Hacking the DNC is not as much about Russia's cyber skills, but weaponizing the gained information by leaking it. Yet, insufficient technical attribution may make us vulnerable in the information-psychological domain. This is why we should word our blame game very carefully.
It appears the US elections have been rigged. Numerous US states’ voter registration systems have faced multiple hacking attempts. The Democratic National Congress was double-breached by two APT (advanced persistent threat) campaigns. Their voicemail messages, emails and other material were leaked. Now the public has been convinced that we are threatened by vicious Russian hackers thriving with an endless governmental budget.
So what? Why would this make a difference? Let us assume the entire objective of the breach was not to leak useless voice mails, but to create cacophony around the original objectives of the constant debate.
It really does make a difference. Even talking about the contents of the leaked materials might turn out useless. The entire conversation undermines the public trust to the US governmental system and blurs the possibilities to reach to the currently important information.
But there really is much more than meets the eye. I’d love to say the devil is in the detail, but I’d hate to err as I wouldn’t be able to prove those details at the time of writing. Preferably, the devil is in the details of attribution and analysis.
As Mika Aaltola from Finnish Institute of International Relations and Mariita Mattiisen from Estonian Atlantic Treaty Association write on their briefing paper Election Hacking in Democracies, no evidence has yet emerged about e-voting machines being breached. The risk appears real, though.
Remember these, for example?
1. A day before the presidential election in Ukraine, the local security service SBU discovered malware in the Central Election Comission’s systems. It has been told that the malware was designed to compromise data collected on the election results.
2. The same APT campaign targeting DNC has been detected targeting German MP’s and the parliament of Germany, the Bundestag. Common fears have been raised that the actual target could be next year’s elections.
3. Andrés Sepúlveda ran a team that rigged various major presidential campaigns across Latin America for eight years. His team hacked, stole data, manipulated social media, created fake news and helped Mexico’s president Enrique Peña Nieto win.
4. A Finnish security researcher Harri Hursti discovered vulnerabilities in optical scan voting machines back in 2005. Hursti is a whitehat, so he helped to fix the vulnerabilities instead of selling them to some vicious entity.
Many might not remember that just a few years ago Hursti was part of an independent group conducting a security research on Estonian e-voting systems. They were able to pinpoint vulnerabilities, but the matter appeared rather touchy: the research team’s findings were downplayed as a pro-Russian information operation, seasoned with hints that the Estonian center-right party Keskerakond paid for the researchers’ flights to Estonia when presenting their findings.
There are differences in the level harm what it comes to interfering with elections. In those two cases involving Harri Hursti, no damage was done. What it comes to the case of DNC, the level on harm is still yet to be determined. But apparently some harm exists. It is unlikely US would take such a bold step of publicly blaming Russia for it unless the matter was found harmful.
Aaltola writes that “The signs of at least some level of election interference in several important elections and referendums should be a clear danger-sign that requires counteractions.”
Evaluating proportionate counteractions is tricky, as they should not lead to further escalation. As it is difficult to apply the rules of criminal hacking one-to-one in a context of a textbook example of information warfare with the cyber context employed, it would be absurd to assume there would be some form of an even hack-back.
We must also consider the public attribution. If hacking the DNC was merely a criminal investigation, most of us wouldn’t cry the wolf on a murder case unless the police has caught the killer red-handed. This of course isn’t the case, for two reasons: this is geopolitics, and on the other hand, this is cybersecurity.
With cyber matters, gathering that scarce and questionable evidence for attribution has evolved into a state of art. Unfortunately it seldom gets the recognition it deserves as there is often outside pressure included especially when nation state actors are involved.
In the case of breaching the DNC, the evidence looks fairly clear. It can be supported by the notion that in the case of Ukraine’s elections as well as Germany’s Bundestag, the same APT campaign was used. Just recently USA took the course of openly blaming Russia for the DNC breaches. If the recent notion of the Republican party being targeted is also included in this blame game, is unclear at the time of writing.
Most likely there is hard evidence to support such a serious act of officially blaming Russia for the deeds. This has not always been the case, though. Such attacks make breaking news with flashy headlines, and as a journalist I have no difficulties in understanding why. Thus attribution and all kinds of speculations related to it make an easy tool of free PR.
As Brian Bartholomew and Juan Andres Guerrero-Saade from Kaspersky lab worded on their whitepaper about the complicity of attribution:
“An eager but sometimes technically naïve media machine is abused to the detriment of the threat intelligence production landscape. In an effort to foster a sense of balanced debate, media outlets have entertained any sign of contention in the research community, lending credence to doubt even where there is little ambiguity and breeding a class of pundits charitably referred to as professional cyber-truthers, who have built careers on the basis of sparsely substantiated contrarian attributory claims.”
And let me tell you, information security is a very big, global market. I have personally encountered quite a few of these “cyber-truthers” during these couple of years I’ve dealt with cyber matters. They are problematic not only in the respect of twisting the information security market where PR value adds to market value, but also on the grounds of threat assessment. One might happily assume that sexy headlines about threats don’t make a difference in the real world. But from a journalistic point of view assuming so would be irresponsible and often also against common press ethics.
In such cases with foreign policy strongly involved, there of course is much more to the holistic approach than just technical attribution. Yet it appears that various counts of Fancybear aka APT28 aka Sofacy aka PawnStorm being caught before should have by now contributed to an adequate set of evidence. Such an obnoxious modus operandi really does suit well to Russia’s recent acts of foreign policy elsewhere, as well as plausible deniability.
