The year is only three days old and already I can safely make my first prediction for 2017: Donald Trump will not walk back his publicly stated belief that there’s not enough evidence to prove Russia was behind two data breaches at the Democratic Party’s national committee.
Despite an intelligence briefing set for this week which supposedly promises to give the President-elect the full Monty on why the NSA/CIA/FBI/Homeland Security are very confident two groups under the control of Vladimir Putin were behind the attacks, Trump will not publicly budge. He won’t for two reasons:
–If the briefers tell him they have a spy in Moscow or the U.S. has broken into Russia’s systems and therefore knows for absolutely certain Putin was behind the hacks, Trump can’t admit that publicly. That would give away a state secret. Nor, assuming this is true, can he be coy and suddenly announce he’s changed his mind for unexplained reasons: The public would demand to know why, and immediately speculate Washington has done its own hacking.
–Trump has already said he wants to reduce tension with Moscow. To change his mind so fast would make him look weak. (“Everybody else knew Putin was nefarious. What took you so long?”)
Six months from now? Maybe. He’ll have cover to say, “I know more now than I did in December.”
Do not be fooled by Trump’s hints that he has some inside information on the matter he’ll reveal this week. I think he’ll just repeat what he’s said before: “I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else.”
It could have been somebody else, at least on the evidence presented publicly so far. The Homeland Security/FBI report released Dec. 29 flatly says two Russian intelligence groups it has long tracked, which the government calls APT28 and APT29, penetrated “a U.S. political party” through targeted spearphishing.
Despite listing indicators of compromise, the report gives no forensic evidence — and, arguably it shouldn’t in public — on why the finger points at Russia. Perhaps to no one’s surprise, a number of cyber security experts immediately dismissed it.
Among those skeptics is Sam Biddle of The Intercept, who on Dec. 14 (before this report came out) suggested some of the clues gathered from a number of security vendors — particularly CrowdStrike, which was hired by the Democrats to investigate what was on its servers — that point back to Russia may be strong but aren’t conclusive enough for foreign policy. Similarly John Reed Stark at Cybersecurity Docket says some of the clues — like poor spelling, clock times and IP addresses — don’t necessarily implicate Russia.
The confusion even led last month to a Washington Post report about an alleged Russian hack of a Vermont electric utility, which quoted U.S. officials saying one of the indicators of compromise in the Homeland/FBI report was found in the utility’s system, leading to the implication that the national grid had been infiltrated. Not quite. The code was found on a PC, but one that wasn’t connected to the grid, according to reports. However, because the code was attributed to the Russians the story got big play.
Still, President Obama used the federal report and other information to impose a number of sanctions at year-end, including tossing out a number of Russian diplomats.
On the other hand, there’s a good reason why the 13-page Homeland/FBI report should be read by CIOs: It includes a long list of things the private sector must do to defend itself from cyber attacks. Small Canadian organizations that haven’t thought deeply about cyber security would do well to print pages 6 to 11 and use them as a guideline.
Which brings us to the crux of the issue: Attribution of an attack. Long before the allegations of attempted Russian influence on the U.S. election, experts were warning not to dwell too much on attribution — or at least warning the private sector. Governments are a different matter, because they have the ability to strike back at attackers with a number of tools, from trade sanctions to cyber warfare. Donald Trump may say it’s more important for the U.S. government to get its cybersecurity act together than to worry about attributing an attack, but that’s just sleight of hand. Any government is obliged to devote considerable resources to identifying threat actors. And Trump knows it.
In preparing risk assessment plans private sector organizations should consider all possible threat actors, including nation-states. And they should consider subscribing to threat intelligence services, which offer a number of valuable services, including finding warning signs on the Dark Web of an impending attack. But those signs rarely have the fingerprints of a nation-state.
In that sense Trump is right: For the private sector strengthening cyber defences rather than attribution is the priority.