
Opinion: Before pointing fingers after cyberattacks, Remember the Maine

Without presenting evidence, Justice Department officials have blamed the Iranian government for a digital incursion at a small dam outside Rye, N.Y. But history shows unsupported accusations of that kind are dangerous.

Adrees Latif/Reuters
Officials at the Department of Justice are blaming Iran for a so-called "cyberattack" on the Bowman Avenue Dam outside Rye, N.Y. The dam's reservoir is pictured above.

It's easy to point the finger at China, Russia, Iran, or North Korea and say, "They did it." It's harder to produce real proof.

For instance, in the case of the Sony Pictures hack, the US government blamed North Korea. In the case of the cyberattack against the Office of Personnel Management, the government blamed China. When hackers cut the power in Ukraine, observers blamed Russia. And now the Department of Justice is blaming Iran for an intrusion at a small dam outside Rye, N.Y., that can hardly be described as a cyberattack.

It's not entirely clear what actually happened at the Bowman Avenue Dam. But this is what we know for certain: The dam has no electricity-generating capability, and its only electronically controlled item is a flood-control sluice gate. And dam officials said that gate has never been fully operational.

We still don't know what evidence the Justice Department has to blame the Iranian government for whatever incursion happened at the dam. And that certainly doesn't instill confidence in its ability to accurately identify the true culprits.

In many cyberincident responses in the corporate world, there is abundant evidence to implicate the perpetrator – reams of log files, Internet protocol (IP) addresses, network traffic, and malware samples. Yet, despite all of this evidence being present in most online breaches, the US government has not offered even one IP address in any of its international cases of attribution.

Obviously, the investigators at the FBI, National Security Agency, and CIA have access to numerous additional sources of evidence. Those sources are most likely considered sensitive and, if revealed, could give an advantage to the opposing side. It's understandable that the government would want to protect those sources and not reveal them.

But to not provide any evidence whatsoever when accusing another nation-state of something that could potentially lead to a shooting war is irresponsible.

In October 1962, President Kennedy faced the greatest challenge of his presidency. He was presented with top-secret U2 spy plane photos showing that the Soviet Union had installed nuclear missiles in communist Cuba capable of reaching the continental United States. This placed nuclear missiles 200 miles or less from the US border at the height of the Cold War.

Kennedy had many choices of how to respond, everything from doing nothing to a full-scale invasion of Cuba. Along with other actions, such as a naval blockade, he also chose to make his top-secret U2 photos public, to have them published in newspapers and on TV for the whole world to see.

Publication of these top-secret photos convinced skeptics that nuclear missiles were actually present in Cuba. It also compromised operational security of the U2 program. Publication of the top-secret photographs revealed to the world just how detailed the images from the U2 could be. Kennedy gave up this intelligence advantage to demonstrate the importance of the crisis.

History is rife with examples of attribution gone wrong. The battleship Maine was supposedly blown up by a Spanish mine, which led to the Spanish-American War and the "Remember the Maine" battle cry.

However, investigations never conclusively determined the cause of the explosion. The Gulf of Tonkin Incident, which contributed to the start of the Vietnam War, was later blamed on radar anomalies. And the weapons of mass destruction that led to the US invasion of Iraq were never found.

There are also numerous incidents that have been attributed to a cyberattack that were later proved to be anything but.

Richard Clarke, the counterterrorism coordinator for both the Clinton and Bush administrations, blamed numerous blackouts in Brazil in 2005 on hackers. These were later confirmed to have been caused by soot on electrical insulators, not hackers.

A 2011 water pump failure in Illinois was initially blamed on Russian hackers but was later determined to be a routine pump failure. Unnamed sources in a Bloomberg story attributed a pipeline explosion to a cyberattack even though the valves involved in the blast weren't electronically controlled.

These and other incidents show how easy it is to get attribution completely wrong, especially in the cyber-realm.

Poor attribution happens all the time and attribution without evidence is a dangerous thing. It can start wars and get people killed.

I don't doubt that the government has the evidence to support its claims of various cyberattacks, and I support the government's decision to levy sanctions in some cases. I only ask that it share at least some of the data in its possession proving its attribution claims with the public.

Remember the Maine.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog. 
