There are too many experts on who did the Sony Hack, and I wouldn't give too much credibility to any of them over the combined resources of the U.S. Intelligence Community.
Politico carried a story yesterday [Tal Kopan, FBI Briefed on Alternate Sony Hack Theory] that said one such group of experts had briefed the FBI on an alternate theory that the attack was done by disgruntled ex-employees of Sony. The CEO told Politico that his company "didn't see" the data points that led to the conclusion that the hack was done by North Korea and, if there were some, they should "be shared with the community" to help draw accurate conclusions. That isn't going to happen, and he knows it. But attribution is a big business, and accurate attribution can be a bigger one.
The business model of some security companies depends on accurate assessments of who does what in the hacker world. Is it a company hacking a company, a government hacking a company, or a hacktivist group hacking one or the other? Can we prove that we know who did it? Can we write a report that will show who did it and have that report hold up on peer reviews?
The profitability of such an approach has been demonstrated over and over. The small security business correctly identifies an attack, shows who did it, and after a suitable time, sells itself to the highest bidder. It profits from its expertise in accurate attribution. Big companies like BAE, Symantec, HP, McAfee, and IBM do the same thing to prove they have the capabilities that others want in a security vendor. They sell services by accurately doing what companies cannot do for themselves, without spending a lot of money. But can they do it more accurately than the combined resources of the Federal government, especially the Intelligence Community? I don't think so.
This is about the distinction between the kind of attribution that goes on every day in counterterrorism operations, and the kind that goes into a hacking incident. Can we say that the Taliban blew up that bridge or was it a stray bomb from an airstrike? Did ISIS kill those people or did someone seeking family revenge? There are physical things to look at, like holes in the ground and bodies, but they don't really say who did the deed, just what happened to the innocent victims. There are intelligence reports that give indications that this or that group was preparing to do something, or that a person known to be a terrorist was in the area when the bombing took place. There are spies that tell our government what they see. Other governments tell us things that their spies see. Analysts pore over thousands of reports to get a picture of what is going on. They have to account for disinformation given out by people trying to hide who they are or what was done. When they make an assessment of who is responsible, they are not following bread crumbs; they are collecting evidence, deciding on the credibility of that evidence, and drawing conclusions.
What the briefers to the FBI are looking at in Sony's hack is just a small part of the information available to an Intelligence service anywhere in the world. They may share this information with other governments, maybe even with Sony, but they aren't going to say much about what they did or didn't do. How they knew what they know is not something they share with the public. Too many people say, "I want proof that it was North Korea." What they are really saying is they don't trust the conclusions of the Federal government, the President, his National Security staff, and the Intelligence Community that supports them. The President doesn't go on TV and name names very often, and he certainly doesn't do it on a whim. We might want to give some weight to the White House conclusions since they were based on a good deal more than a code analysis and IP map.