Americans and the news media have displayed a great willingness to believe that the Russian government stands behind the theft and release of emails that may have helped Donald Trump win the U.S. presidential election.
They should keep in mind that, despite the “high confidence” of intelligence agencies, tracing a data breach is almost never a sure thing.
Two years ago, Sony Pictures suffered an embarrassing hack that released a trove of confidential data. After four weeks of research, the Federal Bureau of Investigation concluded that the North Korean government was responsible. An FBI press release explained that the conclusion was based partly on the fact that the malware used on Sony was similar to tools found in previous attacks attributed to North Korea.
In that case, blaming North Korea made sense. The attack was accompanied by a demand that Sony Pictures pull its film “The Interview,” a tasteless comedy depicting an effort to assassinate North Korean leader Kim Jong-un. It seems plausible that Kim might be self-absorbed enough to order a cyber attack to stop the release of an unflattering movie.
Then in February, the Bangladeshi central bank fell victim to an $81 million cyber heist. Upon examining the tools used, security researchers discovered the same type of malware that was used against Sony Pictures, including identical encryption keys. As one security researcher explained: “If you believe North Korea was behind (the Sony Pictures) attacks, then the bank attacks were also the work of North Korea.”
Well, wait a minute. That seems a bit out of character. North Korea doesn’t have a history of conducting bank heists for financial gain, and the same attacks were attempted on other banks all around the world. Are we supposed to believe that the North Korean government was responsible for everything?
The attribution of a cyber attack to a particular nation-state often relies on the results of previous assessments, and on the assumption that those earlier assessments were correct. Problem is, there’s rarely any affirmative validation. If we correctly identify North Korea as the perpetrator of a hack, no North Korean official will come forward and say, “Whoops! You got us!”
Many security experts doubted the FBI’s original assessment of the Sony hack, including one researcher who previously infiltrated Sony’s network himself. Sony Group has a long and well-documented history of network breaches across all its subsidiaries. Why did the FBI blame North Korea and not somebody sitting in a bed someplace?
Assessing a cyber attack is more art than science. Intelligence analysis deals with information that is often intentionally deceptive. As Central Intelligence Agency veteran Richards Heuer explains, “The significance of information is always a joint function of the nature of the information and the context in which it is interpreted.”
This feels uncomfortable to those who want to be sure beyond a reasonable doubt. Extraordinary claims require extraordinary evidence, and the idea that a nuclear-armed state stole Democratic National Committee emails to interfere with the U.S. election is a pretty extraordinary claim. After all, multinational corporations have suffered much bigger data breaches at the hands of hackers with far fewer resources.
Unfortunately, intelligence agencies tend to avoid revealing their sources, lest they alienate their allies. As we learned from Edward Snowden’s leaked documents, the National Security Agency relies on “fourth party collection,” which entails stealing information that foreign agencies have collected on their own surveillance targets. For example, the NSA has spied on South Korea to find out what South Korea has learned from spying on North Korea.
Intelligence agencies expect people to trust them, but they also have to earn that trust. It was only last Friday that President Obama ordered a review of potential election-related hacking.
While the idea of Russian meddling might fit conveniently into the collective disbelief that Donald Trump could have won the election fairly, we should probably demand more evidence before freaking out.
• Elaine Ou is a blockchain engineer at Global Financial Access, a financial technology company in San Francisco. She wrote this for Bloomberg View. Readers may email her at elaine@globalfinancialaccess.com.