It’s a valid argument that Russia has taken considerable risks with weaponizing the information it has gained from this “Watergate” of a breach. Why? Another campaign called Red October, most likely put together and operated by entities in Russia, withdrew immediately after being exposed.
The answer for the recent actions appears clear: for the sake of deterrence. The two APT campaigns revealed inside DNC’s systems are fairly well documented before. If staying covert was important for the operators of those campaigns, they would have withdrawn years ago.
These toolsets APT28 and APT29 (and various other names given by other companies tracking the same campaigns) can be assumed efficient enough for their purpose to keep on going. Their antics are productive. Most often they are attributed to Russia, who during the previous years:
- has been glad to keep sending its conscripts and weapons to Ukrainian soil, no matter how many the public sightings and how hard the diplomatic pressure around the matter is
- has been documented by its own TV to using cluster munitions in Syria and denying the obvious also on various other issues
- Prefers to identify itself as a fortress under siege. What can you expect one to do but to justify its own, hostile actions?
Now that most of us at the moment do not know how US is about to deal with an adequate response to Russia's actions, one must hope that the forensic teams working on the US evidence have done more than most of the “cyber-truthers”, us newshounds and many highly skilled private sector’s cybersecurity professionals, who also still seem to lack the smoking gun evidence for these campaings’ abouts.
Robert D. Folker Jr has an interesting example of how we are coming into conclusions with negligent processes on forming a hypothesis. In his paper Intelligence Analysis In Theater Joint Intelligence Centers from 2000 Folker explains how he had two types of teams: an experimental team and a control team. The experimental team was first given training in order for testing their hypothesis, and the control group was not. After reading scenarios, the control group formed a hypothesis and then gathered information but the experimental group examined all information before forming a hypothesis. The control group was only able to cite some tidbits of key information, as the experimental group worked their way comprehensively through all options and if new information emerged, it was easier for them to adapt.
“Members of the control group seemed to be looking for the one piece of information—the “Holy Grail”— that would make sense of everything else.”
According to Jeffrey Carr, the founder of Suits and Spooks concept, this applies to as well to cyber threat intelligence. Having one's hypothesis preset makes one liable to look for information to support that pre-existing mindset. Imagine having a group of police officers who all believe that blacks are criminals, and given a murder scene with suspect options of a black guy, a white guy and a latin guy. Who are they likely to investigate most comprehensively?
On the respect of political analysis, there is not much else to point to but Russia. Yet, if I was working for Chinese People’s Liberation Army’s cyber offensives at the moment, I’d disguise myself as a Russian and run amok with for example cybercrime. There would be so many more people in the threat intelligence community looking into Russia and happy to blame them.
This is exactly what Russians probably did when breaching the French TV5 Monde as pro-Isis group called Cyber Caliphate.
At the point of writing, it is yet unclear how the DNC hack has been attributed to two different Russian intelligence services, the military intelligence GRU and internal security service FSB. However, it would be wise to assume at this point that there is enough for convincing attribution to Russian origins whatsoever.
Is there, I do not know. I am just a journalist. But gathering information and constructing a hypothesis, based preferably on the core facts, is also a vital part of my job. I am deeply devoted for trying to provide my audience with the most accurate information possible.
One must also remember that the uncertainties in attribution function as a smokescreen. This smokescreen is a function that is very easy to turn against ourselves, as it is to our culture to demand for evidence. Thus this demand can also be used against us: if we cannot prove what happened, this weakness may be pointed out in order to make us appear mistaken. As RT’s (previously Russia Today), a state-funded international media group’s slogan sharply states: “question more”.
If there is not enough evidence, our conclusions will be questioned. Thus the actions of USA at the moment bear a highly underestimated risk factor which is not as much “cyber” but, as Russia would call it: “information-psychological”. This means we are at risk of turning against each other on the grounds of weaponizing information. The method is called reflexive control.
This is why I would find it useful for US government to present as much evidence as possible on the DNC hacks. The public might demand it sooner or later. Thus proactivity would be advisable.
I am kindly asking my fellow journalists not to jump into conclusions. Making sexy headlines based on scarce facts reminds me of Folker Jr’s control group searching for that Holy Grail. Our general view depends on crumbs of information, bits of attribution making us running blind in the wild.
All journalists should know accuracy equals to trustworthiness, which stands a core value to democracy. Democratic values might be the core target. This is why reporting on geopolitics, cyber issues and at the moment, US elections, deserves careful attention.
Aaltola also pointed out something noteworthy from Søren Kierkegaard:
“Life can only be understood backwards, but it must be lived forwards.”
The political stakes are clearly rather high, and political actions have to proceed forward based on the most virtuous and balanced strategy possible. Yet, the strategies and methods are not indifferent. It’s not as much about what one does, but how one does it.
We must stay true to our culture and core values when dealing with such delicate matters. This includes the ultimate approach for accuracy. Otherwise we may become a risk to ourselves.
Wave your false flags! ...or the Nightmares and Nuances of a Self-Aware Attribution Space
Intelligence Analysis In Theater Joint Intelligence Centers (pdf)
How Russia Pulled Off the Biggest Election Hack in U.S. History by Thomas Rid
Jeffrey Carr's posts on Medium
”We have to think twice and be very cautious about retaliating in a cyber context” (James Clapper)