Misuse of Language: ‘Cyber’; When War is Not a War, and a Weapon is Not a Weapon

In this Threatpost op-ed, Dave Dittrich and Katherine Carpenter discuss the imprecision in language surrounding “cyber war” and “cyber weapons,” and explain how this may contribute to bad law and policy.

An alternative perspective would evaluate the effects of a technological incident and assess whether or not the outcome of the incident is tantamount to an “act of war” that would justify a response. According to Matt Tait: “We need to proceed with care and precision in the response to this attack, not least because it will set the normative precedent for responses to attributed-but-denied collateral mass-leaks of private citizen data by foreign governments in the future.”

Risky Business

The laws of armed conflict do require physical damage, injury to persons, etc. Using the term “war” to push the federal government into hasty action is a risky move.

Thomas Rid similarly weighed in on this story. He points to metadata within documents (which he claims were produced or modified by the leaker) as proof of origin. (Of course, the metadata could just as easily have been left there on purpose as by mistake.)

Before responding to Rid’s conclusions, we should state that our critique is not an attempt to debunk anyone’s findings, or exonerate any suspects. Rid said, “One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address —176.31.112[.]10— that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers.”

Using an IP address alone, “hard-coded” in a piece of malware or not, is insufficient proof of attribution for something as serious as this incident. An expert can come up with multiple ways in which finding an IP address in a piece of malware can mislead a naive analyst, or an analyst trying to support a predetermined conclusion. IP addresses are not authenticated in any way (unlike, say, a cryptographic hash of a document) to prove accuracy or ownership. They are not, as Rid suggests, “the equivalent of identical fingerprints found in two burglarized buildings.” IP addresses are far less reliable, and far easier to fake, than human fingerprints.

This IP address could point to a system that is a proxy or relay, allowing multiple actors to use the same address. Anyone on the same network can appropriate the IP address and use it (instead of the original host that may be under control of someone else). BGP route hijacking goes on all the time, so a route hijack could send traffic destined to that IP address to an entirely different network and host, or the IP address in the malware might not actually be used as an IP address directly (perhaps instead used to calculate or look up some other address).

An IP address coded into malware may not be used directly to open a TCP socket connection, but instead serve as a lookup key for an obfuscated IP address that is only resolved at run time. All of these are actual events that have occurred in the past, which reverse engineers and security operators have misdiagnosed, or discovered at the last minute, forcing a significant change in tactics just before a botnet takedown. Focusing on the IP address observation alone, one would need to provide contemporaneous evidence to support or refute the hypothesis that a specific IP address, at a specific time, was the specific means and method for committing a crime in order to meet a “beyond a reasonable doubt” standard. Treating that single observable as a “fact” and combining it with other observable “facts” derived from material known to be stolen, with no chain of custody before it appeared on Wikileaks, is not much better.
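The analyst-side check implied by the two preceding paragraphs, as an added example that is not part of the original op-ed: a naive string scan of a sample is compared against the endpoints the host actually contacted while the sample ran. The sample bytes, the connection log and all addresses (drawn from the documentation ranges) are constructed for illustration; the function names are hypothetical.

```python
import re
import ipaddress

# Dotted quads not glued to other digits; a pre-filter, not a validator.
IP_LITERAL = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Constructed "binary": carries one printable dotted-quad literal, the kind of
# thing a strings-style pass would surface. (Documentation-range address.)
SAMPLE_BLOB = b"\x7fELF..." b"config=192.0.2.10;mode=relay\x00" b"\x00\x10\x20"

# Constructed connection log recorded on the same host while the sample ran:
# timestamp, destination address, destination port.
CONNECTION_LOG = """\
2016-07-27T10:00:01Z 198.51.100.7 443
2016-07-27T10:00:05Z 198.51.100.7 443
2016-07-27T10:02:11Z 203.0.113.44 80
"""


def extract_ip_literals(blob: bytes) -> set[str]:
    """What a naive static pass reports: every dotted quad that parses as IPv4."""
    found = set()
    for m in IP_LITERAL.finditer(blob):
        try:
            found.add(str(ipaddress.IPv4Address(m.group().decode())))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return found


def observed_endpoints(log: str) -> set[str]:
    """Destination addresses actually contacted, from the constructed log."""
    return {line.split()[1] for line in log.splitlines() if line.strip()}


def compare(blob: bytes, log: str) -> dict[str, set[str]]:
    """Split static literals and runtime endpoints into three evidentiary buckets."""
    static = extract_ip_literals(blob)
    runtime = observed_endpoints(log)
    return {
        # literal present in the sample AND contacted at run time
        "corroborated": static & runtime,
        # in the sample but never contacted: decoy, lookup key, or stale value
        "static_only": static - runtime,
        # contacted but absent as a literal: derived or obfuscated at run time
        "runtime_only": runtime - static,
    }
```

Only the "corroborated" bucket ties a hard-coded literal to observed behaviour; anything in the other two buckets is exactly the kind of single observable the text warns against treating as fact.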

High-ranking members of the House and Senate Intelligence Committees have called for the declassification of information about the intrusion, which is a requisite step to any public discussion of evidence the federal government may have that could support assertions by the private sector in news stories.

We are engaging in this conversation, not to debunk the claims of attribution, but to illustrate that “cyber incidents” are much more complicated than they seem to an unfamiliar observer, and that proper analysis of multipoint evidence, which can be proven with a high degree of accuracy to link events, at specific times, up and down the TCP/IP (or ISO) application stack, is necessary to reach a “beyond a reasonable doubt” standard of evidence that could be used in a criminal court of law.

Following the facts, wherever they lead, and supporting assertions with multiple sources of information (hopefully from sources that are not under the control of the suspect) is hard, but necessary, work. The court of public opinion in blogs and breathless news stories, in the heat of the current news cycle, comes nowhere near that evidentiary standard of proof, which makes them mere assertions and accusations at best, or speculation at worst. Having a financial or political motive to promote a given story line just adds another level of cyber fog.

Continuing to misuse terms like “attack,” “cyber war,” and “cyber weapon” when talking about cyber incidents increases the likelihood of poor legislation, regulation, and law. This could put the public at risk of collateral damage from overly aggressive responses to cyber incidents and exposes the industry to excessive restrictions on research activity due to misguided attempts at arms control regulations. Neither result is good for the public or our industry.
