Why doubts still cloud Russian hacking allegations
how people think
Evidence that the government has presented so far linking Russian operatives to the DNC hack is questionable, fueling skepticism and doubt about Moscow's role.
—Since the White House blamed Russia for hacking US political organizations to undermine the presidential election, administration critics, skeptics, and cybersecurity experts have pushed the government to reveal its evidence.
But so far, much of what has come out of Washington regarding Moscow's suspected digital tampering has only raised more questions about the government's claims.
A joint analysis of recent hacking activity by the FBI and Department of Homeland Security (DHS) released Dec. 29 generated confusion about the scope of the political hacking campaign, leading many experts to doubt the agencies’ abilities to investigate sophisticated, multilayered digital attacks.
“At this point, we don’t know what is a trusted source and what isn’t,” says Bob Radvanovsky, cofounder of the security research firm Infracritical. “It really confuses people. Is the government of Russia behind these things, or is it some hacker kids in Ukraine?”
Even as Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers said at a Senate hearing Thursday they are more certain than ever that Russia orchestrated the political hacking campaign, critics seem to be unconvinced.
Earlier this week, WikiLeaks founder Julian Assange told Fox News that Russians did not provide hacked political documents from John Podesta, former chairman of the Hillary Clinton campaign, and other Democratic Party operatives that he published on the antisecrecy site.
President-elect Donald Trump, one of the chief critics of the administration's Russia allegations, reiterated Mr. Assange's claim in a tweet: "Julian Assange said 'a 14 year old could have hacked Podesta' – why was DNC so careless? Also said Russians did not give him the info!"
It remains to be seen whether the US intelligence community will be able to convince Mr. Trump and other skeptics. But time is running out. Trump is set to take office Jan. 20.
After promising and then failing to release his own evidence related to the hacks early this week, Trump said that he'll receive an intelligence briefing on the matter this Friday. Both Congress and the Obama administration are waiting for a full report from the country’s intelligence community on the hacking campaign.
Fog of cyberattacks
US officials’ attempts to grasp the scope of an unprecedented cyberattack speaks to the difficulty of attributing cyberattacks and to the complex nature of the campaign carried out against the US during the presidential election.
The attacks against the Democratic National Committee (DNC), Democratic Congressional Campaign Committee, and the Clinton presidential campaign involved a mix of targeted digital attacks, leaked emails, and the spread of fake news. Unraveling that kind of operation isn't an easy undertaking.
"Russia’s best cyber operators are judged to be as elusive and hard to identify as any in the world," said Sen. Jack Reed (D) of Rhode Island during the Armed Services Committee hearing Thursday on cyberthreats. "In this case, however, detection and attribution were not so difficult, the implication being that Putin may have wanted us to know what he had done, seeking only a level of plausible deniability to support an official rejection of culpability."
Still, cybersecurity experts have expressed frustration with the government's stumbles as it tries to relay what it knows about the attacks and with what many consider ham-fisted efforts to connect them back to the Kremlin.
Since it was released last week, the DHS and FBI analysis of the campaign the agencies dubbed “Grizzly Steppe” has been roundly criticized by cybersecurity professionals as incomplete, outdated, and politicized.
“The Grizzly Steppe report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence,” wrote Robert M. Lee, a former Air Force Cyber Warfare Operations Office and the chief executive of the cybersecurity firm Dragos Security.
Even though Lee has said he believes Russian operatives hacked the DNC, he says the government has stumbled making its case. His criticism, and those of other cybersecurity professionals, centers on the decision by DHS and FBI to characterize an extensive catalog of hacker groups, as well as tools, tactics and characteristics – what the industry refers to as “indicators of compromise” – and attribute all of it to the Russian government.
But the government's laundry list of evidence also includes common families of malicious software with names like BlackEnergy and Havex that are widely known and used by state actors and cybercriminals alike. While some of that software may have been created in Russia and found in prior Russian government campaigns, it doesn't prove the government's case that Russian operatives carried out the US political hacks.
“[The Grizzly Steppe report] is full of garbage,” wrote security expert Robert Graham on his blog. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.”
By equating such commonplace online threats with Russian hacking, the government's Grizzly Steppe analysis darkens the already muddy waters of attributing cyberattacks, experts say.
And those critics didn’t need to wait long for evidence of how sloppy evidence regarding the suspected Russian hack could go wrong.
The hack that wasn't
Last weekend, The Washington Post published claims that Russian hackers penetrated the US electric grid by way of the Vermont utility Burlington Electric. That report cited unnamed US officials saying that “code associated with the Russian hacking operation dubbed Grizzly Steppe” was detected within the facility. The story prompted a swift response from Vermont Gov. Peter Shumlin, who issued a statement decrying Russian tampering with US critical infrastructure.
But the article was immediately discredited and the Post backed away from the initial story. The Post published a follow up that said the suspicious computer activity identified at Burlington Electric was not connected to “Russian government effort to target or hack the utility.”
Cybersecurity experts pinned the blame for the confusion squarely on the Obama administration’s Grizzly Steppe report. “This misinformation is your fault,” Mr. Graham wrote.
Others such as Mr. Radvanovsky questioned the timing of the report, which DHS and the FBI made public on the same day that President Obama announced sanctions against the Russian government, expelling 35 Russian diplomats from the country in retaliation for the hacks.
“Because the timeliness of the [Grizzly Steppe report] … it leaves some doubt as to whether any of this happened at all,” he says. “This whole thing looks like it was entirely politically based and that raises questions about the merit of the report.”
A history of skepticism
This isn’t the first time the cybersecurity community has cast doubt on the Obama administration and the US Government analysis after cyberattacks.
Following the Sony Pictures Entertainment hack in 2014, the FBI and the Obama administration moved quickly to pin the blame on hackers working for the government of North Korea, citing similarities in the malware used in the attack. That, despite persistent questions from cybersecurity experts about other possible culprits.
Others point to another, older incident of bad intelligence from DHS and FBI. In 2011, the agencies revealed they were investigating a purported Russian hack that caused a water pump to fail in the Curran-Gardner Township Public Water District in Illinois. The news spawned a blizzard of reports about destructive cyberattacks from the US’s Cold War foe.
Like the Burlington Electric hack, however, further investigations soon proved those initial reports were wrong. The pump in question simply reached the end of its life and burned out.
The Curran-Gardner dust-up eventually faded into the background. The administration’s narrative about North Korea hacking Sony Pictures eventually prevailed. But the controversy over the government’s report on Russia’s hacking may be more difficult to recover from, experts say.
The holes in the Grizzly Steppe analysis will give critics more cause to doubt future government claims about Russian hacking or campaigns by other nation-states, say experts. At the same time, the botched intelligence about the Burlington Electric hack will damage already fraught relations between private sector firms, critical infrastructure owners, and the government at a time when cybersecurity cooperation is increasingly important.
“People will point to [Burlington Electric] and to Curran-Gardner and say, ‘This is happening because these people don’t know what they’re looking at,’ ” said Jake Brodsky, a Senior Control Systems Engineer who works for a large, East Coast water utility.
And, with no legal requirement to report cyber incidents, Mr. Brodsky said, companies that own and operate critical infrastructure may hold back on reporting suspicious incidents. “Utilities will not put it out there,” he said. “They don’t need the grief.”