The Problem of Attribution in Cyberattacks, Or “Don’t Fall for the Banana in the Tailpipe”

On Monday, December 12th, Speaker of the House Paul Ryan said in a statement that “We must condemn and push back forcefully against any state-sponsored cyberattacks on our democratic process.”

The hacking of the Democratic National Committee’s servers was first reported in July when WikiLeaks published emails from the hack.  Some have argued that these emails, some of which contained damaging information about the Democratic party during the heart of the election season, played a part in Trump’s upset victory.  Early on, the hack was suspected to have originated from Russia.

The link to Russia has been confirmed, kinda.  But not without controversy.  As NPR reports:  “The CIA has concluded that Russia interfered in the U.S. presidential election to help Donald Trump win. But Trump says he doesn’t believe that. And the FBI doesn’t think there’s enough evidence.”

Whether or not our leaders can come to a consensus about what country the hack came from or whether or not that country sponsored said hack, Ryan’s bellicose statement that we should “push back” is premature and unnecessarily aggressive.

Paul Ryan – “We must condemn and push back forcefully against any state-sponsored cyberattacks on our democratic process.” Image from Townhall.com

The Problem of Attribution

It is very difficult to know for sure when a cyberattack is state sponsored.  Just because hackers live in an area or speak a certain language does not then mean that the hack must be a direct result of a government giving orders.  Here are some scenarios:

  • A group originating from Russia looking to make a political statement on behalf of their country.
  • A group originating from Russia hacking for shits and giggles.
  • Hackers using the Russian language or some mechanism to make it appear as if they are from Russia.
  • A group funded through a Russian government agency that is not a part of Russian intelligence or military.  Think of a kind of “committee on new coding” simply learning how to hack.
  • A group funded through Russian intelligence or the military.

In each of these scenarios, tying the hack directly to Russia and Putin is either blatantly wrong or a misconstruing of the facts.

We cannot apply terrestrial, cold-war logic to 21st-century cyberspace.  If this were 1980, and the weapons used to damage a nation required large amounts of investment that only a few nation states could muster, then there would be far fewer problems of attribution.  In other words, if a small force of rebels attacked an American embassy with tanks, bazookas, and automatic rifles, the odds are quite high that these weapons were sold or given to these rebels by the Soviet Union.

But in the digital environment, a cyberattack of the kind carried out on the Democratic National Committee’s servers does not require the same resource-intensive, high-capital outlays.  You just need a few people with the know-how, a reasonably modern computer, some select software, and an Internet connection.

Let’s Not Fall for the Banana in the Tailpipe Again

One of the funniest scenes in movie history is the “don’t fall for the banana in the tailpipe” scene from Beverly Hills Cop. Apparently, the phrase has become a part of pop culture.  Well, I’m appropriating it for the purposes of hacking and a supposed cyberwar.

Remember how the American people were duped with the 9/11 bait and switch?  Remember how we were attacked by a group of 19 radicals, 15 of whom were from Saudi Arabia, claiming allegiance to an Islamic fundamentalist group based primarily out of Afghanistan... and then invaded... Iraq?

Since then, the media and other politicians have done a mea culpa.  But it’s too late.  We’ve lost money and lives and the only people who came out on top were the businesses that either got government contracts or had the way cleared for capital investments.  Oh, and the politicians gained votes because they look to be “tough” on terrorists.

The almost mystical nature of cyberattacks, and the ability (or inability) to definitively determine the source of an attack, will play right into the hands of hawkish politicians.  A cyberattack could be initiated by a couple of snooty twenty-somethings in Syria, who may or may not have received funding in the past from an organization that may or may not be affiliated with the Iranian government.  But that would be enough to justify a “push back” against the Iranians.  And here we go again.  More war.  More paranoia.  More civil liberties taken away.  More money in the pockets of oil companies and weapons manufacturers.

 

Donald Paying Dividends?

It might be that Donald Trump’s unorthodox orientation to public service is paying off.  Unlike Obama and Bush the Younger, he seems less hawkish and less likely to be pushed around by the military.  For now he’s his own man and looking to make nice with Russia.

But that probably won’t last.  And so we the people must assert our rights.  We can’t allow our leaders to lob these verbal grenades at other nations without holding their feet to the fire, demanding evidence, and questioning their every move.  And this time, there can be no Colin Powell waving a vial of baby powder.  They have to prove to the American people that they can link a cyberattack to a nation’s military, intelligence, or executive body.  Committees need to be formed, civilians need to be on those committees, they need to be bipartisan, and the process cannot be rushed.

In other words, we should take Ryan’s words to heart and “push back”.