Beyond a Reasonable Doubt? Assessing Kremlin's Role in Hack
Does Enough Evidence Exist to Justify Sanctions Against Russians?
Under U.S. law, you don't need a smoking gun to convict a suspect of committing a crime. An accumulation of evidence could persuade a jury to find the defendant guilty beyond a reasonable doubt.
Using that same logic, the Obama administration and the American intelligence community have released documents and other evidence that they contend - and many cybersecurity experts agree - show a high probability (beyond a reasonable doubt) that hackers tied to the Russian government breached Democratic Party computers in an attempt to influence the outcome of last year's presidential election (see Russian Election-Related Hacking Details Declassified).
Voice of Skepticism
Yet the lack of a smoking gun - absolute certainty - has some experts not entirely convinced that the Russians or their backers did it. At best, the Obama administration's evidence shows the Kremlin was likely involved in the breaches. In legal parlance, that's known as a preponderance of evidence, not enough to convict in a criminal court but good enough to bring a judgment against a defendant in civil court.
But is the evidence presented convincing proof that the Kremlin was involved, and if so, to the degree that the sanctions brought by the U.S. - including the expulsion of 35 Russian diplomats - are justified and appropriate?
"Our intelligence community is strong and firm on it being Russia; there's a good probability that they are accurate," says David Kennedy, senior principal security consultant at the security consultancy TrustedSec.
But Kennedy remains unconvinced, at least based on the evidence the government has provided, that the Russians directed the hacks against the Democratic National Committee. "I am skeptical still since there is no evidence to prove either way," he says.
Along with President Barack Obama's announcement of the sanctions, the Department of Homeland Security and FBI released last week a joint analysis report on Russian malicious cyber activity, known as Grizzly Steppe, that includes declassified information on computers Russian intelligence services had co-opted without the knowledge of their owners. Though the report documents how the U.S. government believes Russian operatives hacked the DNC, it does not contain the smoking gun. But that doesn't mean U.S. intelligence services lack definitive proof of the Russian government's involvement.
Classified Evidence?
Perhaps the Obama administration has definitive proof of Russian involvement but hasn't released it because the information is classified. The government might withhold such information because it doesn't want to disclose the identity of individuals who provided details about the breaches or reveal the tactics used to collect the evidence.
"It's a difficult balance," Kennedy says. "Do you release intelligence sources and blow implants and methods for getting the information such as spies and HUMINT [human intelligence]? Or do you release little bits of information to try to let the U.S. population know something occurred? Or do you not go public at all and respond covertly? It's difficult and not something that's easy to answer on the best approach."
Cybersecurity expert Herbert Lin offers a hypothetical scenario in which an individual in Russian President Vladimir Putin's Kremlin office tipped off the CIA that Putin directed the hacking. "That would be very good evidence, but do you think we would publicize that? That's absurd," says Lin, senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation. He published an academic paper on attribution in September. "If you just looked at what was made public, I could understand why [doubts exist]. But that doesn't mean the [intelligence services] are wrong and doesn't mean they haven't done a responsible job."
Construing Putin's Denial
Putin has repeatedly denied his involvement in the DNC breaches. But in a Sept. 2 interview with Bloomberg News, he said: "Listen, does it even matter who hacked this data? The important thing is the content that was given to the public."
Such a statement seems to support the argument that the Kremlin was involved in the hacks.
"It's consistent with longstanding Russian intelligence practices, where in similar incidents they routinely denied any involvement [and] ... with Russian policy, which is to attack the Western values that threaten the Putin regime," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. "This is a more complicated story about undermining a democratic election, in part, because the Russians expected Clinton to win."
Circumstantial evidence in the DNC attack includes identifying known methods of a particular hacking group gathered from previous investigations that mirror techniques discovered through a forensic probe of the newer attacks. "Clues such as what keyboards are used, what time zones the hackers work from, or what expressions are used to name modules can tell us which country they are likely from," says Martin Libicki, the think tank Rand Corp.'s expert on Russian and Chinese cyberspace activities.
Indeed, Strategic Cyber Ventures CEO Tom Kellermann, reviewing government evidence, points out that hackers used the same type of Cyrillic keyboards to breach DNC computers that were used in previously orchestrated attacks by Russian hackers against the financial sector.
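The working-hours and keyboard clues the experts describe above are circumstantial indicators, and the following added example (not from the article or the Grizzly Steppe report) shows how an analyst would actually tabulate them. It assumes a constructed list of UTC artifact timestamps (build times, C2 check-ins) and a constructed list of strings pulled from a sample, scores each candidate UTC offset by how much activity lands inside a 09:00-18:00 local workday, and flags strings containing Cyrillic letters. Both signals are easy to forge, so the script reports them as hints to be weighed with other evidence, never as proof.

```python
from collections import Counter
from datetime import datetime, timezone
import unicodedata

# Constructed sample data for illustration only; not real case artifacts.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-03-14T06:12:00", "2016-03-14T06:48:00", "2016-03-15T06:30:00",
    "2016-03-15T07:10:00", "2016-03-16T08:55:00", "2016-03-16T09:20:00",
    "2016-03-17T10:40:00", "2016-03-17T11:05:00", "2016-03-18T12:15:00",
    "2016-03-18T13:50:00", "2016-03-21T14:05:00", "2016-03-21T14:30:00",
    "2016-03-19T22:30:00",  # late-night outlier, keeps the fit below 100%
]
SAMPLE_STRINGS = ["loader", "Загрузчик", "update.dll", "config"]

WORKDAY_START, WORKDAY_END = 9, 18  # local working hours, [start, end)


def utc_hour_histogram(timestamps):
    """Count how many artifacts fall into each UTC hour of the day."""
    hist = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        hist[dt.hour] += 1
    return hist


def workday_fit(hist, utc_offset_hours):
    """Fraction of activity inside local working hours for one UTC offset."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    inside = 0
    for utc_hour, n in hist.items():
        local_hour = (utc_hour + utc_offset_hours) % 24
        if WORKDAY_START <= local_hour < WORKDAY_END:
            inside += n
    return inside / total


def rank_offsets(timestamps, candidates=range(-12, 15)):
    """Return (offset, fit) pairs, best fit first; ties favour offsets near UTC."""
    hist = utc_hour_histogram(timestamps)
    scored = [(off, workday_fit(hist, off)) for off in candidates]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def cyrillic_strings(strings):
    """Strings containing at least one Cyrillic letter: a weak keyboard/locale hint."""
    return [s for s in strings
            if any("CYRILLIC" in unicodedata.name(ch, "") for ch in s)]


if __name__ == "__main__":
    best_offset, best_fit = rank_offsets(SAMPLE_TIMESTAMPS_UTC)[0]
    print(f"Best workday fit: UTC{best_offset:+d} ({best_fit:.0%} of activity in office hours)")
    print("Strings with Cyrillic characters:", cyrillic_strings(SAMPLE_STRINGS))
    # Timestamps can be forged and foreign-language strings planted, so treat
    # both as hints that must agree with other evidence, not as attribution.
```

With the constructed sample the top-ranked offset is UTC+3 (Moscow's standard offset), with 12 of 13 timestamps inside local office hours; a real investigation would run this over hundreds of artifacts and compare the result against the other indicators the article lists before drawing any conclusion.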
Trump's Doubts
Still, President-elect Donald Trump said earlier in the week that he would meet with the intelligence community on Tuesday or Wednesday to discuss the breaches. But on Tuesday, he tweeted: "The 'Intelligence' briefing on so-called 'Russian hacking' was delayed until Friday, perhaps more time needed to build a case. Very strange!"
The "Intelligence" briefing on so-called "Russian hacking" was delayed until Friday, perhaps more time needed to build a case. Very strange!
— Donald J. Trump (@realDonaldTrump) January 4, 2017
Several media outlets, citing top intelligence officials, reported that the meeting was never scheduled to occur until later in the week.
During the presidential campaign, and in recent days, Trump has raised doubts about the veracity of the intelligence community's analysis. He has repeatedly made the point that members of the intelligence community said in 2002 that Iraq had weapons of mass destruction, and they were wrong. He asks: Why should they be believed now?
Those who accept the intelligence community's assessment on the breaches contend that no equivalency exists with the weapons of mass destruction appraisal.
Iraq at one time possessed weapons of mass destruction but destroyed them. "Saddam played a misinformation campaign that convinced the West - including the U.S. - that he still had them," says retired CIA CIO Robert Bigman, referring to then-Iraqi leader Saddam Hussein. "Even during the Iraq weapons of mass destruction debate, members of the intelligence community" - such as the State Department's Bureau of Intelligence and Research and Defense Intelligence Agency - "were not entirely convinced of the evidence."
But in the hacking of the DNC, all 17 U.S. intelligence agencies reviewed the evidence and agreed with an analysis by the cybersecurity firm CrowdStrike that the Russians were involved (see Democratic National Committee's Computers Breached). "This is good enough for me," Bigman says. "Trump is simply wrong."
Imposing Sanctions
Yet, without absolute certainty, should the U.S. have imposed sanctions on Russia? "It is a big deal to impose sanctions on another country and accuse them of severe attacks without being 100 percent factual and accurate," TrustedSec's Kennedy says.
Bigman, however, contends enough proof exists to justify the sanctions. "Yes, there is always the slight chance that the quacking duck is something else - but not in this case," says Bigman, now an independent cybersecurity consultant. "It is also important to understand that the intelligence community has other sources and methods that give them a high degree of confidence that they truly have the guilty party."