cybersecurity

The Problem of Attribution in Cyberattacks, Or “Don’t Fall for the Banana in the Tailpipe”

On December 12th, Speaker of the House Paul Ryan said in a statement on Monday that “We must condemn and push back forcefully against any state-sponsored cyberattacks on our democratic process.”

The hacking of the Democratic National Committee’s servers was first reported in July when Wikileaks published emails from the hack.  Some have argued that these emails, some of which contained damaging information about the Democratic party during the heart of the election season, played a part in Trump’s upset victory.  Early on, the hack was suspected to be originating from Russia.

The link to Russia has been confirmed, kinda.  But not without controversy.  As NPR reports:  “The CIA has concluded that Russia interfered in the U.S. presidential election to help Donald Trump win. But Trump says he doesn’t believe that. And the FBI doesn’t think there’s enough evidence.”

Whether or not our leaders can come to a consensus about what country the hack came from or whether or not that country sponsored said hack, Ryan’s bellicose statement that we should “push back” is premature and unnecessarily aggressive.

Image of Paul Ryan

Paul Ryan – “We must condemn and push back forcefully against any state-sponsored cyberattacks on our democratic process.” Image from Townhall.com

The Problem of Attribution

It is very difficult to know for sure when a cyberattack is state sponsored.  Just because hackers live in an area or speak a certain language does not then mean that the hack must be a direct result of a government giving orders.  Here are some scenarios:

  • A group originating from Russia looking to make a political statement on behalf of their country.
  • A group originating from Russia hacking for shits and giggles.
  • Hackers using the Russian language or some mechanism to make it appear as if they are from Russia.
  • A group funded through a Russian government agency that is not a part of Russian intelligence or military.  Think of a kind of “committee on new coding” simply learning how to hack.
  • A group funded through Russian intelligence or the military.

In each of these scenarios, tying the hack directly to Russia and Putin is either blatantly wrong or a misconstruing of the facts.

We cannot apply terrestrial, cold-war logic to 21st century cyberspace.  If this was 1980, and the weapons used to damage a nation required large amounts of investment that only a few nation states could muster, then there would be far less problems of attribution.  In other words, if a small force of rebels attacked an American embassy with tanks, bazookas, and automatic rifles, the odds are quite high that these weapons were purchased or given to these rebels by the Soviet Union.

But in the digital environment, a cyberattack of the kind on the Democratic National Committee’s servers does not require the same types of resource intensive and high capital investment outlays.  You just need a few people with the know-how, a reasonably modern computer, some select software, and an Internet connection.

Let’s Not Fall for the Banana in the Tailpipe Again

One of the funniest scenes in movie history is the “don’t fall for the banana in the tailpipe” scene from Beverly Hills Cop. Apparently, the phrase has become a part of pop culture.  Well, I’m appropriating it for the purposes of hacking and a supposed cyberwar.

Remember how the American people were duped with the 9/11 bait and switch?  Remember how we were attacked by a group of 19 radicals, 15 of which were from Saudi Arabia, claiming allegiance to an Islamic fundamentalist group based primarily out of Afghanistan….and then invaded…Iraq?

Since then, the media and other politicians have done a mea culpa.  But it’s too late.  We’ve lost money and lives and the only people who came out on top were the businesses that either got government contracts or had the way cleared for capital investments.  Oh, and the politicians gained votes because they look to be “tough” on terrorists.

The almost mystical nature of cyberattacks, and the ability (or inability) to definitively determine the source of the attack will play right into the hands of hawkish politicians.  A cyberattack could be initiated by a couple of snooty twenty-somethings in Syria, who may or may not have received funding in the past from an organization that may or may not be affiliated with the Iranian government.  But that would be enough to justify a “push back” against the Iranians.  And here we go again.  More war.  More paranoia.  More civil liberties taken away.  More money in the pockets of oil companies and weapons manufacturers.

 

Donald Paying Dividends?

It might be that Donald Trump’s unorthodox orientation to public service is paying off.  Unlike Obama and Bush the Younger, he seems less hawkish and less likely to be pushed around by the military.  For now he’s his own man and looking to make nice with Russia.

But that probably won’t last.  And so we the people must assert our rights.  We can’t allow our leaders to lob these verbal grenades at other nations without holding their feet to the fire, demanding evidence, and questioning their every move.  And this time, there can be no Colin Powell waving a vial of baby powder.  They have to prove to the American people that they can link a cyberattack to a nation’s military, intelligence, or executive body.  Committees need to be formed, civilians need to be on that committee, it needs to be bipartisan, and it cannot be rushed.

In other words, we should take Ryan’s words to heart and “push back”.

 

 

On Romance Scams, Populism, Cybercrime, and Cybersecurity

Cybersecurity and cybercrime are very similar in that a computer is the tool in the commission of a crime or the target of a crime.  Cybersecurity is a bit more narrow in that the major concern is the unauthorized access and use of computers, or hacking.  Cybercrime has a broader focus, encompassing hacking along with other computer related offenses such as identity theft, cyberbullying, and online fraud.  In the best case scenario, the two would be treated very similar as similar techniques can be used to understand and prevent both.

However, our nation’s leaders have understood and responded to cybersecurity and cybercrime in two very different ways.  This tells us a great deal about the current gulf between elites and commoners.  It is one more quiver in the bow for those embracing American populism.

Cybersecurity

Modern organizations have a series of interconnected computers housing valuable pieces of information. Only authorized personnel – people with the right identities and passwords – are able to access and manipulate this information.  The network in which I have access through my user ID and password allows me to see student information and manipulate grades.  The employees at Bank of America use their credentials to see the bank statements of customers stored on their computers.  The information kept in these computer networks have various levels of sensitivity – from the contact information of faculty and students to the emails and operational plans on military bases.  People are always trying to get access to these networks in order to steal information or manipulate information.  Sometimes they want access in order to change the way in which these computers operate.

