Read the article, pretty fair and well written to be honest, actually objective.
Russian cyber espionage against American political targets has dominated the news in recent months, intensifying last week with President Barack Obama’s announcement of sanctions against Russia.
Cyber espionage is, of course, nothing new. But using data collected in cyber espionage operations to interfere in the U.S. election process on behalf of one of the candidates — one who appears to be smitten with Russian President Vladimir Putin — is a brazen and unprecedented move that deserves a firm political response from the U.S. government on behalf of the public interest.
The expulsion of 35 Russian diplomats, the shutting down of two Russian-owned estates the U.S. claims were used for intelligence activities, and the targeted financial sanctions on Russian individuals and organizations all show the Obama administration understands at least part of what such a firm response should entail.
Unfortunately, the White House failed to supply the element most critical to the credibility of its action: to be politically effective in today’s Internet age, such a response also needs to be backed up with solid evidence. Here the administration failed miserably, but also predictably. And not necessarily because it lacks the evidence; the U.S. government simply failed to present it.
The DHS/FBI Joint Analysis Report on Russian information operations, which the administration refers to as “Grizzly Steppe,” is a disappointing and counterproductive document. The problems with the report are numerous and have been well documented by professionals in the computer security area. But the culture of secrecy and the lack of independent sources of verification that gave rise to it are far more pervasive.
Among the problems in the report: Instead of clearly mapping out the evidence linking the cyber espionage operations to Russia, the report provides generic charts on tradecraft and phishing techniques that apply to just about every cyber espionage campaign I and others have ever studied.
At the centre of the report (page 4) is a table that unhelpfully lumps together, without explanation, several different names attributed to Russian-associated cyber espionage campaigns alongside names of malicious software and exploits that have little or no direct link to Russia.
An appendix includes a spreadsheet meant to provide “Indicators of Compromise,” long lists of technical details supposedly associated with the espionage campaign. These include IP addresses, malware signatures, and command and control infrastructure, which network defenders are supposed to use to ward off Russian-backed espionage, and which would ostensibly be used to “fingerprint” Russia as the culprit. Unfortunately, many of these are out of date or irrelevant, or are used by multiple cyber espionage campaigns rather than ones exclusively associated with Russia. To give just one example, journalist Micah Lee analyzed the IP addresses contained in the appendix and found that over 40 percent of them are exit nodes of the Tor anonymity network (meaning anyone in the world using Tor could appear to come from these IP addresses). It is a disservice to both the general public and expert researchers not to state the degree of confidence associated with each indicator. Without proper categorization or context, the indicators satisfy neither aim: they neither help network defenders nor prove attribution.
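The triage step the paragraph above says the report skipped, as an added example that is not from the article or from the DHS/FBI report: read a flat indicator list, check each IP against a Tor exit-node list and against known shared hosting ranges, and tag it with a context label before anyone alerts on it or cites it as attribution. All addresses, the exit list and the shared range are constructed stand-ins (RFC 5737/3849 documentation space), not values from the Grizzly Steppe appendix; the column names `indicator,type` and the context labels are this example's own conventions.

```python
import csv
import io
import ipaddress

# Constructed indicator feed in the flat "indicator,type" shape that IoC
# spreadsheets commonly use. Documentation addresses only; none of these
# come from the Grizzly Steppe appendix.
INDICATOR_CSV = """indicator,type
192.0.2.10,ipv4-addr
192.0.2.11,ipv4-addr
198.51.100.5,ipv4-addr
198.51.100.6,ipv4-addr
203.0.113.7,ipv4-addr
203.0.113.8,ipv4-addr
2001:db8::1,ipv6-addr
not-an-ip,ipv4-addr
example.test,domain
"""

# Constructed stand-in for a Tor exit-node list (one address per line, the
# shape the published lists use). A real run would load the list that was
# current for the period the indicators cover, since exits change daily.
TOR_EXIT_LIST = """192.0.2.10
192.0.2.11
198.51.100.5
"""

# Constructed stand-in for shared hosting / CDN / cloud ranges that many
# unrelated campaigns use; membership lowers an indicator's attribution value.
SHARED_RANGES = [ipaddress.ip_network("203.0.113.0/29")]


def load_exit_list(text):
    """Parse a one-address-per-line exit list into a set of address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits


def classify(indicator, ioc_type, tor_exits, shared_ranges):
    """Return a context tag saying how much weight an indicator can carry."""
    if ioc_type not in ("ipv4-addr", "ipv6-addr"):
        return "not-ip"          # hashes and domains need a different check
    try:
        ip = ipaddress.ip_address(indicator)
    except ValueError:
        return "invalid"         # malformed entries should never reach a sensor
    if ip in tor_exits:
        return "tor-exit"        # anyone using Tor can appear from here
    if any(ip in net for net in shared_ranges):
        return "shared-infra"    # hosting reused by many unrelated actors
    return "unique"


def triage(csv_text, tor_exits, shared_ranges):
    """Tag every row of the indicator feed with its context label."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        {"indicator": r["indicator"], "type": r["type"],
         "context": classify(r["indicator"], r["type"], tor_exits, shared_ranges)}
        for r in rows
    ]


def summarize(results):
    """Count labels and report the Tor-exit share among well-formed IPs."""
    counts = {}
    for r in results:
        counts[r["context"]] = counts.get(r["context"], 0) + 1
    scored = sum(counts.get(k, 0) for k in ("tor-exit", "shared-infra", "unique"))
    tor_share = counts.get("tor-exit", 0) / scored if scored else 0.0
    return counts, tor_share


def actionable(results):
    """Indicators a defender could alert on without drowning in Tor noise."""
    return [r["indicator"] for r in results if r["context"] == "unique"]


if __name__ == "__main__":
    exits = load_exit_list(TOR_EXIT_LIST)
    res = triage(INDICATOR_CSV, exits, SHARED_RANGES)
    counts, share = summarize(res)
    for r in res:
        print(f"{r['indicator']:<36} {r['type']:<10} {r['context']}")
    print(f"\n{counts}\nTor exits among valid IPs: {share:.0%}")
    print("alert-worthy:", actionable(res))
```

On the constructed feed, three of the seven well-formed IPs are Tor exits, so a defender who loaded the list raw would generate alerts for any employee or visitor using Tor, and a reporter matching a log hit against it would learn nothing about who was behind the traffic. Two caveats for real use: Tor exit membership is time-dependent, so the exit list must be the one for the window in which the activity occurred, and the "unique" label only means the address passed these two filters, not that it is attributable to a specific actor.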
The report’s shortcomings have led to predictable results. President-elect Donald Trump and his “truthiness” supporters can continue to peddle inanities, like “no computer is safe” and anyone, even “someone sitting on their bed that weighs 400 pounds” could be responsible for the breaches.
Meanwhile, Russian leadership can continue to smirk and shrug it all off, biding their time until January 20th.
There has even been a false alarm about Russian “hacking” of a Vermont utility grid based on what turned out to be a faulty supposition made on the basis of one of the IP addresses in the report. No surprise there, given the inclusion of Tor exit nodes and other irrelevant IP addresses among the indicators. Poorly presented data will produce poor results. I’ve already received several media requests asking for my comments about the significance of Canadian IP addresses listed in the report, wondering if Canadian institutions were victims of Russian cyber espionage too. Sigh…