Was Russia responsible for hacking the DNC and John Podesta, and releasing their communications as part of a concerted effort to impact the US electoral result and get their favored candidate elected president? Yes. And no. And maybe.
This question, and the various questions subsumed by this question, have much broader implications for how we conduct forensic investigations, how we attribute activities, how we conduct foreign relations, and ultimately how we fight cyberwars in the future.
In the end, it all comes down to attribution. The good thing about the Internet is it allows people to be completely and totally anonymous. The other good thing about the Internet is that there is a record of everything, everyone does, at all times.
As F. Scott Fitzgerald noted, “The test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function.”
In order to communicate online, you have to go to a computer that eventually gets connected to the Internet, initiate a connection, and transmit information from that computer to the computers to which you want to communicate. There is a possibility of tracing every packet from its destination to its source – full attribution. Sort of.
First, of course, we are not attributing activity to a person – but rather to a computer. Or more accurately (generally) to an Internet connection with a MAC address presumptively associated with a computer.
Second, if the threat actor wants to, they can disguise or obfuscate the source of the communications.
Third, without the cooperation of intermediaries in the communication channels (or a way to infiltrate them or bypass their cooperation) it may be difficult or infeasible to actually attribute communications or actions to a specific place. Moreover, the sender may not simply want to be anonymous, but may want it to look like the message, attack, or whatever came from a different source – false attribution.
So attribution of actors is easy – except when it’s hard.
Even when we are able to successfully track an attack or message to a particular Internet connection or even device, we then have to try to attribute the attack to a specific actor. Various tools or techniques are available to do so, including textual analysis, context and linguistics, pattern matching, and tracking. It’s not easy. Nor is it perfect.
We still have to demonstrate that the attack or message that we have tracked to a particular actor actually originated from that actor, and that the actor is not a mere intermediary for someone else (witting or unwitting). Situation complex.
But even if we are successful in doing this, we now know only that some computer, with some person on it, did something. Ascribing motive to that action means either inferring motive from the action, or being provided with other information (e.g., an interception, an informant, a confession) from which we can attribute motive.
So to say definitively that the Russian government hacked the DNC because they wanted Trump to win is a bunch of assumptions and inferences. All of which may be true. I mean, it’s also possible that an informant has provided information to the CIA about the motives and actions of the Russian government, right? And even there, if we say “the Russian government” did something, do we mean the Russian President? Prime Minister? The Chairman of the Russian Federation? The Foreign Minister. The Chairman of the Duma? The FIS, FSSS, GRU, 12th Directorate, FSTEK, MVD, SSSR or Politsya? Or it could be the Russian Investigative Committee, the Ministry of Justice, or the Ministry for Civil Defense.
And are they acting WITH or WITHOUT the knowledge or authority of the others? And even if you attribute a hack to a particular hacking group operating IN or OUTSIDE Russia, made up of Russians or non-Russians, how do you know (without further intel) on whose behalf they are working, and why?
Attribution is hard.
And it’s easy. Because you CAN follow the money, follow the packets, follow the data, follow the motives, and follow the communications. You can see how a hack proceeded, what tools were used, whether these tools have been used before (in a more attributable way), and the pathways taken to both launch the exploit and to release, store or transfer the purloined data.
In the 1981 Film Noir thriller, Body Heat, Mickey Rourke’s character notes “any time you try a decent crime, you got 50 ways you’re gonna [screw] up. If you think of 25 of them, then you’re a genius… and you ain’t no genius.”
Sometimes you get lucky – someone screws up, fails to encrypt, exposes a weakness, and communicates with the wrong person in the wrong way. Or, maybe they don’t want to hide their tracks at all. Many information based attacks are intened to be attributed – even weakly. A shot across the bow. I know that you know that I know that you know that I did it, but we can both still deny knowing. You get the idea. Other techniques for attribution include watermarks, digital dye packs, beacons, “spy dust” and a host of other classified and unclassified techniques.
The real issue is not just attribution – but attribution for what purpose? How high a standard do we want to have before we are willing to say that X is responsible for Y – and what do we want to do as a consequence?
So the level of reasonable doubt we may demand before shaming a foreign country, calling them out for actions, or even calling for sanctions against them (or even taking covert or other actions against them) may be different from (either higher or lower than) the standard we may demand for, for example, a criminal case against them.
The intel community may ask for a lower standard of proof that Russia hacked the United States than the law enforcement community may look for proof “beyond a reasonable doubt.” Where one group may be satisfied making reasonable inferences based on known facts, another may demand proof that these inferences are true. It’s not that one is “better” than the other. There are things we “know” without any objective proof – e.g., we may factually assert that any hacking of the US political system from the Russian government would not have occurred without the approval of the “highest” authority of the Russian government as a substitute for proof of knowledge by that authority. It’s not that one is right or wrong – it’s a question of degree.
And the degree of attribution we demand is dependent upon what we plan to do with the information. If we seek redress from the International Court of Justice for unlawful actions by a specific person in Russia, or if we seek a computer hacking indictment in the US, we may demand one level of proof of attribution. If we want to hack back or take covert or other action, we may demand a different (higher or lower) level of proof.
In other words – it’s complicated. And it will remain complicated. But the law of nations has always been so. It involved attacks and defenses, parries and thrusts, deceit and intrigue. We do the best we can with the tools we have. It’s incumbent on the information security community though to ensure that we have the best people, the best analysts, the best tools and the best techniques, and that we question them until we have sufficient consensus. And then consensus on action. Remember, on the Internet, nobody knows we are sobaki. And that’s Russian for dogs! Or close enough.