Hacking: What Journalists Need to Know. A Conversation with Bruce Schneier
The hacking of Democratic Party organizations has made internet security germane to the 2016 presidential election campaign. America's intelligence community has accused high-level Russian officials of backing these cyberattacks in an attempt to influence the election result. Such allegations have helped thrust relations between Washington and Moscow to their lowest point in decades.
Meanwhile, the integrity of America's internet infrastructure was tested on Oct. 21, 2016, with a distributed denial-of-service (DDoS) attack.
Journalist's Resource spoke with security expert Bruce Schneier about the attacks and what journalists need to know. The interview, conducted by email while Schneier was traveling, has been edited for length.
Schneier is the chief technology officer at Resilient (an IBM company focused on security), a board member at the Electronic Frontier Foundation, a fellow at Harvard University's Belfer Center for Science and International Affairs and a New York Times best-selling author. His blog, Schneier on Security, is a resource for security specialists and journalists alike. He wrote a prescient piece about DDoS attacks on his blog a month before the 2016 attack on Dyn.
When the U.S. government says the email hacks are coming from Russia, what is it that they are looking at? In your book Data and Goliath, you write that often we can only suspect a source based on possible motivations. Are you able to explain to journalists how the government might know or track the source?
Attack attribution is complicated in cyberspace, and journalists are right to be skeptical of any official attribution. In some cases, the forensics makes it relatively easy to identify attackers. In other cases, it's impossible. The deciding factors are generally the technical skill of the attacker and the attributor. It is possible to "false flag" attacks. That is, to make them appear to come from somewhere they're not. There are also instances where only the pervasive internet eavesdropping capabilities of the NSA allow us to attribute an attack, and in those instances the details of that attribution will remain secret.
In every case, though, it is far easier to attribute an attacker to a particular region or computer than to a person or organization. For example, it can be impossible to know if a particular attack from China is state-sponsored, done by a hacking organization with the tacit approval of the Chinese government, or done by a lone hacker without the government's knowledge. Recently, Yahoo claimed that their massive hack was "state sponsored." It wasn't, but the claim was their way to claim that the attackers were very sophisticated, and that the press shouldn't blame them for their shoddy security.
Are there red flags journalists should look out for to better scrutinize organizations' attribution of attacks to particular sources?
Honestly, just know that you don't have the technical chops to tell the difference between a legitimate attribution and wishful thinking. Get technical help.
Are there any caveats journalists should regularly write into their pieces when citing organizations' attribution of attacks to particular sources? Can malware designed for a specific cyberattack then go on to live a life of its own, causing "accidental" additional hacks?
I would avoid the "life on its own" metaphor, since that points to artificial intelligence and the stuff of movie plots.
More specifically, though, the answer is yes. It's very hard to tailor a piece of malware for a specific cyberattack, because there's rarely anything specific about a given target. Everyone uses the same software, the same operating systems, the same applications software, the same internet protocols. So malware has to be pretty general by design. This is more true the more autonomous the software is. If there's a person—whether a criminal or a government soldier—hacking into a network, there's not a lot of spillover. But if that same person releases a cyberweapon into the wild intended for a specific target, collateral damage is inevitable.
Intelligence experts sometimes say that divulging certain details of a cyberattack can reveal too much about a government's cyber intelligence methods and capabilities, thus giving cyber foes an edge. Would you say this is true and a legitimate security concern?
It is, and that makes attribution especially difficult. If the "sources and methods"—as they're called—are more secret than the information collected from those sources and by those methods, then that information won't be revealed to the public. We saw this in the North Korean attack against Sony. The U.S. government had attribution information, probably from NSA eavesdropping, but it couldn't make that information public. They basically asked the world to trust them, and many people did not.
What might be some of the technical concerns about potential hacking on Election Day?
This is a complicated question, and a complete answer will fill this entire publication.
Briefly, there are three areas of concern. The first are the voting rolls that determine who is allowed to vote. The second are the voting machines themselves, especially the computerized touch-screen machines with no voter-verifiable paper audit trail. And the third is the tabulation system, as the results from each machine are combined into a final result. All of those three areas are vulnerable to hacking, although the practical problems of pulling off a successful hack are much more complicated than is generally reported. Even so, the vulnerabilities are critical to fix because the system must be trusted. Elections serve two purposes. The first is to choose the winner, and the second is to convince the loser that he lost fairly. Everyone must trust the system.
My primary concern surrounding Election Day is not that the election will be hacked, but that it will be claimed to be hacked and we will have no way to verify that it wasn't.
What should journalists remember when they are writing about cyber threats?
Computers are taking over the world. Your smartphone is a small portable computer that happens to make phone calls. Your refrigerator is a computer that keeps things cold. Your oven is a computer that makes things hot. An ATM machine is a computer with money inside. Your car is not a mechanical device with some computers in it. It's a computer with four wheels and an engine. […]
Cyber threats are not just threats. They're threats to our homes, our families, our businesses, our country. Understanding the risks of any technology in the 21st century means understanding cyber threats. As to specifics: journalists should learn enough to understand what they're reporting on.
Are you seeing anything missing from the current reporting about the hacks? If so, what?
I would like stories about computers and hacking to contain more nuance—what's happening and what's possible; what it means in context, and what it doesn't mean. Too much reporting is worst-case "what if" scenarios and wild speculation. It might be better headlines to report this way, but it isn't the best way to inform the public.
What are the biggest security concerns you think journalists need to be following?
I am worried about the increasing legal uses of data by governments and corporations, and the increasing vulnerabilities stemming from computers having the ability to affect the world in a direct and physical manner. Both will change our notions of risk and security in ways we cannot yet comprehend.
I also worry about government creating internet policy without understanding how the internet actually works. There is a huge gap between policymakers and technologists, and that will result in both bad policy and bad technology.
What are some ways for journalists to protect themselves?
This is a complicated question, and journalists should seek advice outside this short paragraph. I recommend the Committee to Protect Journalists, and any of the good security guides you can find by typing "computer security for journalists" into your search engine. It's important that journalists take steps to protect both themselves and their sources, especially in countries where freedom of the press is at risk.
- The Electronic Frontier Foundation is a nonprofit that defends civil liberties on the internet.
- The Berkman Klein Center at Harvard University publishes research on all aspects of the internet and the law, including cybersecurity.
- Brian Krebs, a former reporter for the Washington Post, authors an insightful blog on internet security.
- Radio Free Europe has a timeline of major cyber attacks, including suspected sources.