Should we be skeptical of government hack attributions?

Earlier this month, the Department of Homeland Security and the Office of the Director of National Intelligence released a rare joint statement accusing the Russian government of having “directed the recent compromises” of email accounts and servers, including “U.S. political organizations” such as the Hillary Clinton campaign and the Democratic National Committee.

While this is far from the first time that U.S. government agencies have laid blame for cyberattacks, many people, including at least two candidates in the current presidential race, have openly contested the government’s conclusions.

“Maybe there is no hacking,” Donald Trump said during the presidential debate on October 9, two days after the DHS-ODNI statement release.

“Whoever says it’s the Russians or the Chinese is either lying to themselves or purposely lying to you,” John McAfee, who founded McAfee Antivirus and dropped out of the race earlier this year, told The Parallax in August.

“At some level, there’s always a conspiracy theory that can account for some misdeed,” says Herb Lin, a computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation. “Attribution is fundamentally a government intelligence process. If you’ve got seven indicators that all point weakly in the same direction, that tells you something. And you shouldn’t throw that away. That’s how the intelligence business works.”

“Attribution may be based on more than just [a] digital trail in a specific case. It may also be based on a series of exchanges between a series of humans, and even the broader diplomatic relationship.” — Andrea Matwyshyn, Fulbright Cyber Security scholar

Yet tracking down where a packet of data sent across the Internet came from—let alone the human who sent it—is no easy feat, says Marcus Sachs, senior vice president and chief security officer of the North American Electric Reliability Corporation, a nonprofit company tasked with assuring the reliability of the North American power grid.

“Trying to figure out who is controlling the [command] server [of an attack], where it’s a single packet that activates a system they’ve been building among millions of packets,” he says, “is like trying to identify where a single grain of sand on the beach came from.”

Sachs says that “sometimes a hard confirmation is designed to fool you. The small clues in forensics work are often the better clues. You have to spend time piecing them together.”

Given that the evidence used by government agencies to conclude who is behind a cyberattack is often privileged and privy only to people with proper security clearances, it’s not surprising that many people are skeptical of official pronouncements, says Andrea Matwyshyn, a Northeastern University law professor living in London as a U.S.-U.K. Fulbright Cyber Security scholar.

While computer security experts who work for private businesses may be seeing digital forensic evidence that points in one direction, she says, those who work for government agencies have access to more and different forms of information. In government, “attribution may be based on more than just [a] digital trail in a specific case. It may also be based on a series of exchanges between a series of humans, and even the broader diplomatic relationship” between nation-states, Matwyshyn says.

Questions regarding the veracity and transparency of evidence lie at the center of the debate over whether to trust government accusations of culpability for cyberattacks and computer hacking. And identifying the computer or Internet address from which an attack was committed is not the same as identifying the person who pressed the keys to initiate an attack, Lin wrote in a September 2016 report on cyberattack attribution, nor the same as identifying the organization bankrolling the attack.

At the same time, public trust in government agencies “to do what is right” remains at historic lows reached in 2007, according to a survey the Pew Research Center has conducted annually since 1958, further undermining government conclusions.

Accurately tracing data sent across the Internet and used to commit cybercrime, and then ascribing that action to a particular person, company, or government, is anything but trivial, says Mark Lowenthal, a former assistant director of analysis at the CIA and now president of The Intelligence & Security Academy.

“Part of attribution is always, who benefits? Cui bono? I think the [DNC email hack and leak] case is the really interesting case. The fact that James Clapper, the director of national intelligence, believes that this came from Russia—that’s a pretty big step,” Lowenthal says. “I know [him]. He wouldn’t do this—even if lawmakers pressured him—just to shame Russia.”

The joint statement by the DHS and ODNI on the email server hacks connected “tactics and techniques” committed by the political email server hackers to previous attacks made by Russia in Europe and Asia.

This is notable, Lowenthal says, given that just last year, Clapper delivered a prepared statement on “Worldwide Cyber Threats” to the House Permanent Select Committee on Intelligence, in which he mentioned digital forensics only once, to note how hard they are to complete.

“Even when a cyberattack can be attributed to a specific actor, the forensic attribution often requires a significant amount of time to complete,” Clapper said last year.

The technical side of attribution is difficult because of the very method by which devices connected to the Internet can find each other. Each Internet-connected device, such as a computer or phone, is assigned a number that consumers most often see assigned to and represented by a Web address, such as the-parallax.com and its Internet Protocol address, 45.79.163.229. The Domain Name System, or DNS, essentially serves as the Internet’s phone book by enabling easily understandable website names to connect to IP addresses.

Every time a signal is sent from one IP address to another, it gets recorded. Tracing those “hops” from address to address is at the core of tracing how an attack progresses across the Internet, says Paul Vixie, an Internet and DNS pioneer who is now the CEO of Farsight Security.

However, Vixie cautions, tracing the movement of data across the Internet isn’t easy. “It’s a lovely puzzle game—I love it. DNS requests are sometimes so stylized that they can only come from one place.”

Government agencies and private companies investigating attacks generally look at the size of and time stamps created by data transfers, Vixie says, as both provide clues as to the data content—and as to whether the transfer logs are being faked.

While official pronouncements of culpability almost never go into details, Vixie says, it’s not because they don’t have proof. Investigators just don’t want to tip their hand.

“You don’t want to reveal your capabilities to the public,” he says.