The Consequences of Credible Doubt About the USG Attribution in the Sony Hack

By Jack Goldsmith
Tuesday, December 30, 2014, 8:15 AM

A few weeks ago I wrote critically of the FBI's statement that it had “enough information to conclude that the North Korean government is responsible” for the Sony hack:

First, the “evidence” is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – “specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” and similarities in the “infrastructure” and “tools” of prior attacks – to spoof the North Koreans in the Sony hack.

I made these two points mainly to set up a third point about the difficulty (and importance) of publicly verifiable attribution even if the government is confident in secret – based on technical analysis combined with other forms of intelligence – about the attribution.  I didn’t think that the FBI, in this high-stakes context, would say without qualification that North Korea was responsible unless it was certain about this conclusion.

And yet with increasing volume, “a chorus of well-qualified skeptics . . . say[s] the evidence just doesn’t add up.”  On Monday the security firm Norse briefed the FBI on an alternate theory of an insider job.  Shane Harris says that the FBI is sticking to its guns.  But one detects a softening in its certainty about the North Korea attribution.  As Harris reports:

“We think it’s them,” referring to the North Koreans, an FBI spokesperson told The Daily Beast when asked to respond to reports from private investigators that other culprits were responsible. The latest evidence, from the cyberanalysis firm the Norse Corp., suggests that a group of six individuals, including at least one disgruntled ex-Sony employee, is behind the assault, which has humiliated Sony executives, led to threats of terrorist attacks over the release of a satirical film, and prompted an official response from the White House.

The FBI said in a separate statement to journalists on Monday that “there is no credible information to indicate that any other individual is responsible for this cyberincident.” When asked whether that left open the possibility that other individuals may have assisted North Korea or were involved in the assault on Sony, but not ultimately responsible for the damage that was done, the FBI spokesperson replied, “We’re not making the distinction that you’re making about the responsible party and others being involved.”

If the FBI mis-attributed the Sony hack, it will be more than an embarrassing mistake.  Such a mistake might have led the United States to take action against the wrong target, and going forward it will significantly weaken U.S. attribution credibility.  Indeed, even if the FBI’s attribution turns out to be right – will we ever know for sure? – its hesitation in the face of credible questions about its very thin public evidence will exacerbate the demand for publicly verifiable attribution before countermeasures (or other responses) are deemed legitimate.  In this small but significant sense, the United States has lost a battle in the early days of cyber conflict.