Saturday, October 22, 2016

Time To Halt The Russian Hacking Hysteria - Fact: We Don't Know WHO Launched Yesterday's Cyber Attack

Almost like clockwork, as news of the denial of service attack on the internet spread, out came media dunderheads and propagandists blaming it on the Russians. But as I pointed out several months ago in respect of the DNC hack (also blamed on the Russians), there isn't a scintilla of hard, incontrovertible evidence.

I cited tech sources that noted the sheer difficulty of positively identifying the source of the hack, indeed any hack. As one expert put it (on the site techdirt.com): "Just because you find an AK-47 lying around doesn't mean a Russian was responsible". Same thing with a system hack bearing "Russian Cyrillic letters in the code". Ever heard of spoofing a hack? When did we see this before? Well, with the claimed Sony hack by N. Korea three years earlier. (Which turned out to be due to a disaffected, former Sony employee).

Worse, the cyber security firms (like 'CrowdStrike') and resident "experts" that make these wild claims are often the beneficiaries of "faith-based attribution" whereby they skate and are never held accountable when they are wrong. So pardon me if I didn't bite then about "the Russians and Putin doing it" and don't now with this massive hack attack yesterday. Indeed, too many Americans have the memories of gnats and appear to forget there is a perfectly capable group out there ("Anonymous") that has done denial of service attacks before and isn't connected to any "Russians". See, e.g.:

http://www.newyorker.com/magazine/2014/09/08/masked-avengers

As the techdirt.com line in the preceding paragraph points out (and I implore readers to read the entire account):

"It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong. Neither are claims of attribution admissible in any criminal case, so those who make the claim don’t have to abide by any rules of evidence (i.e., hearsay, relevance, admissibility).

The closest analogy for a cybersecurity company’s assignment of attribution is an intelligence estimate, however intelligence analysts who write those estimates are held accountable for their hits and misses. If the miss is big enough (No WMDs in Iraq, missed India’s five nuclear bomb tests in ’98, missed Iraq’s invasion of Kuwait in 1990, etc.), there are consequences, and perhaps a Congressional investigation.

When it comes to cybersecurity estimates of attribution, no one holds the company that makes the claim accountable because there’s no way to prove whether the assignment of attribution is true or false unless (1) there is a criminal conviction, (2) the hacker is caught in the act, or (3) a government employee leaked the evidence."

The last paragraph is especially important: no one holds the cyber bunch making the original claim to account because there's no way to prove the assignment of attribution is true. Thus, CrowdStrike and its sister corporate companies - even the FBI - can make all the rash claims they want about "the Russians" but no one will hold them to account given the lack of proof.

It's analogous to a rash physicist making a claim, say that heat generated in a one-off experiment arose from "cold fusion". But he has no way to replicate it, no way to prove it. He has succumbed to "faith-based attribution". With these recent hacks, rash claims against nation states put us in a geopolitical arena, so it is reckless to assign blame without 100% hard proof, given that any consequences could be severe.

For example, launching a U.S. cyber attack on Russia could provoke a full scale cyber war. Let us also, for reference, note that the Stuxnet worm that was released to attack Iranian centrifuges back in 2012 was known to have the potential to be "re-purposed" by just about any adept hacker. See, e.g.:

http://brane-space.blogspot.com/2012/06/who-made-flame-virus-same-bunch-that.html

In terms of faith-based attribution, recall that James R. Clapper Jr. (the same character who lied before the Senate Intelligence Committee, denying the U.S. had any mass surveillance of its citizens) recently said in a statement on Oct. 7 that "high-level Russian officials were trying to interfere with American elections."

But to refer back to the previous tech link again:

"the closest profession to the attribution estimate of a cyber intelligence analyst is that of a religious office like a priest or a minister, who simply asks their congregation to believe what they say on faith. The likelihood that a nation state will acknowledge that a cybersecurity company has correctly identified one of their operations is probably slightly less likely than God making an appearance at the venue where a theological debate is underway about whether God exists"

In other words, Clapper is playing the role of a padre citing religious dogma more than that of a cyber intelligence analyst or authority. It simply doesn't hold water; it's merely faith-based attribution that serves the purpose of spreading anti-Russian propaganda.

Perhaps the biggest slam on today's cyber companies hurling these attributions is that their methodology is largely passé. Thus:

"Many of the cyber intelligence analysts who work at companies like CrowdStrike, FireEye, and Mandiant have come out of the military or the Intelligence Community with prior analytic training."

The problem is these companies are still using unstructured analysis as opposed to structured. This difference was explained by Maj. Robert D. Folker, Jr. (USAF) in his January, 2000 paper “Intelligence Analysis In Theater Joint Intelligence Centers: An Experiment In Applying Structured Methods” published by the Joint Military Intelligence College. He believed that adding structure would vastly reduce the conjecture component and yield "superior results". It remains to be seen whether any of these cyber security outfits have upped their game, and until they do we simply can't accept their conclusions any more than a religious dogma.

Until real evidence manifests, citizens would be well advised not to jump to conclusions, especially when assorted "authorities" insist they have identified the culprits for the hack. No, they have not. Again, read the full account in the "faith-based attribution" link.

For the person grounded in deep politics, these unproven accusations from the Neoliberal and Neocon national security state fetishists are especially disturbing as we've seen this before: the spread of propaganda prior to an attack on the specified "enemy". One can only hope this isn't leading up to a full scale cyber attack on the Russians, followed by the folly of trying to implement a "no fly zone" over Syria after HRC is elected. As one observer put it on Chris Hayes' All In several nights ago, that would be a harbinger of nuclear war.

Temperatures are soaring with this general election. It is important the nation and its people keep their cool and operate within the province of evidence and reason - not "faith" - when it is finished.

See also:

https://www.techdirt.com/articles/20160724/17512435054/whether-not-russians-hacked-dnc-means-nothing-concerning-how-newsworthy-details-are.shtml
