The Russians Aren't Coming.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The Russians Aren’t Coming – Much Ado About Nothing
What happens when you combine [a] a Corporate America that is in such denial that it seems unwilling to spend even $5,000/month to protect itself from cyber-attacks, [b] a Federal government that is in such disarray that it publishes a 13-page cyber-security analysis of alleged hacks by a foreign government, in support of a specific claim of a direct cyber-attack, without a shred of evidence to support its claims, and [c] a runaway asymmetric economic and information gap between cyber-attackers and defenders?
You get what we have right now.
A disastrous state of readiness to defend against a growing cyber-conflict that has been festering in both the private and public sector for more than five years. The recent tale of “Russian cyber-aggression” toward the US is but one example of how precarious our preparedness and competency have become.
We have held from the moment this story broke that this allegation of Russian hacking is nothing more than politics at its worst, and dangerous saber-rattling at its very worst.
But what it does underscore is our continued inability or unwillingness to take these threats seriously and to get real about mounting a grown-up cyber defense strategy and capability.
As the White House and Treasury Department announced new sanctions against Russia over the alleged hacking of US elections, the FBI and Homeland Security released a report that offered supposed proof amid an abundance of disclaimers. Interestingly, the NSA, the branch of US intelligence which presumably has the greatest expertise in the area, and which has the most information about it, is not a co-author of the report. I wonder why that might be.
The Joint Analysis Report (JAR) on “Russian malicious cyber activity” issued by the FBI and the DHS National Cybersecurity & Communications Integration Center (NCCIC) last Thursday contained 12 pages of elementary-school mitigation suggestions and something like 478 words that actually addressed the hack. It used that couple of paragraphs to conflate a style of attack with the actual malware used and with the alleged identity of the hackers, in a way that suggests our own government agencies, the ones supposed to be protecting the country from cyber-attacks, have fundamental categorical definition problems. Someone should tell the analysts at Homeland Security that threat actors and malicious code are two different things.
Note that the report is solely concerned with hacking. It does not discuss who provided the DNC or Podesta material to Wikileaks, it does not say that Russian Intelligence carried out the hacking to influence the outcome of the US Presidential election, and nor does it say that Russian intelligence did this in order to swing the election to Donald Trump.
The report provides no evidence that the hacking was the work of Russian intelligence agencies. It merely states it as a fact and it also states that two different RIS actors [Cozy Bear and Fancy Bear] participated in the intrusion into a U.S. political party. As I have pointed out previously, the claim that these two groups of hackers act for Russian intelligence has so far been based purely on inference, with no hard facts behind it. There is nothing in this report that substantiates this claim or anything that remotely resembles a hard fact to support it.
Security experts have gently criticized the report as "overly simplistic." Jonathan Zdziarski, a highly regarded security researcher, went a bit further by comparing the report to a child’s activity center, and Tom Killalea, the former vice-president of security at Amazon, suggested that the Russian attack on the DNC is similar to so many other attacks in the past 15 years, and that we have to ask ourselves why there was such poor incident response to begin with.
If this is the sum total of the evidence upon which the current administration is claiming that the Russians were behind the leak of the DNC and Podesta emails, and that they did this to swing the election to Donald Trump, then this “evidence” in no way does that. Indeed if anything, what the report shows is how confected this whole set of claims actually is.
The hysterical media attention and Congressional uproar around this cyber-non-event is disturbing and it kindles unfortunate parallels between the lead-up to the U.S. invasion of Iraq and these current unsupported claims of Russian election interference. Like the Bush administration's claims of Iraqi weapons of mass destruction, it is clear that these current charges have not been established beyond supposedly classified and secret intelligence sources, none of which of course are revealed.
Even when detailing the efforts of the two purported hacker groups, the report uses vague and noncommittal language, and the political party allegedly hacked by the two groups is never even identified:
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients… In the course of that campaign, APT29 successfully compromised a US political party. In spring 2016, APT28 compromised the same political party,” the report continues. “Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The US Government assesses that information was leaked to the press and publicly disclosed.”
This reference is likely to emails and documents of the Democratic National Committee, which were made public by Guccifer 2.0 and WikiLeaks – both of whom have categorically rejected any claim of Russian hackers being responsible. It could also refer to WikiLeaks publishing emails from the private account of Hillary Clinton’s campaign chairman John Podesta, over the course of a month prior to the November 8 election. The JAR does not actually say so, however.
Nor does the JAR note anywhere that it was CrowdStrike, a cybersecurity company hired by the DNC to investigate the June 2016 data breach, that accused APT28 and APT29 – which it referred to by their aliases “Fancy Bear” and “Cozy Bear” – of being Russian government entities. CrowdStrike has never offered any proof for this assertion, which the JAR merely repeats without attribution.
The second half of the report is focused on mitigation strategies, from backing up one’s data and changing passwords to information-sharing with the government and giving Homeland Security access to networks for “voluntary assessments” of vulnerabilities.
An appendix to the report lists hundreds of IP addresses and code the authors say are “used by Russian civilian and military intelligence services.” While some of the addresses are in Russia, others are in the US, and none of the data actually points to Russian involvement.
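The two paragraphs above describe a report that pairs generic mitigation advice with an appendix of IP addresses, some of which sit in ordinary US hosting space. Before such a list is loaded into a sensor, a defender vets it: malformed and private entries are useless, and addresses in shared infrastructure will match legitimate traffic. The script below is an added example, not code from the article or from the JAR; the indicator list, the shared-infrastructure ranges and the firewall log lines are all constructed (RFC 5737 documentation addresses and RFC 1918 space), so nothing in it names a real host. A hit records only that a monitored host spoke to a listed address, which is the most an IP match can ever establish.

```python
"""Vet a report's IP indicator list, then match it against firewall logs.

Added example: the indicator list, shared ranges and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list, shaped like a report appendix. Documentation
# ranges (RFC 5737) and RFC 1918 space only, so no real host is named.
RAW_INDICATORS = [
    "203.0.113.7",
    "198.51.100.22",
    "192.0.2.0/24",
    "10.0.0.5",           # RFC 1918: meaningless as an external indicator
    "not-an-address",     # malformed entry, as appendices sometimes contain
]

# Hypothetical shared-infrastructure ranges the defender maintains (public VPN
# exits, hosting blocks). Indicators inside them are kept but marked for review.
SHARED_INFRA = [ipaddress.ip_network("198.51.100.0/24")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network
    confidence: str   # "usable" or "review"


def vet_indicators(raw):
    """Parse each entry; reject what cannot be used; downgrade what overlaps shared ranges."""
    vetted, rejected = [], []
    for entry in raw:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if any(net.overlaps(p) for p in RFC1918):
            rejected.append((entry, "private address space"))
            continue
        shared = any(net.overlaps(s) for s in SHARED_INFRA)
        vetted.append(Indicator(net, "review" if shared else "usable"))
    return vetted, rejected


# Constructed firewall log lines.
SAMPLE_LOGS = [
    "2016-12-29T10:00:01Z ALLOW src=192.168.1.20 dst=203.0.113.7 dport=443",
    "2016-12-29T10:00:02Z ALLOW src=192.168.1.21 dst=198.51.100.22 dport=443",
    "2016-12-29T10:00:03Z ALLOW src=192.168.1.22 dst=192.0.2.44 dport=80",
    "2016-12-29T10:00:04Z ALLOW src=192.168.1.23 dst=203.0.113.200 dport=443",
    "2016-12-29T10:00:05Z DENY src=192.168.1.24 dst=192.168.1.1 dport=22",
]

LOG_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")


def match_logs(lines, indicators):
    """Return one hit per (line, indicator) pair whose src or dst falls inside the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in m.groups():
            try:
                addr = ipaddress.ip_address(field)
            except ValueError:
                continue
            for ind in indicators:
                if addr in ind.network:
                    hits.append({"line": line,
                                 "indicator": str(ind.network),
                                 "confidence": ind.confidence})
    return hits


def run():
    """Vet the constructed list and match it against the constructed logs."""
    vetted, rejected = vet_indicators(RAW_INDICATORS)
    hits = match_logs(SAMPLE_LOGS, vetted)
    return vetted, rejected, hits


if __name__ == "__main__":
    vetted, rejected, hits = run()
    for entry, why in rejected:
        print(f"rejected {entry!r}: {why}")
    for h in hits:
        print(f"[{h['confidence']}] {h['indicator']} <- {h['line']}")
```

On the constructed data two entries are rejected, three survive, and three log lines match; the one hit on shared hosting space comes out tagged "review" rather than raising an alert on its own. Swapping in a real appendix and real shared-infrastructure ranges changes nothing about what a match means: it is evidence of contact with an address, not of who was behind it.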
So, as John McAfee just said, the report is a “fallacy,” explaining that hackers can fake their location, their language, and any markers that could lead back to them, in case anyone at Homeland Security needed that explanation. You never know.
“Any hacker who had the skills to hack into the DNC would also be able to hide their tracks,” he said recently in an interview with Larry King (of all people). “If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization,” McAfee said, adding that, in the end, “there simply is no way to assign a source for any attack, but if it looks like the Russians did it, then I can guarantee you it was not the Russians.”
But unlike Saddam Hussein and his alleged WMD, trifling with Vladimir Putin and his 8,000-some-odd nuclear warheads is a recipe for a different sort of war than the one we waged so brilliantly in the Iraq desert over the last 15 years.
I for one am hoping that this new administration can hold back the barking Congressional dogs long enough to bring some common sense to the party and build an actual cyber-security defense strategy that might work.
Strategic Advisor-Special Projects, American Municipal Power, Inc
7 years
You are missing it. The Russians are coming.... to be our partner in managing the disruptive but beneficial changes coming in our world. Don't believe me? Please look at the decade-long partnership of USA and Russia in our successful joint space program. I am buying Russia and selling the Democratic Party.
Principal at RisQuant Energy
7 years
Great article! One more thought. The code name for this Russian op was 'Grizzly Steppe'. Don't these idiots realize that Grizzlies live in North American mountains, not on Russian plains?
Keynote Speaker. Consultant. Podcast Host of The Brett Johnson Show. Cybercrime, Identity Theft, Cybersecurity Expert. Original Internet Godfather. Former US Most Wanted turned Good Guy. Chief Criminal Officer at-large.
7 years
Heading down a pretty slippery slope in discounting US Intelligence reports. Now, before you get all riled up, I am aware about the whole WMD thingy and Gulf of Tonkin blah, blah, blah. What I am saying is to discount the reports of these agencies is foolhardy. For Trump to do so lays a dangerous path that puts him in the camp of people who say that jet fuel can't melt steel beams and the Newtown massacre was a false flag operation. Do we really want to do that? And as much as I recognize the mad genius of John McAfee, do we really want to pay serious attention to a man who literally went off to the jungle to live like Colonel Kurtz in Apocalypse Now? I mean, REALLY?
Cyber Strategist, Cyber OSINT
7 years
When I keep seeing this from you and Jeff Carr, I have to wonder wtf you are thinking?