Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony

Yesterday evening the New York Times reported that un-named American intelligence officials have concluded that the North Korean government was "centrally involved" in the massive breach against Sony (NYSE: SNE), and that the White House hasn't yet decided how it will respond.

Such a claim, if true, requires that two things be done immediately:
  1. The identities of the intelligence officials need to be revealed, or at least the agency that they work for.
  2. The proof that supports that finding needs to be pointed to.
Chances are better than 50/50 that the agency is DHS, the agency which since its inception has redefined the word incompetent.
Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database. 
A parade of high-level departures, on top of other factors, has meanwhile helped slow the rollout of key cybersecurity initiatives, including a program aimed at blocking malicious software before it can infiltrate civilian government computers, former officials say.
The Inspector General's DHS report that came out last month was highly critical as well.

But even if the NY Times source wasn't DHS, the intelligence community (IC) is rarely unified when it comes to intelligence analysis, especially cyber intelligence. The NASDAQ investigation as reported by Bloomberg is a great example.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings. 
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
Cyber Intelligence Can Be Contradictory and Unreliable
Federal agencies' demand for cyber threat intelligence is voracious and they pay well. That demand is frequently met by companies like Mandiant, now part of FireEye - the company handling Sony's incident response. The problem is that these companies have no oversight and no standardized vetting of sources.

A recent Carnegie Mellon report on cyber intelligence tradecraft reported:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
It isn't hard to find examples.

Cylance's last report "Operation Cleaver" claimed that Iran is a sophisticated cyber adversary and pointed to Shamoon as proof. However, technical reporting by both Kaspersky Lab and Crysys Lab noted that Shamoon's author was incompetent; that due to "silly errors" the malware was only 50% effective. If you want to make the case that Iran is a sophisticated cyber warfare actor, you shouldn't point to poorly written malware as an example.

Crowdstrike's "Putter Panda" report made the claim that posts in a Chinese XCar forum were secretly coded messages used to convey information about hacking jobs when it was really just an online forum about cars. This mistake happened because Crowdstrike's researchers used Google Translate instead of native Chinese linguists. When researchers see hidden Chinese hacker messages where none exist, it makes it difficult to accept their analysis of North Korean language peculiarities.

According to Sophos, Dark Seoul malware is not particularly sophisticated and is easy to detect. Symantec referred to Dark Seoul not as malware but as a hacker group responsible for four years of attacks against South Korean websites, including the DDoS attack against some U.S. government websites over Independence Day weekend in July 2009.
McAfee referred to Dark Seoul as an operational name but then changed it to Operation Troy, extended the attack to a four year campaign and, unlike Symantec, added the claim of espionage as the campaign's purpose.

Names Are Collections Of Technical Indicators, Not People
Names given to hacker groups by cyber intelligence companies don't refer to actual people (with a few notable exceptions). Instead they refer to technical indicators or TTPs (tools, techniques and procedures) that attacks have in common. There's no way to tell who belongs to any group, or if you can identify one member of a group from a certain year, where that member is today. Further, different companies assign different names to the same groups which is why you end up with names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda on the unclassified side, and "Bravo Charlie" on the classified side.
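To make the point concrete, here is an added example (mine, not part of the original post) that models each vendor "group" name as nothing more than the set of technical indicators its report was built on, and resolves aliases by indicator overlap. The vendor names are the ones mentioned above; every hash, domain and TTP tag is a constructed placeholder, not a real indicator. The threshold parameter and the union-find clustering are my own choices. Note the "Putter Panda" entry: it shares one tool hash with the Comment Crew cluster, which is exactly the "malware changes hands" situation, and a loose threshold wrongly merges it.

```python
"""
Alias resolution for vendor-named "threat groups" by indicator overlap.

Added example, not from the original post. Each report is a name plus the
indicator set it rests on. Two names are treated as one intrusion set only
when their indicator sets overlap strongly; the result is still a bag of
indicators, never a list of people. All indicators are constructed.
"""
from itertools import combinations

# Constructed sample reports. Names are from the page; hashes, domains and
# TTP tags are made-up placeholders, not real IoCs.
REPORTS = {
    "Comment Crew": {"sha1:aaaa1111", "sha1:bbbb2222", "dom:example-c2.test",
                     "ttp:html-comment-c2", "ttp:spearphish-zip"},
    "APT1": {"sha1:aaaa1111", "sha1:bbbb2222", "sha1:cccc3333",
             "dom:example-c2.test", "ttp:html-comment-c2", "ttp:spearphish-zip"},
    "Comment Panda": {"sha1:bbbb2222", "dom:example-c2.test",
                      "ttp:html-comment-c2", "ttp:spearphish-zip"},
    # Shares a single commodity tool hash with the cluster above ("malware
    # changes hands") but nothing else; one shared tool is not identity.
    "Putter Panda": {"sha1:aaaa1111", "dom:other-c2.test", "ttp:pdf-exploit",
                     "ttp:forum-staging"},
    "Dark Seoul": {"sha1:dddd4444", "ttp:mbr-wiper", "ttp:ddos"},
}


def jaccard(a, b):
    """Jaccard similarity |A∩B| / |A∪B|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(reports):
    """Similarity for every unordered pair of names (keys in sorted order)."""
    return {(x, y): jaccard(reports[x], reports[y])
            for x, y in combinations(sorted(reports), 2)}


def cluster_aliases(reports, threshold=0.5):
    """Union-find over names; two names are linked when Jaccard >= threshold.

    Returns {frozenset(alias names): union of their indicators}. Nothing in
    the output identifies a person; it is purely a merged indicator set.
    """
    parent = {name: name for name in reports}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for (x, y), score in pairwise_overlap(reports).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in reports:
        groups.setdefault(find(name), set()).add(name)
    return {frozenset(names): set().union(*(reports[n] for n in names))
            for names in groups.values()}


if __name__ == "__main__":
    for (x, y), score in sorted(pairwise_overlap(REPORTS).items()):
        print(f"{x:14s} ~ {y:14s} {score:.2f}")
    for thr in (0.5, 0.1):
        print(f"\nthreshold {thr}:")
        for names, indicators in cluster_aliases(REPORTS, thr).items():
            print("  ", " / ".join(sorted(names)), "->", len(indicators), "indicators")
```

With the default threshold the three "Comment" names collapse into one indicator set and Putter Panda and Dark Seoul stay separate; dropping the threshold to 0.1 merges Putter Panda into the Comment cluster on the strength of one shared hash. The analyst's threshold, not any knowledge of who is at the keyboard, decides what the name "means".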

Feeding commercial cyber intelligence that hasn't been subjected to any critical scrutiny or source validation to intelligence agencies, where it gets a new code name and a classification, is a disaster waiting to happen.

Challenge Everything
Is North Korea responsible for the Sony breach? I can't imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired.

My advice to journalists, business executives, policymakers, and the general public is to challenge everything that you hear or read about the attribution of cyber attacks. Demand to see the evidence, not scrubbed "indicators of compromise" that can't be validated. Be aware that the FBI, Secret Service, NSA, CIA, and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that "cyber intelligence" is frequently the world's biggest oxymoron.


"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence, Tallinn, Estonia.