As the cybersecurity expert Bruce Schneier puts it, “Maybe the [National Security Agency] has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical. We don’t know who did this, and we may never find out.”
So what does the FBI know that the rest of us don’t? Possibly a lot. (The Bureau hasn’t revealed, for instance, whether it has signals or human intelligence to back up its claim.) Possibly nothing.
To understand why such debate rages, it is necessary to understand why the issue of “attribution,” in the field’s jargon, is such a tricky one. “Attributing Cyber Attacks,” a new paper published today by Thomas Rid and Ben Buchanan, scholars at the War Studies department of King’s College London, offers a handy—and timely—guide.
Rid and Buchanan conducted focus groups with commercial security software vendors and spoke to intelligence officials to survey the state of attribution today and to offer best practices for investigators. The result is a paper, published in the Journal of Strategic Studies, that lays out in detail what is at stake when investigating a cyberattack, how to go about finding a culprit, and—crucially for the question of whether North Korea did it—how to communicate that information.
The answer to the first question—what is at stake—is partly a question of politics: “The more severe the consequences of a specific incident, and the higher its damage, the more resources and political capital will a government invest in identifying the perpetrators,” the authors write.
The Sony attack is high-profile in terms of the financial and reputational damage it caused, but it is also one that goes to the heart of what it means to be American. Threats against free speech (in the form of censorship of The Interview, a satirical film about assassinating North Korea’s leader) are a fundamental and emotional issue in the United States. It seems safe to assume there was enough political will to ensure that the FBI’s investigation did not lack for resources.
The second, how to figure out who did the deed, is a more complicated issue, dealt with at great length over the 30-odd pages of the paper. It is not necessary to go into the more than two dozen areas of questioning that the authors list; the important part is to remember, they argue, that attribution is not usually an open-and-shut case of knowing who did it.
“On a strategic level conclusions are yet further removed from forensic artefacts, and may contain a significant amount of assumptions and judgement,” the authors write. An important part of that is to bring to bear past experience, as well as connecting dots between various agencies, investigators, and sources. They may not provide incontrovertible evidence, but together they can give investigators a high degree of confidence in their hypothesis. The FBI and its peers in the intelligence community probably do know something that any individual cybersecurity professional doesn’t: The experience of several thousand experts will invariably trounce the intuition of one man.
Which leads nicely to the third point, communication. This is as important as the investigation, Rid and Buchanan argue. Part of the reason the FBI’s conclusions are unconvincing for many is that the agency offers no insight into how it arrived at them.
It’s a thorny issue, the authors acknowledge: “Publicising intelligence can harm sources as well as methods,” they write. Still, they point out, “more openness has three critical benefits: communicating more details means improved credibility, improved attribution, and improved defences.”
Had the FBI provided even a few details of how it came to point the finger at North Korea, security experts might have been less skeptical. Moreover, making security holes public helps others avoid such attacks, and sharing information about how they are addressed helps others extricate themselves from similar predicaments. Openness certainly helped with the Stuxnet virus, a computer worm whose origins and purpose were uncovered by various investigators and agencies working independently but learning from each other.
The quality (or believability, in this case) of any answer also boils down to available resources, time, and the level of the adversary’s sophistication. Few would doubt the resources available to the American defense establishment. The sophistication of a paranoid, militaristic regime is up for question; there are too many rumors about the country for most people to be able to separate fact from fiction.
But the speed with which the FBI came to its conclusion still surprised many. Had it communicated its message better and with more transparency, perhaps it would have received a more welcoming reception.