In between news coverage of Hurricane Matthew and reactions to the leaked Donald Trump videotape, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement last week accusing Russia of orchestrating cyberattacks to interfere with US elections.
This marks only the fourth time that the US has formally accused a nation of digital breaches. The first was in December 2014 when the FBI accused North Korea of orchestrating the devastating Sony Pictures attack. In May of that year, the Justice Department formally charged five Chinese military officers for several cyberincidents at US nuclear power, metals, and solar products companies.
Earlier this year, the Justice Department filed indictments against seven Iranians who supposedly carried out distributed denial of service, or DDoS, attacks against US banks and apparently illegally accessing control systems at a small dam in Rye, N.Y.
In all four cases, the US government presented the accusations to the American public without supporting evidence. And, that's a problem. It's something that Mr. Trump has latched onto, casting doubts about Russia's involvement in recent attacks, and raising the level of skepticism whenever the US points the finger following cyberattacks.
"As far as the cyber, I agree to parts of what Secretary Clinton said. We should be better than anybody else, and perhaps we're not. I don't think anybody knows it was Russia that broke into the [Democratic National Committee]. She's saying Russia, Russia, Russia, but I don't – maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK? You don't know who broke into DNC," Trump said during the first debate.
And even after the US officially blamed Russia for the DNC hack, Trump said this during Sunday's presidential debate: "She doesn't know if it's the Russians doing the hacking. Maybe there is no hacking. But they always blame Russia."
While the idea of the 400-pound hacker has become a pretty humorous meme (see here and here) among information security professionals, Trump is actually onto something. As far as the American public can tell, since the US government hasn't revealed its evidence against Russia, China, or Iran, he might be right.
According to NBC News, a senior US intelligence official called Trump's statements willful misrepresentations, claiming that both candidates had been briefed on the situation. This may be true, but the US public hasn't received any briefings.
There's a long history of blaming "hackers" without evidence. In 1995, the government blamed famed hacker Kevin Mitnick for breaking into North American Aerospace Defense Command (NORAD). At the time, the claims seemed fanciful and were later proven false.
In 1999, British news reports blamed hackers for commandeering a military satellite and holding it for ransom. That turned out to be wrong, too. Richard Clarke, former US cyber czar, once claimed hackers knocked out power in Brazil. Yet, too much soot at an electric utility actually caused the blackout. Hackers have been blamed for everything from pipelines exploding to oil rigs tipping over. And, in case after case, further investigation revealed that hackers weren't involved.
In the corporate world, incident response teams follow up on breaches. They gather tons of evidence to determine how the attackers gained entry and how they siphoned off data. Evidence includes log files, Internet protocol (IP) addresses, network traffic, and malware samples. The experts examine evidence to determine how to fix security loopholes and keep other attackers from getting back into critical systems.
The job of placing blame for cyberattacks is usually left to law enforcement. But it's another matter altogether when it comes to blaming foreign nationals. That's a political maneuver. Formal declarations such as the one that came from Homeland Security and intelligence officials last week give politicians new reasons to rattle their sabers and stoke cybersecurity paranoia. But without evidence backing up these claims, the finger pointing is simply reckless and negligent.
Without facts, the US government is trusting the US public and the rest of the world to take their claims at face value. Yes, there could be tactical reasons not to reveal too much about how adversaries carry out their attacks, and too much information could even reveal how the US carries out similar operations abroad.
President Kennedy faced a similar dilemma in 1962. After military officials showed him top secret U2 spy plane photos that revealed a buildup of nuclear missiles in Cuba, Mr. Kennedy made the photos public, leaving little doubt about Soviet aggression.
Releasing the photos, which was done against the wishes of Kennedy's top national security advisers, compromised the operational security of the U2 program. But Kennedy felt it was a necessary compromise.
While I'm certain the four formal hacking attributions levied by the US government are accurate, facts should still accompany these claims. Otherwise, as far as the US public knows, Trump is correct: "It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds."