blamed. Creta retaliates against Berzerkistan and the latter blames Elbonia for the attack because they want to start a war with Elbonia.

It gets even more nebulous when a multi-national company is attacked. Umbrella Corporation has business in all three countries. They were attacked in Elbonia, by Elbonia, who blames Creta, the country Elbonia wants to attack.

Creta says Berzerkistan attacked them, when actually there was no attack at all.

Berzerkistan attacks Elbonia; but then Creta claims it was actually their attack.

Not only is it fundamentally hard to attribute these attacks in the first place, but the same difficulty allows deception in attribution. When there's a physical war, it is usually obvious who the participants are. We're entering an age when propaganda will name the "evil attackers", at national or corporate will.

Under such conditions, "attribution" must be regarded as a (nearly) meaningless concept.

keiner • March 9, 2015 1:29 PM

uuhm, yeah, all this NSA/GCHQ hacking throughout Europe, federal and private institutions, critical infrastructure. I think we should declare war on the USA/UK. That would be adequate for cross-border computer attacks ...

Lorenzo • March 9, 2015 2:43 PM

Wouldn't it be ironic if the US government made the NSA responsible for the cyber security of every US-based company (or those with servers on US soil, or a variation of the sort). And every nation followed suit.

I mean this could actually make the internet more secure.

Then of course the devil is in the (implementation) details: for example the NSA could say "in order to make everyone more secure, we need constant unrestricted access to all your networks". Not that it doesn't happen already, but making it actually explicit and sanctioned could actually improve IT security for a lot of people. Market forces would then drive corporations and concerned people towards other nations that protect their cyber infrastructure without demanding access (i.e. by mandating strong crypto and enforcing security practices).

Isn't it fun to toy with such ideas?

WalksWithCrows • March 9, 2015 2:46 PM

Glad to see these problems discussed whenever they are, especially the problem of false attribution and what sort of fallout that can cause.

So much of the various industries connected are treated by the public as some form of mojo or magic.

I am also glad to have seen this well covered in Data & Goliath. And, I like seeing some of the posts above.

I am not entirely sure about the reason for mentioning the HBGary Federal attack & the Sony hack. By the time of the Sony hack, all information on the HBGary Federal attack was already known. This is because one of the attackers, a primary one, "Sabu", was caught shortly afterwards.

Last I read, it is true, one of the brains behind much of these things did remain on the loose, though I rather read into that... that the individual was somehow government. HBGary Federal stunk of being a provocation, so I would not think a foreign government agent, they would probably shy away instinctually from such a situation. So, probably, of the very same agency Sabu ended up working for -- the FBI.

As stories in Vice & Daily Dot showed, there is yet another attribution problem, and that related from that case of "Anonymous" & Sabu: Sabu attacked Stratfor while working for the FBI, as well as many other targets such as foreign embassies and even domestic law enforcement. At one juncture they even attacked the FBI itself. These times and dates are all known, and the circumstances are as well.

Circumstances wise, the FBI were monitoring every move he made from an adjacent apartment. They clearly had firm control from all the other evidence. So, did they order these attacks? There is an attribution problem right there.

The US, post-Manhattan project became extremely cellular in organization wherever intelligence is involved, be it domestic or foreign. This has significant drawbacks, but also significant benefits.

But, the drawbacks of cellular structures mixed with maxed out secrecy, called "overclassification", can be severe, both in terms of lost intelligence and in terms of the danger of poor authentication. Poor authentication means that rogue-like behavior can and does happen, and it can also mean there is the strong possibility of impersonation. Eg, someone posing as USG when they are not.

For instance, in the above situation, maybe the USG - or even just a few agents not really thinking about it - decided to attack the domestic USG sites, or allow them to happen to catch the unknowns involved. Maybe they allowed it or even instructed for it to happen to spread doubt if they were ever caught attacking foreign embassies. After all, as Bruce points out in Data & Goliath, much attribution in nation state attacks depends on who was targeted.

Maybe it was just lack of oversight.

Whatever the case: right there is a good, live example of a real mess of an attribution problem. There you had the FBI, or some small handful of agents, attack one of their own sites and, for instance, a state police site. Under the guise of "Anonymous". Under the further guise of "lulzsec". And probably even under further guises: as Sabu's team had international members coming from who knows where, attacking all over the planet.

So, for instance, a Japanese embassy attacked from someone in Hungary. Where is that embassy? Say, for instance, Germany. Japan might see the attack as being from Hungary, or maybe as being from Germany. If Anonymous claimed credit for it, they then might concede it was Anonymous. But, in continuing this "for example", they would have been wrong on every account. It was the US FBI.

And even saying "it was the US" or "the FBI" would probably be incorrect. Instead, it was either from a small handful of agents, or from an accident. Maybe they just did not supervise Sabu well enough, for instance. If intentional, maybe these agents were asked by someone in their own agency or another agency to do this. Or maybe one of Sabu's friends suggested.

While these sorts of situations might be said to be specific, and so unusual: is it really? Besides all of the attribution problems electronic attacks present in the first place. There are also physical security issues. For instance, above, you can see some who post "as if" they are USG. They do not say it, but one might assume they must be. But, they could be Russian or Chinese wanting to impersonate USG, playing a long game.

Likewise, for instance, at DEFCON, there is "spot the fed". How accurate might that really be? If someone plays up to the stereotyped definition, it might seem harmless. Until they actually find themselves interacting with them. Maybe in a bust, maybe to elicit their help. (A good example of such civilian to cop impersonation is in old 'drug bust' crimes where robbers would rob drug dealers pretending to be cops. Very prevalent at times, in the US, in past decades. But, also well known further back: the Saint Valentine's Day massacre was performed in *exactly* this manner.)

This sort of attack can also be electronic: how does one know who someone is? Badges, sure, but primarily from databases. If you check clearance or authorization at a very secure database, well, it could be hacked. Or it could be circumvented internally, under the auspices of official cover. For instance, the CIA often has used military cover, and multiple agencies have used contractor cover, or cover as other agencies.

As for the pure electronic angle: anyone can reuse code found, or cover their attacks by the very weak attribution mechanism currently in vogue, eg, attribute by who was attacked. They could also get very evil about it, launching destructive attacks that offer much proof it is from one country, when really it is from another.


WalksWithCrows • March 9, 2015 3:06 PM

@vas pup

@Bruce:"Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle." Sorry, I have another opinion. That was not CIA failure, but politically motivated decision to start war against Iraq which was done before any reliable xref checked intel was provided. Trust for internal intel/LEAs activity is low due to latest disclosed facts on their actions in violation of basic constitutional rights (4th Amendment in particular, mass surveillance, gag orders, entrapment practice, etc.). But legislature should be blamed first for generating vague laws, insufficient oversight.

He could have said "because of Snowden", but then it isn't because of Snowden, it is because of what the USG has been doing. People can surely debate on issues like this, 'was it all the administration's fault, eg, the executive office', but that surely does not remove the smear of the USG operating on very bad intelligence.

That is a consistent trend with the USG, as well, across administrations. I am not seeing intel helping there. For instance, they chime in with countries like North Korea is asking for security to be supplanted, and if they had their way, we would not have ecommerce as we do today. I do not see Switzerland making such arguments. Saudi Arabia does. Vietnam does. China does. And the US does.

But, there are many other issues: Libya fell apart. Iraq fell apart. USG left Afghanistan in the 90s after upping the capacities of the Taliban, the "Arab-Afghans", and the conservative elements of the Pakistani ISI. Now there is ISIS and Boko Haram [who have just recently directly aligned under ISIS], and a global movement in many quarters of Sunnism which is far more volatile and potentially dangerous than Al Qaeda ever was. In fact, Al Qaeda disowned these guys for being too radical.

9/11 is another good issue: many to this day see it as a conspiracy. Others see it as simple incompetence. The Boston Bomber situation did not help: the man was on a list, but, as Bruce points out in Data & Goliath, 'so were millions of others'. This, despite the fact that he literally aligned with violent causes, aspirations, and directly visited an offshore facility known to be engaged in training terrorists.

Comp sec wise, it can even be worse: many of the major attacks happening are from overseas. Ukraine, Russia, eastern Europe, China. Not necessarily in that order. Now we know that the US Intel is *so aggressive*, this is seen much more as a 'tit for tat' thing. They are aggressive enough to systematically state that they are interested in aggressive spying against all foreigners in all foreign nations, and that, 'by any means necessary'. Regardless of the severe economic damage this costs US Businesses.

albert · March 9, 2015 3:36 PM

I'd like someone to explain to me how the gov't can 'protect' us from cyber attacks. Exactly how is this done?
.
I don't care about 'retribution'. It doesn't solve the problem; in fact it actually creates bigger problems. Iraq is a great example; a war of retribution, based on phony intel, that solved nothing, and led to increased terrorism, and a totally unstabilized country. Are we going to bomb NK because the NSA says they cyber-attacked us? How convenient. Are we going to bomb Iran because of the fear of their nuclear program? Is it OK to cyber-attack Iran with Stuxnet*, but not OK if they do it to us?
.
Can we bring a little of Dr. Phil's 'common sense' into the picture? I don't see a level playing field here. I see policies based solely on US hegemony.
.
For years folks have been warning us about cyber-attacks on our critical infrastructure, yet nothing is being done.
.
We have been warned, by our own people. Is the gov't deliberately sitting on its hands, waiting for the next 'big one', so it can start more bombing campaigns?
...
*What would Stuxnet look like if Windows never existed?

WalksWithCrows · March 9, 2015 4:17 PM

Adding to the above, a consideration after the post:

If people can not agree on the attribution of the originators of the Iraq war, how on earth can they reliably claim to attribute anything? If one administration could completely subvert all of the intelligence agencies, why would any other administration be any different? If the executive office can subvert the entire intelligence structure with blatant lies and disinformation, and no manner of recourse, what else could they subvert? Or better question, what might they be unable to subvert?

Thinking on that, well, one could say, "But, the Valerie Plame affair shows intelligence and law enforcement can operate against the executive office. Or Watergate." But, maybe that was a distraction. People were so bothered about that, where was the investigation suggesting the Bush executive office supplanted the entire US Intelligence infrastructure? Which is more important? The executive office running the entire US intelligence infrastructure for their own, personal gains? As if it is their own, personal golf cart to scoot along in? Or the executive office leaking information on an officer?

Is it not highly illegal to do such a thing? That is, to force the entirety of the US Intelligence Community to provide false evidence systematically, at the time, and afterwards, to lead the entire country into a war? And for what? If this is the case (I am not stating it is), then one probable motive would be Cheney's interests and connections to Halliburton who made enormous profits from the war.

Maybe it is illegal to do such a thing. Maybe if it was smaller and frivolous, like leaking classified information about an officer, it would have been taken seriously and brought to court. But, no, it led to war, and engaged the entire nation.

That administration, as well, has been out of office for quite some time. Surely, someone from the US intelligence community could go, "Look, they took us hostage and forced us to provide unceasing rivers of false evidence. We had no choice. Now they are out of power, let us bring this case to court and convict the guilty."

Is it legal for the executive office to have done such a thing?

If so, then they held back on protecting their own people over Valerie Plame. Why? They could cause the entire structure to do as it will, even against its will, to lead America to war. Why were they so powerless over such a - relatively speaking - trivial matter?

Was the Valerie Plame issue simply a diversion, to divert from the much larger problem?

I do not think so. I think US Intel did believe Iraq had WMD. I believe they were led by bias, and that they were influenced by the executive office. But if they were really hog tied and forced to go along with it, they could and would come back and press charges.

But, I also find it all irrelevant. The US did make a charge, the entire US intel community backed those charges - excepting some very minority opinions - and they have since admitted they were incorrect. Collectively. They cried wolf, and in a very, very big and very dangerous way.

Other nations therefore listen to them less as a result, as do the American people (who have the very basic information that it was all fraudulent). They do listen to them, though. Amazingly. But, because of their power. Not because they find them actually knowing what they are talking about.


Sancho_P · March 9, 2015 6:06 PM


@ Coyne Tibbets

Hilarious!
And imagine @Skeptical operating the blower to the furnace of war.

@ Skeptical

Sorry, I have to degrade you for drawing incautious lines in the sand.
Your lines clearly show where the US failed.
-> No more Admiral.
There is only one single line: Quod licet Iovi, non licet bovi.
Or: White man shoots, red man is dead. (“APPLAUSE !”)


@ Bruce: “And while it now seems that North Korea did indeed attack Sony …” -
So what has changed substantially?
I’m with @Clive Robinson, repeating a bluff doesn’t make it the truth.

They were incredibly fast to blame NK, too fast for a surprise attack.

No, it is not “their” job to defend singular companies.
But National Security is.
For years “they” were focused on “The Evil”, NK’s minimalistic Internet activities.
Clearly “they” watched any connection and email, suspicious or not.
But didn’t act or say anything.
Conclusion:
There was no suspicious activity from NK side, “they” had no clue.
(Rem: Clearly “they” didn’t observe the Sony network, it’s not their duty)

However, it was a very bad time for the USG: CIA torture report was due …
And a serious cyber attack hit a US core business, devastatingly, couldn’t be stopped ...
-> 1 + 1 = Bingo!
POTUS stepped forward to assure the US:
Trust me, we know who did it, and will react accordingly. (“APPLAUSE !”)

This is the ultimate “evidence”:
"We know" it was NK gov, but Putin himself wrote them the malware (hint: bad English).

65535 · March 10, 2015 2:50 AM

@ Clive

“…while it now seems that North Korea did indeed attack Sony” – Bruce S.
“Please don't make the mistake of believing that. It's based on a single unreliable source and a bunch of very dodgy assumptions.” –Clive

I have to reluctantly agree with Clive’s assessment. All of the North Korea “evidence” is circumstantial, speculative and quite weak.

“[NSA] they can reach out without being detected and can plant their listening points without being detected, and even if they are detected they can not fail to spot a deception anybody including themselves or other IC agencies more experienced at deception than the NSA puts up...” – Clive

I am sure the NSA has the top scientists in IP spoofing and laying of false trails.

The NSA probably has cyber weapons vastly superior to Kali Linux [with its IP spoofer], Metasploit and Back-track put together.

The NSA has a fresh crop of zero day computer exploits growing every day and enough money to keep buying viruses six-ways-to-Sunday. Plus, the in-house team that controls huge bot nets and Remote Access Trojans.

If Bruce’s underlying point was that the NSA could have and should have detected and stopped the Sony hack - that is worthy of public debate.

Dines With Dingos · March 10, 2015 4:03 AM

So, @Skeptical, to paraphrase your contribution to this discussion:

The Bastard from the Bush by anon

As the night was falling slowly over city, town and bush,
From a house in Hogan’s Alley came the Captain of the Push,
And his whistle loud and piercing woke the echoes of the Rocks,
And a dozen ghouls came slouching round the corners of the docks,

Then the Captain jerked a finger at a stranger on the kerb,
Whom he qualified politely with an adjective and verb.
Then he made the introduction, “Here’s a covey from the bush,
F*** me blind, he wants to join us, be a member of the Push!”

Then the stranger made this answer to the Captain of the Push,
“F*** me dead, I’m Uncle Sam, the Bastard from the Bush!
I’ve been to every two-up school from Darwin to the ’Loo,
I’ve ridden colts and black gins, what more can a Bastard do?”

“Are you game to smash a window?” asked the Captain of the Push;
“I’d knock a f***ing house down,” said the Bastard from the Bush.
“Would you take a maiden’s baby? asked the Captain of the Push;
“I’d take a baby’s maiden,” said the Bastard from the Bush.

“Would you bash a bloody copper, if you caught the c*** alone,
Would you stoush a swell or chinky, split his garret with a stone,
Would you make your wife a harlot, and swear off work for good?”
Again that bastard’s voice rang out, “My f***ing oath, I would!”

“Do you help the girls pick gum leaves?” asked the Captain of the Push;
“No, I hit ’em with the branches!” said the Bastard from the Bush.
“Would you knock me down and rob me?” asked the Captain of the Push;
“I’d knock you down and f*** you!” said the Bastard from the Bush.

“Would you like a cigarette?” asked the Captain of the Push;
“I’ll take the bloody packet,” said the Bastard from the Bush.
Then the Pushites all took counsel, saying “F*** me, but he’s game.
Let’s make him our star basher, and he’ll live up to his name.”

So they took him to their hide-out, that Bastard from the Bush,
And they gave him all the privileges belonging to the Push;
But soon they found his little ways were more than they could stand,
And finally the Captain thus addressed his little band:

“Now listen here you buggers, we’ve caught a f***ing tartar;
At every kind of bludgin’ that bastard’s got the starter,
At poker and at two-up he shook our f***ing rules,
He swipes our f***ing liquor and he robs our f***ing girls.”

I considered The Man From Kaomagma as an alternative paraphrase, but it was not actually that relevant.

Nick P · March 10, 2015 1:00 PM

@ Skeptical

Your framework misses a bit of the reality of the situation. Your strategic/tactical and destructive categories seem fine. But, the commercial espionage issue has been unacceptable to U.S. government for a long time. There are lists of the various cases where U.S. intelligence identified companies taking bribes, stealing info, and so on. They've long shown intent to deal with this stuff. So, with NSA's dragnet, they have the capability to catch even more.

That brings us to North Korea. They were a country heavily monitored by NSA. They're known to be both involved in commercial espionage and incentivized to do destructive attacks. That the NSA just sat there watching them siphon TB of data out of Sony Pictures without intervention is worth talking about. This is the same NSA that has secretly been handing over to law enforcement information they discover about drug deals, tax dodges, and so on. Someone dealing weed? Intervene. A massive attack on a U.S. company that we can stop using our Internet backbone capabilities? Nah, let them burn.

Had they called it commercial espionage, then my argument might be easier to fight. That they call it a straight up attack makes my argument stronger. The reason is that they argued for their capabilities and privacy invasions specifically to detect and prevent attacks. Also, to retaliate later. Here they were in literally the perfect position to see the attack, watching it occur, watching the potential damage mount up, and they didn't do crap. Once again, just like Boston, entrusting them with more power didn't do anything in an almost ideal situation for them to handle (eg have heads up on aggressor). Most situations in the future will be less than ideal.

The public should ask: do we entrust them with more, let them keep trying a few more decades with what they have, or just cancel most of this crap in favor of people/organizations/projects that might actually accomplish something? I say cancel the crap while continuing to work on targeted attacks and more effort into HUMINT.

WalksWithCrows · March 10, 2015 1:56 PM

@Dines With Dingos

Holy shit, that is hilarious and scary.


@Nick P & @Skeptical & @anyone 'on the other side of the coin'

I am afraid that the USG has been revealed as morally bankrupt in many areas where they once were treated as exceedingly wealthy. Worse, there has been little backtracking in these regards, instead this poverty is stood upon as if it is a new manner of wealth. Which, unfortunately, it clearly is not.

That is, from nearly every corner, though already bankrupt, they continue to spend as if it were the old days. As if they can not stop.

The creditors are swooping in, and instead of filing for bankruptcy and reaching terms in a humble fashion, their top spenders are 'screaming from the rooftops': 'accept our money, it is still good, this can not be, it must not be'.

Sure, North Korea was probably behind the Sony hack. They had the motive, more substantially than other parties. And to some degree, the capacity more than other parties. If there is 'evidence' or not, however, well... on that front, that is asking people to accept on credit an entity known to be very dishonest in exactly these dealings.

As for that changing anything, of course, 'not much'. Maybe more literal revenue might make its way to attempting to down that empire, as small as it is. But, that in form of what actually is working: invasion of the media.

On the commercial espionage front: that has yet to be seen. It is another matter where the USG is asking people to take them on credit, and at a very high cost, indeed. This "little" cost, from the Americans' standpoint... is actually extremely high, from the standpoint of their creditors. Very few are buying, and those who are - very likely - are just really interested in collecting the collateral when the loan is not repaid.

The more interesting front, however, for me, anyway... is the privacy front. And that little 'screaming from the rooftops' note. Let us consider privacy, here, as some form of currency. Governments, then, are clearly putting very high expectations on that front. They hope to take from their public, and the rest of the world, secret information. But, that, without giving. So, there is a massive debt built up.

We are starting to see that sort of massive imbalance tilting.

That is, is this the society people have longed for and expected for millennia? I would hazard a guess, 'no'. In fact, in some ways, it is the exact opposite of it. And in other ways, it presages it and speaks of it coming. Including, very ironically, the exact opposite of it.

Such a concept can be seen when a balloon is being blown up too much. It will burst. Or, before a tsunami, when the waters recede. It will come back. And with far more water than was there before.

FYI, my own stance is 'neither for nor against', but merely an observer noting details of the times. I have some pleasure in advising investors where to put their money, but I get no charge from that until they are made wealthy by my accuracy. Something which they do not pay me, but such an economy is much more beneficial in a mutually rewarding manner of way. That is by trust.

(And indeed, I, in turn, come to my conclusions based on my trust in others, who lead me in exactly these directions.)

One might, in fact, come to the conclusion that it is exactly 'trust' which is the very currency the USG has well overspent on, in relation to both the domestic and global economies.

And they certainly continue to do very little to try and build that currency back up.

Not wise.

albert · March 10, 2015 2:07 PM

@Nick P
.
"...That the NSA just sat there watching them siphon TB of data out of Sony Pictures without intervention is worth talking about...."
.
If true, it speaks volumes. What the NSA/IC _doesn't_ do. Folks expect the gov't to protect them from cyber-attacks? Cyber-attacks can be politically useful. Since everybody's doing it, they can cherry-pick which ones they need for propaganda purposes. Sounds like a plan.
.
OTOH, perhaps you're giving them too much credit. IIRC, the Russians gave 'us' detailed information on the two Boston Bomber perps. Who said "'so were millions of others'"? Since when are there millions of suspected terrorists in the US? If that's what the IC believes, then we are really screwed, because they believe their own propaganda.
.
Every time an incident happens, we hear the familiar refrain: "We had our eye on them", "We had a dossier", etc.
.
"...more effort into HUMINT...". Totally! It can't cost more than the billions we're spending right now. Of course, it won't be flowing into corporate coffers...
.
...

WalksWithCrows · March 10, 2015 10:35 PM

@albert

OTOH, perhaps you're giving them too much credit. IIRC, the Russians gave 'us' detailed information on the two Boston Bomber perps. Who said "'so were millions of others'"? Since when are there millions of suspected terrorists in the US? If that's what the IC believes, then we are really screwed, because they believe their own propaganda.

I said that and was quoting Schneier from his latest book.

Yeah, they have super dense lists from what I have been reading which basically are full of stacks of hay and very low on actual needles.

The Boston Bomber did something *very* important, which was visit a well known terrorist training and recruiting center overseas. That is definitely a major trait to look for. It is a common trait to many past terrorists. But it got lost in a watered down list.

Not even sure if since then they have tried to improve things. Not my area, but I have designed heuristic detection systems for malware and zero day. You have to do extensive looking at commonalities for "known bad" and try and find some meaningful signatures, meaningful indicators. From every report I have been reading, this has amazingly not been done with people, though it is done routinely with malware and network attacks, which is absurd.

albert · March 11, 2015 11:15 AM

@WalksWithCrows
.
"...this is amazingly not been done with people..."
.
I thought the whole point was to analyze the _people_ involved.
.
Do you think 'visited a terrorist training camp' wasn't on the checklist? Just like 'taking flying lessons-not interested in takeoff or landing' wasn't either. Then, after the damage is done, someone says 'well, we better put those on the list'.
.
The word 'incompetent' comes to mind. I'd be interested in knowing how many 'visitors to terrorist training camps' are wandering around here right now.
.
Perhaps the Decision Makers in the IC put too much Faith in the Power of Computers, or, more likely, have been sold a Bill of Goods by the Vendors.
.
...

WalksWithCrows · March 11, 2015 3:50 PM

@albert

I thought the whole point was to analyze the _people_ involved.


My comment was coming from having worked designing and performing statistical analysis for the purposes of designing security software which is heuristic based and geared towards finding previously unknown malware and zero day.

Most of that work was well over ten years ago, though I did do some work with a major vendor about four years ago or so.

To some degree, I have mildly followed how heuristic technology has progressed.

From 'how people approached heuristic systems', I still remain disappointed. It seems there are considerable flaws which cause this to be a much more difficult problem than it should be, flaws in human nature. Flaws in how people operate in groups in how they approach these sorts of problems. I am very confident of that. So, I have not been surprised to see these very same flaws of thinking even worse in heuristic systems designed to single out suspects.

All that said, systems have been well designed and implemented in ensuing years. There are now, and for the past few years, some systems I am very confident in, in regards to their capacity to reduce noise and find signal. In regards to "previously unknown malware" and "previously unknown zero day" [in the latter, of course, where it is specifically utilized in an attack].


Do you think 'visited a terrorist training camp' wasn't on the checklist? Just like 'taking flying lessons-not interested in takeoff or landing' wasn't either. Then, after the damage is done, someone says 'well, we better put those on the list'. The word 'incompetent' comes to mind. I'd be interested in knowing how many 'visitors to terrorist training camps' are wandering around here right now. Perhaps the Decision Makers in the IC put too much Faith in the Power of Computers, or, more likely, have been sold a Bill of Goods by the Vendors.

My understanding is that they have cast 'too wide of a net'.

This is also what Bruce Schneier well covers, and I am sure he is much more up on the systems than I am.

So while those indicators you mention would put someone "on the list", the problem is "so would many other indicators, including very many that are very poor indicators entirely".

With, it seems, very poor weighting, if there is any weighting at all.

However, of course, we have very little data on such systems. That decreases my confidence. The monolithic structures they are designing and operating these systems in, also decreases my confidence.

With application focused heuristic systems, this took many years to even begin to get right, and the market was entirely open - globally - for competition, and therefore, improvement. Yes, there is *some* of this in this other field, but very much more closed.

As a "for instance" in my work, I could pick up books and papers by major designers, I could test run just about any system I wanted. I could constantly find new feed and new ideas from a wide variety of sources, all, of course, open. I could also get datasets which were highly accurate, and to some degree static: e.g., "known good binaries" and "known bad binaries".

But, you have to have an enormous amount of data on "known good people" to really properly perform such calculations, data I do not think they have access to. And you have to have an enormous amount of data on "known bad actors", which, of course, is a far smaller pool... so maybe a better sampling set. They are also very good at researching past cases, so they do know a lot about who known bad actors are.

Situations, however, like ISIS change things in these regards. If their systems were not already finely tuned, well, then they have a problem.

There is another problem, of course: known bad indicators would have to be very secret information, otherwise this would give a playlist of "how to evade detection" to terrorists. The same criteria, of course, applies to spies.

So, 'security by obscurity'...

Obviously, to a very certain degree, this is a problem with malware detection systems. This is often handled by 'cloud based' or 'like cloud based' solutions. For instance, like how Warcraft's system operates, where much of the analysis data is upstream and beyond detection. (e.g., see some of Greg Hoglund's talks.)
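The two comments above describe heuristic detection in terms of "known good" and "known bad" sets, meaningful indicators, and the problem of "too wide of a net" with poor or absent weighting. The following is an added illustration of that idea, not code from this thread or from any product mentioned in it: it learns a weight for each indicator as a log-likelihood ratio from constructed labelled samples (with Laplace smoothing so an indicator never seen in one class does not produce an infinite weight), then compares an unweighted "any indicator fires" rule against the weighted score. The indicator names and both sample sets are invented for the example.

```python
"""
Toy weighted heuristic classifier (constructed example).

Each sample is the set of indicators it triggered.  Weights are learned from
labelled "known good" / "known bad" sets as smoothed log-likelihood ratios
ln(P(indicator | bad) / P(indicator | good)).  Indicators common to both
classes end up near zero; indicators more typical of benign samples go
negative and pull the score down instead of adding to the noise.
"""
import math
from typing import Callable, Dict, FrozenSet, List, Tuple

Sample = FrozenSet[str]

# Constructed sample sets; indicator names are hypothetical placeholders,
# not real product signatures.
KNOWN_BAD: List[Sample] = [
    frozenset({"packed", "writes_autorun", "high_entropy_section", "no_signature"}),
    frozenset({"packed", "writes_autorun", "no_signature"}),
    frozenset({"writes_autorun", "high_entropy_section", "no_signature", "imports_crypto"}),
    frozenset({"packed", "high_entropy_section", "no_signature"}),
    frozenset({"writes_autorun", "no_signature", "large_size"}),
]
KNOWN_GOOD: List[Sample] = [
    frozenset({"no_signature", "imports_crypto"}),
    frozenset({"no_signature", "large_size"}),
    frozenset({"imports_crypto", "large_size"}),
    frozenset({"no_signature"}),
    frozenset({"packed", "no_signature"}),          # a legitimately packed installer
    frozenset({"imports_crypto", "large_size"}),
    frozenset({"no_signature", "large_size"}),
    frozenset({"large_size"}),
    frozenset({"no_signature", "imports_crypto", "large_size"}),
    frozenset({"high_entropy_section", "large_size"}),  # compressed resource
]


def indicator_weights(good: List[Sample], bad: List[Sample]) -> Dict[str, float]:
    """Smoothed log-likelihood ratio per indicator, learned from the two sets."""
    names = set().union(*good, *bad)
    weights: Dict[str, float] = {}
    for name in names:
        good_hits = sum(name in s for s in good)
        bad_hits = sum(name in s for s in bad)
        # Laplace (add-one) smoothing: an indicator absent from one class gets a
        # large but finite weight rather than log(0).
        p_bad = (bad_hits + 1) / (len(bad) + 2)
        p_good = (good_hits + 1) / (len(good) + 2)
        weights[name] = math.log(p_bad / p_good)
    return weights


def weighted_score(sample: Sample, weights: Dict[str, float]) -> float:
    """Sum of learned weights; unknown indicators contribute nothing."""
    return sum(weights.get(name, 0.0) for name in sample)


def unweighted_score(sample: Sample) -> int:
    """The 'wide net': every indicator counts the same, one point each."""
    return len(sample)


def evaluate(scorer: Callable[[Sample], float], threshold: float,
             good: List[Sample], bad: List[Sample]) -> Tuple[int, int]:
    """Return (true positives, false positives) at the given threshold."""
    tp = sum(scorer(s) >= threshold for s in bad)
    fp = sum(scorer(s) >= threshold for s in good)
    return tp, fp


if __name__ == "__main__":
    w = indicator_weights(KNOWN_GOOD, KNOWN_BAD)
    for name, value in sorted(w.items(), key=lambda kv: -kv[1]):
        print(f"{name:22s} {value:+.3f}")
    # Any single indicator flags the sample: catches all bad, and all good.
    print("unweighted, threshold 1:", evaluate(unweighted_score, 1, KNOWN_GOOD, KNOWN_BAD))
    # Weighted: same detection, one false positive (the packed installer).
    print("weighted,   threshold 1.0:", evaluate(lambda s: weighted_score(s, w), 1.0,
                                                 KNOWN_GOOD, KNOWN_BAD))
```

Two caveats worth keeping in mind when reading the output. First, the samples are scored against the same set they were learned from, which only serves to show the mechanism; any real measurement of false-positive rate has to use held-out data. Second, the one false positive that survives weighting (the packed installer) is exactly the case the comment above makes about needing a large, representative "known good" set: with only one benign packed sample in ten, "packed" still looks like a strong indicator, and only more benign coverage would pull that weight down.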
