The Sony Hack: Attribution Problems, and the Connection to Domestic Surveillance

By Jack Goldsmith
Friday, December 19, 2014, 5:19 PM

The FBI said today of the Sony hack:

As a result of our investigation, . . . the FBI now has enough information to conclude that the North Korean government is responsible for these actions.  While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed.  For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.  For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Following the FBI’s statement, President Obama announced that the United States “will respond proportionally” and “at a place and time we choose.”

Today’s events demonstrate two huge problems for the government in addressing cyberattacks of this sort.

Attribution.  One hears a lot in cybersecurity circles that the government has "solved" the attribution problem.  The evidence presented today shows why it has not come close to solving it.

First, the “evidence” is of the most conclusory nature – it is really just unconfirmed statements by the USG.  Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea.  We know nothing about the veracity of the attribution of those prior attacks.  Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack.  For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – “specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” and similarities in the “infrastructure” and “tools” of prior attacks – to spoof the North Koreans in the Sony hack.

Third, the most significant line in the FBI statement is this: “While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following.”  Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion.  This might give the USG confidence in the attribution and might support the legality of a proportionate response.  But if protection of “sources and methods” prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response against North Korea is justified.  (Compare Adlai Stevenson and Colin Powell before the United Nations.)  And if the United States’ response is significant, and has wider geo-political implications, this inability to prove attribution could be a huge problem.  The important point: Even if the attribution problem is solved in the basement of Ft. Meade and in other dark places in the government, that does not mean the attribution problem is solved as far as public justification – and defense of legality – is concerned.

Porous Defenses, and the Surveillance Debate.  The FBI’s statement about this attack resembling past ones from North Korea should be hugely embarrassing for the government.  For the government is in effect admitting that it knew about the tools and signatures that North Korea used in past attacks and exploitations and yet still was either unwilling or unable to stop the attack on Sony.  (Imagine the uproar if North Korea had used kinetic tools for failed kinetic attacks in the past and then used known, similar tools for a successful and devastating kinetic attack.)  This is a major national security failure.  And this failure relates, uncomfortably, to the debate over domestic surveillance in the network.  Last year I wrote:

The fate of domestic surveillance is today being fought around the topic of whether it is needed to stop Al Qaeda from blowing things up. But the fight tomorrow, and the more important fight, will be about whether it is necessary to protect our ways of life embedded in computer networks.

There are many, many steps the government will need to take to keep our networks more secure, and after the Sony attack we can hope to have a more serious debate about what is needed and perhaps some more aggressive action.  Before he retired, General Alexander is reported to have said: “I can’t defend the country until I’m into all the networks.”  The Sony attack will now make this point more salient.  For a natural question now is: How should the U.S. government do a better job of taking intelligence about known prior attacks and using that intelligence proactively to stop future ones?  And that in turn will require a conversation about whether, how, and how deeply the NSA and related government agencies should be in the domestic network -- not for purposes of catching Islamist terrorists, but rather for purposes of protecting our networks from other adversaries.