Opinion: Before pointing fingers after cyberattacks, Remember the Maine
Without presenting evidence, Justice Department officials have blamed the Iranian government for a digital incursion at a small dam outside Rye, N.Y. But history shows unsupported accusations of that kind are dangerous.
It's easy to point the finger at China, Russia, Iran, or North Korea and say, "They did it." It's harder to produce real proof.
For instance, in the case of the Sony Pictures hack, the US government blamed North Korea. In the case of the cyberattack against the Office of Personnel Management, the government blamed China. When hackers cut the power in Ukraine, observers blamed Russia. And, now, the Department of Justice is blaming Iran for an intrusion that can hardly be described as a cyberattack at a small dam outside Rye, N.Y.
It's not entirely clear what actually happened at the Bowman Avenue Dam. But this is what we know for certain: The dam doesn't have electrical generation capability and its only electronically controlled item is a flood control sluice gate. And dam officials said that has never been fully operational.
We still don't know what evidence the Justice Department has to blame the Iranian government for whatever incursion happened at the dam. And that certainly doesn't instill confidence in its ability to accurately identify the true culprits.
In many cyberincident responses in the corporate world, there are tons of evidence to implicate the perpetrator – reams of log files, Internet protocol (IP) addresses, network traffic, and malware samples. Yet, despite all of this evidence present in most online breaches, the US government has not offered even one IP address for any of its international cases of attribution.
Obviously, the investigators at the FBI, National Security Agency, and CIA have access to numerous additional sources of evidence. There are sources that are most likely considered sensitive and if revealed could give an advantage to the opposing side. It's understandable that the government would want to protect those sources and not reveal them.
But to not provide any evidence whatsoever when accusing another nation-state of something that could potentially lead to a shooting war is irresponsible.
In October 1962, President Kennedy faced the greatest challenge of his presidency. He was presented with top-secret U2 spy plane photos showing that the Soviet Union had installed nuclear missiles capable of reaching the continental United States from communist Cuba. This placed nuclear missiles just 200 miles or less from the US border at the height of the Cold War.
Kennedy had many choices of how to respond, everything from doing nothing to a full-scale invasion of Cuba. Along with other actions, such as a naval blockade, he also chose to make his top secret U2 photos public, to have them published in newspapers and on TV for the whole world to see.
Publication of these top-secret photos convinced skeptics that nuclear missiles were actually present in Cuba. It also compromised operational security of the U2 program. Publication of the top-secret photographs revealed to the world just how detailed the images from the U2 could be. Kennedy gave up this intelligence advantage to demonstrate the importance of the crisis.
History is rife with examples of attribution gone wrong. The battleship Maine was supposedly blown up by a Spanish mine, an accusation that led to the Spanish-American War and the "Remember the Maine" battle cry.
However, investigations never conclusively determined the cause of the explosion. The Gulf of Tonkin Incident, which contributed to the start of the Vietnam War, was later blamed on radar anomalies. And the weapons of mass destruction that led to the US invasion of Iraq were never found.
There are also numerous incidents that have been attributed to a cyberattack that were later proved to be anything but.
Richard Clarke, the counterterrorism coordinator for both the Clinton and Bush administrations, blamed numerous blackouts in Brazil in 2005 on hackers. These were later confirmed to be caused by soot on electrical insulators, not hackers.
A 2011 water pump failure in Illinois was initially blamed on Russian hackers but was later determined to just be a routine pump failure. Unnamed sources in a Bloomberg story blamed a pipeline blast on a cyberattack even though the valves involved in the blast weren't electronically controlled.
These and other incidents show how easy it is to get attribution completely wrong, especially in the cyber-realm.
Poor attribution happens all the time and attribution without evidence is a dangerous thing. It can start wars and get people killed.
I don't doubt that the government has the evidence to support its claims of various cyberattacks and I support the government's decision to levy sanctions in some cases. I only ask that it shares at least some of that data in its possession proving its attribution claims with the public.
Remember the Maine.
C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.