Absence of evidence?


6 January 2017

Paul Hearns

There seems to be an awful lot of hand-wringing going on regarding the attribution of the hacking of the US Democratic party and the subsequent interference in the US election.

While Director of National Intelligence James Clapper has said fairly categorically that the Russians, at very high levels, did indeed interfere in the election, many in the information security industry have been very cautious about the conclusions.


Many infosec professionals say there simply is not enough evidence to confidently attribute the various actions to actors that Clapper identified.

While that may be true, to a certain extent — a mostly technical extent — there are more avenues of exploration on this than server logs, traffic analysis and geo-location.

Indeed, it is absolutely true that any cyberattack is difficult to attribute, because at least as much effort generally goes into hiding the origin of an attack as into making the attack itself effective. Not only that, when investigators find fairly clear evidence of an origin, they are usually highly sceptical, as such evidence can be an obfuscation technique in itself, especially where state, or indeed state-sponsored, attacks are concerned.

But, as with any aspect of human endeavour, it is almost impossible to erase all unique, or at the very least common, characteristics from such actions. Therefore, the old technique of profiling can be, and is, brought to bear on such things.

The technique looks at all aspects of these attacks: the target, the type of booty sought, the approach, and the routes and techniques used, both for the primary thrust and for the secondary obfuscation.

All of these things can be examined to deduce a likely set of players to whom such actions can be attributed. Now, again, one can counter by saying any given technique can be spoofed, and it can. But the combination of spoofs itself can be a fingerprint, a stamp of identity.

As such, taking all aspects of such incidents in their entirety can produce an altogether different picture from the one the purely technical data alone might suggest.
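One way to make the "take every dimension together" argument concrete, as an added example that is not part of the original column: a small Python script that scores an incident against candidate actor profiles on several weighted dimensions (target, objective, initial access, infrastructure, obfuscation). Every profile name, trait and weight below is constructed for illustration and stands for no real actor; the weights express one analyst's judgment of how easily each dimension can be faked, not a published scale.

```python
"""Multi-dimension attribution scoring (added illustration; all data constructed)."""

# Dimensions of an intrusion that a profiling approach compares, mirroring the
# column's list: who was hit, what was sought, how the intruder got in, what
# infrastructure carried the traffic, and how the origin was obscured.
DIMENSIONS = ("targets", "objective", "initial_access", "infrastructure", "obfuscation")

# Hypothetical actor profiles. Names and traits are constructed for this example
# and describe no real group.
PROFILES = {
    "profile-A": {
        "targets": {"political-party", "think-tank"},
        "objective": {"email-archives", "internal-documents"},
        "initial_access": {"spearphish-credential-harvest"},
        "infrastructure": {"bitcoin-paid-vps", "typosquat-domains"},
        "obfuscation": {"fake-persona-leak", "third-party-language-strings"},
    },
    "profile-B": {
        "targets": {"bank", "payment-processor"},
        "objective": {"card-data", "wire-fraud"},
        "initial_access": {"malicious-macro", "exploit-kit"},
        "infrastructure": {"bulletproof-hosting", "fast-flux"},
        "obfuscation": {"packer", "third-party-language-strings"},
    },
    "profile-C": {
        "targets": {"political-party", "ngo"},
        "objective": {"internal-documents"},
        "initial_access": {"watering-hole"},
        "infrastructure": {"compromised-cms", "bulletproof-hosting"},
        "obfuscation": {"packer"},
    },
}

# Weights encode how hard each dimension is to fake (constructed values).
# Infrastructure is cheap to borrow or spoof, so it counts for less; habits of
# tradecraft are harder to change, so they count for more.
WEIGHTS = {"targets": 1.0, "objective": 1.0, "initial_access": 1.5,
           "infrastructure": 0.5, "obfuscation": 1.5}

# A weighting that looks at network evidence alone, for contrast.
INFRASTRUCTURE_ONLY = {"infrastructure": 1.0}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets share nothing measurable."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def score(incident, profile, weights):
    """Weighted mean of per-dimension overlaps, plus the per-dimension detail."""
    detail = {}
    total = 0.0
    for dim, weight in weights.items():
        overlap = jaccard(incident.get(dim, set()), profile.get(dim, set()))
        detail[dim] = round(overlap, 3)
        total += weight * overlap
    return total / sum(weights.values()), detail


def rank_candidates(incident, profiles=PROFILES, weights=WEIGHTS):
    """Candidates ordered from best to worst fit: (name, score, detail)."""
    ranked = [(name, *score(incident, prof, weights)) for name, prof in profiles.items()]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed incident: the tradecraft matches profile-A, but the network
# infrastructure has been chosen to resemble profile-B.
INCIDENT = {
    "targets": {"political-party"},
    "objective": {"email-archives", "internal-documents"},
    "initial_access": {"spearphish-credential-harvest"},
    "infrastructure": {"bulletproof-hosting", "fast-flux"},
    "obfuscation": {"fake-persona-leak", "third-party-language-strings"},
}

if __name__ == "__main__":
    print("All dimensions weighted:")
    for name, total, detail in rank_candidates(INCIDENT):
        print(f"  {name}: {total:.2f} {detail}")
    print("Infrastructure only:")
    for name, total, _ in rank_candidates(INCIDENT, weights=INFRASTRUCTURE_ONLY):
        print(f"  {name}: {total:.2f}")
```

Run on the constructed incident, the infrastructure-only view ranks profile-B first, while the full weighted view ranks profile-A first with profile-B last, which is the column's point in miniature: server logs and hosting choices on their own can be steered, but the whole pattern is harder to steer. The per-dimension detail is returned alongside the score so an analyst can see which dimensions carried the verdict and which disagreed; a recurring disagreement pattern (tradecraft of one group, infrastructure styled after another) can itself be recorded as a trait in a profile, which is the "combination of spoofs" observation above.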

Not only that, any matter of grave national and international import will necessarily have some aspects which cannot be released, or even hinted at, to the general public or to the cybersecurity community. Therefore, there is an unavoidable element of speculation involved where gaps emerge that require reasoned supposition based on past experience and current knowledge. But none of this necessarily adds up to knowing the full story when the main actors are intelligence agencies, espionage outfits and nation states, especially nation states with the kind of history of relations that exists between the US and Russia.

While on the one hand, it could be argued that the Obama administration is trying to make a point in its dying days regarding the overt distrust expressed by the incoming administration in relation to the intelligence community, another equally valid argument would be that an administration at odds with its own intelligence gathering organs is in for a bumpy ride.

What can be assumed is that if Director Clapper was confident enough to go before a Senate committee to make such assertions, then there is a weight of evidence available. However, even saying that conjures images of Colin Powell before a UN committee with a certain dossier, and we all know how that ended.

I would never advocate acting without evidence — strong, independently verified evidence — but as with anything, how much evidence is enough?