Given the importance of these computer networks, billions of dollars have been invested in developing tools, techniques, and personnel to protect them.  Thus the cybersecurity industry.

Cybercrime

Cybercrime is more broad in focus.  It also deals with the unauthorized used of a computer (in the simplest terms, a virus placed on your computer or the stealing of someone’s computer passwords is unauthorized use).  But the use of computers to steal one’s financial identity, and then run up their credit cards also falls under the cybercrime rubric.  As does using sending out harassing tweets, posts, and emails to someone.  As well as defrauding someone by taking advantage of the Internet’s anonymity.

But it is not the scope of cybercrime that makes it different than cybersecurity.  It is the targets.  Everyday people are the targets of these crimes, not large corporations of bureaucracies. 

Media attention and legislative efforts have been disproportionately aimed at cybersecurity.  Yet in reality more people have been touched and hurt by cybercrime.

The FBI hosts a website that collects and reports cybercrime, the Internet Crime Complaint Center (IC3). Their website states that: “The IC3 accepts online Internet crime complaints from either the actual victim or from a third party to the complainant.”

One of the types of complaints collected by the IC3 are romance scams.  These are instances where offenders use the anonymity of the Internet to portray their love for a victim only in an effort to fleece them of as much money as possible.  This scam is as old as the world’s first profession, I imagine.  The difference is that the Internet makes it possible to (a) reach more people, and (b) more easily construct the idea in the victim’s mind that the relationship is real and genuine.

In 2014, the FBI reported a total loss of approximately 87 million dollars through romance scams.  This is in an underreporting of the total dollar loss.  People are too embarrassed or do not know about IC3.

 

Romance scams are, in my opinion, one of the more despicable offenses.  They prey on a vulnerable subset of the population – middle aged women.  It is highly likely (although I do not have the data to support this idea) that the victims are low on digital literacy, and are unaware of the many ways that lotharios manipulate the digital environment.  Many individual lives and homes can be destroyed through crimes like this.  However, these people do not have a lobby in Congress to protect them.

One could make the argument that being duped by a man who makes sweet music with computer keys is more about the ignorance of the victim, has little to do with technology, and at any rate is not a new crime.

Well, what about when an individual’s private computer or computer network is used without authorization (i.e. hacking)?   People fall victim to viruses, worms, and phishing attacks (when a fraudulent email is sent) everyday.  All of these are the same types of techniques used to compromise the computer networks of large entities.

The crucial difference is the targets.

 

Follow the Money

In 2009 the Obama administration announced a Comprehensive National Cybersecurity Initiative (CNCI), with a “total budget 40 billion over several years”.   This has trickled to my current home state of Virginia.  Our governor, Terry McAuliffe has been aggressively pushing a number of cybersecurity initiatives:

There is nothing wrong with providing the vision and funding for cybersecurity.  We need it the same way we need to protect our water facilities (see Flint) or our levees (see New Orleans) or our bridges (see Minneapolis).

But there is no such federal initiative and consequent state level programs that deal with cybercrime.  I am sure there are some monies somewhere.  But the level of interest in protecting everyday American citizens is paltry in comparison to the interest in protecting bureaucracies.

I can go a bit further.  This government aid is in all likelihood a subsidy for American corporations.  Corporate networks are much more numerous than those of the military, and although there are many hospitals and colleges storing sensitive information, hackers simply are not interested in x-rays and midterms.  The majority of people who are trained and the greatest application of the innovations produced will accrue to entities like Wells Fargo and Bank of America.

 

American Populism

And so cybersecurity is to cybercrime as Wall Street is to Main Street.  Millions of dollars are being funnelled into protecting large industries while a relative trickle of dollars is devoted to educating the people themselves or the law enforcement charged with protecting the people.

Universities and colleges are scrambling to develop cybersecurity programs and dole out cybersecurity certificates, while little interest is in developing digital literacy courses that teach everyday citizens some basic measures that will protect them from romance scams, phishing attacks, and computer viruses.

I am aware that people are not that upset about how the government ignores their computer security.  The world of bits, bytes, packets, and protocols is too arcane and too distant from the everyday necessities of life.  But the relationship between cybercrime and cybersecurity is another illustration of why people feel the government does not work for them.  They have a legitimate beef, and their support of Donald Trump and Bernie Sanders – what has crudely been labeled “populism” – is more than justified.

From the government bailout of banks, to a national health care plan that forces people to give money to health insurance companies, to billions of dollars in subsidies going to sugar producers, to costly wars that only seem to provide benefits to defense contractors and oil companies, to free trade agreements that never provide benefits to working Americans, to cybercrime and cybersecurity, the American people are realizing that their government no longer represents them.

Ashley Madison and Cultural Dopes

I can imagine a movie done in 2050 about the 2010’s.

It’ll be a period piece, with the usual cultural exaggerations done to let the viewer know it is about that era. Ever notice how movies set in the 1970’s show every house with a lava lamp and a water bed? Some music will be playing in the background to make sure you now it is 70s. Carol Kane? Elton John? If it is a movie set in an urban setting, then you will hear Stevie Wonder. In these period pieces, some cultural attitude or behavior is pointed out for the purpose of showing how naive or silly people were. If it is a movie about the 1950’s, there will always be the obligatory racist or sexist remark – often inserted into the dialogue casually in order to show how commonplace those ideas were.

The period piece set in the 2010’s will have women sporting that “thrift shop” look, men wearing slim fit clothes, and people drinking fair trade coffee. The soundtrack will be by Daft Punk or Adele. And what will be the cultural attitude or behavior that is made fun of? People’s unbelievable naiveté when putting personal information into the hands of online companies.

(more…)