You Don’t Need to Catch Hackers in the Act, but Cyber Attribution is Hard

President-elect Donald Trump is on offense against the intelligence community’s conclusion that the Russian government meddled in the U.S. election, declaring intel officials are in the tank for Democrats and there’s no way to know much of anything in cyberspace unless you catch a hacker in the act.

Trump’s wrong, but not as wrong as many think.

Figuring out who did what in cyberspace is rarely a cut and dried proposition. Attribution requires intense study, extensive documentation and balancing myriad streams of evidence. Even then, intelligence agencies and most private sector threat trackers speak in probabilities and levels of confidence rather than hard conclusions.

“Unless you have physical, forensic evidence, someone at the keyboard operating that attack, you’ll never have 100 percent confidence,” said Justin Harvey, managing director for Accenture’s incident response practice. “We’re living in a world where attribution is you’re basically beyond a reasonable doubt … I live in a 90 percent kind of world.”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Harvey previously worked for both Mandiant and Fidelis, two leading cybersecurity firms that reviewed and supported the assessment by cyber firm CrowdStrike that Russian hacking groups nicknamed “Cozy Bear” and “Fancy Bear” were responsible for breaches at the Democratic National Committee and Democratic Congressional Campaign Committee.

Having reviewed some of the private evidence from those investigations, Harvey said he’s confident the assessment is correct. If non-insiders doubt the conclusions, however, he understands.

Based on evidence made public, he said, that case would be much more difficult to make.

“I think it’s valid for some people to be doubtful because not everyone is a forensic investigator,” Harvey said. “Attribution is not an exact science and there are going to be people who have doubts. I think that’s valid and healthy.”

Fidelis Threat Systems Manager John Bambenek, who reviewed CrowdStrike’s evidence, puts his confidence level at 95 percent.

“As a general rule, anyone who says their confidence is 100 percent is probably not doing their work,” he said. “The first and most important question any intelligence analyst should have is: ‘Do I really know what I think I know.’”

In this case, CrowdStrike and Fidelis relied on several years of evidence from other hacks by Cozy Bear and Fancy Bear, also known as APT 28 and APT 29, including email breaches at the White House, State Department and Joint Chiefs of Staff. That evidence includes the malware used, the locations of computers and phishing emails that trick targets into downloading malware.

APT stands for “advanced persistent threat,” a term generally applied to nation state-backed hacking groups.

Bambenek compared the investigation process to literary scholars assessing whether a play purported to be written by Shakespeare is the genuine article.

“If you have enough data on something, invariably, there are fingerprints,” he said. “If you read all of Shakespeare’s manuscripts, his language, his oddities of grammar, the patterns, you can say [when confronted with a new manuscript], this is Shakespeare or this is someone pretending to be him.”

In response to claims, made by former UN Ambassador John Bolton and others, that the breach could have been a “false flag” operation in which one actor pretends to be another to throw investigators off the scent, Bambenek acknowledged he can’t rule that out 100 percent.

However, it would make little sense for any actor capable of such an operation to mount it, he said.

“Could China do it? Yeah. But why would China do it? A Trump presidency harms them,” he said.

The Israeli and Iranian governments might also be capable of such an operation, he said, but it would be out of character for both and likely contrary to Iran’s interests.

The assertion by Bolton, a possible Trump administration nominee, that the Obama administration might have carried out the operation, of course, begs the question why on Earth a Democratic president would want to harm the Democratic candidate for the presidency whom he was widely campaigning for.

To be clear, Trump is not confined to publicly available information or even to the information CrowdStrike and other firms have collected about the breaches. As president elect, he can review and interrogate information collected by intelligence agencies, which likely goes far beyond what CrowdStrike or another private sector firm can gather.  

That likely includes human intelligence, such as tips from people close to the Russian government, and signals intelligence, such as compromised communications networks, said Jaime Blasco, vice president and chief scientist at the cybersecurity firm Alien Vault.

The publicly available evidence gives Blasco high confidence that Fancy Bear and Cozy Bear were behind the DNC and DCCC hacks, Blasco said. The conclusion by intelligence agencies confirming this—and stating those groups are directed by the Russian government—puts him over the edge, he said.

“The 10 to 15 percent of room that it could not be them, they fill that in with other sources of intelligence,” he said. “If you believe the intelligence agencies in this country are very good—and I strongly believe that’s the case—then they often know in advance when these guys are targeting a new company, individual or organization.”

Trump told Time magazine in an interview he believes intelligence agencies’ conclusion in this case was politically driven. His transition team also noted in a statement that “these are the same people that said Saddam Hussein had weapons of mass destruction,” referencing the most public intelligence failure of recent decades.

An independent commission that reviewed the intelligence conclusion that Iraq had chemical and biological weapons in advance of the 2003 U.S. invasion found the intelligence community was “dead wrong in almost all of its pre-war judgments about Iraq’s weapons of mass destruction,” but also found “no indication that the intelligence community distorted the evidence.”

A 2008 bipartisan Senate Intelligence Committee report also found the Bush administration massaged available intelligence to make its case for war.

Cybersecurity consultant Jeffrey Carr is one of the few cyber analysts who remains wholly unconvinced by intelligence agency and private sector claims about the DNC breach. Based on publicly available information, Carr says, he believes Russian-speaking hackers were responsible for the breach but is not convinced they’re connected to the Russian government.

Carr is a well-known skeptic in cyber circles and long questioned intelligence agencies’ conclusion that North Korea was responsible for the Sony Pictures Entertainment breach in 2014. He was ultimately convinced of the North Korea attribution, he said, because a sufficient number and diversity of intelligence officials backed it up in public statements.

In the DNC case, Carr said, he’s concerned intelligence agencies rushed to a conclusion because of political and public pressure and didn’t sufficiently question whether the evidence they’d gathered was sufficient to support their conclusion.

For example, agencies may have relied too much on logical assumptions in place of firm evidence—such as the Russian government had a greater interest than any other U.S. adversary in destabilizing a U.S. election and promoting Trump’s election and that other Cozy Bear and Fancy Bear targets are consistent with Russian government interests.

He’s particularly concerned by one line in the Oct. 7 attribution statement from the director of national intelligence: “We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities,” which he called a “mealy-mouthed assessment of responsibility.”

“They basically said they’re making this statement because only the Russian government could have orchestrated this,” he said. “That’s just blatantly false. What they should have said is, ‘we’re making this statement because we have classified evidence that beyond a doubt it was the Russian government that directed this activity.”

It is possible the intelligence community does have sufficient proof the Russian government was behind the breach but simply hasn’t made the case strongly enough, Carr said.

“If the CIA actually has evidence that an employee of the GRU [Russia’s largest foreign intelligence agency] is directing or has directed this campaign, that’s open and shut. It’s a slam dunk,” he said. “I suspect that’s not the case because we still have confusion in the government leaks and discrepancies and disputes. If that evidence existed, there’d be bipartisan support to take action against the Russian government and we don’t have that.”

He also stressed he did not support Trump’s candidacy and that the president elect has made an “irresponsible” decision in choosing not to receive regular intelligence briefings so he can better judge the quality of the intelligence he’s receiving.

“It’s really hard when there’s somebody you don’t like and is not fit for office who says some things that you agree with and he’s right in certain respect,” he said. “He’s right there’s no proof it was the Russian government. He’s right that there are intelligence failures.”