North Korean hacker indictment sparks attribution debates

With help from Eric Geller, Martin Matishak and Cory Bennett

THE STATE OF ATTRIBUTION — Last week’s indictment of a North Korean hacker has reignited old debates about the quality of attributing cyberattacks, the value of attribution and the consequences. Cybersecurity companies that long ago blamed North Korea for the Sony hack, speaking to BuzzFeed, claimed vindication against the “charlatans” who previously cast doubt that the hermit kingdom was behind the 2014 attack. The data is better now, the companies that believed North Korea was behind the attack said, and many of those who questioned Pyongyang’s responsibility are no longer working in the industry. Four years later, it’s no longer implausible to imagine a poor nation like North Korea carrying out cyberattacks.


But who needs to know, exactly, who’s responsible for a cyberattack? “The attribution can matter to some folks with intelligence requirements for it; that is generally not defenders,” tweeted Dragos’ Robert Lee. “Threat modeling, assessed/perceived intent, etc. don’t change with attribution. Attribution can be misleading as well compared to perceived intent.” The other perspective: “Attribution matters for defenders especially where it speaks to intent,” tweeted JD Work, Bren Chair for Cyber Conflict and Security at the Marine Corps University. “In this case, understanding adversary allowed for assessment of re-attack. Recovery prospects & plans would look very different under sustained campaigns at anything like a persistent op-tempo.”

Even if the U.S. is right about the hacker it charged, it’s problematic, contended Jake Williams, a former U.S. government hacker. “Charging Park Jin Hyok, (or any North Korean government hacker) as an individual is a human rights issue,” wrote Williams, the founder of Rendition Infosec. “Even assuming that the intrusions have been correctly attributed to Park, it’s important to note that Park had no choice in his actions.”

HAPPY MONDAY and welcome to Morning Cybersecurity! Your MC host will soon depart for vacation to New Orleans. Send food and fun recommendations, please, in addition to your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

FIND THOSE VULNERABILITIES — The ever-busy House Homeland Security Committee is back at it this week, marking up a pair of cybersecurity bills on Thursday. One (H.R. 6735), sponsored by Majority Leader and House Speaker aspirant Kevin McCarthy, would direct DHS to develop a vulnerability disclosure policy for people, companies and organizations that report security vulnerabilities on public department websites. DHS’s policy would include guidance on how to report security vulnerabilities, such as the legal structure under which they can be reported and how DHS will respond. The bill also says DHS must report to Congress annually on how many unique vulnerabilities it logs, and how swiftly the vulnerabilities were fixed. The second bill (S. 1281) comes over from the Senate, where Sen. Maggie Hassan has proposed creating a bug bounty program at DHS.

‘FEAR’ OF A CYBER PLANET — Bob Woodward’s new book, “Fear,” has more anecdotes on cybersecurity beyond President Donald Trump saying, essentially, “Go away, stop getting me into cyber wars while I’m watching golf.” One section goes into the evidence of Russia’s meddling in the 2016 election. The CIA believed it had six human sources that supported the conclusion Russia interfered, but another official that reviewed the intelligence estimated that only two of them were solid, Woodward reported.

Other sections shed light on the Obama administration’s approach to North Korea in cyberspace. President Barack Obama authorized several highly classified initiatives, including one permitting cyberattacks on the "command, control, telemetry and guidance systems before or during a North Korean missile launch," but the results were “mixed,” according to “Fear.” Some in the administration considered cyberattacks a “below-the-radar magic wand” to mitigate North Korea’s nuclear program. But according to Woodward, one senior Cabinet official told Obama that if the U.S. got aggressive, there were no assurances the U.S. could withstand a counter cyberattack, prompting administration lawyers to protest and stymying further options.

CLOSE BUT NO CIGAR — Democrats’ and Republicans’ House campaign committees recently failed to reach an agreement on a prohibition against using hacked documents in campaigns. The deal fell apart, according to media reports, after the National Republican Congressional Committee accused its Democratic counterpart of breaching confidentiality rules by prematurely discussing the agreement. (In fact, the NRCC chairman had already discussed the talks three months ago.)

A major sticking point, according to The New York Times, was whether candidates and committees should be free to use hacked documents that were first reported by journalists. “Republicans argued that such material had to be fair game and that to ask candidates not to seize on news reports was unnecessarily prohibitive,” the Times reported. “Democrats countered that any agreement would be toothless without such a provision.”

The Democratic Congressional Campaign Committee and its candidates will respect the guidelines that were in the latest version of the stalled deal, according to the committee. Those rules, according to the Times, “included a pledge not to aid hacking efforts, not to seek out hacked or stolen materials, and to report any contacts with foreign actors to law enforcement authorities.”

LEADING THE WAY — Colorado’s election security program is a model for other states, Secretary of Homeland Security Kirstjen Nielsen said late last week during an appearance at the state’s election-day cyberattack tabletop exercise in Denver. “We'd love to continue to use you as an example of what other states can adopt,” she said, according to The Associated Press. On Twitter, Nielsen added that “our elections will be more secure because of the work we are doing together.” Colorado’s tabletop exercise included such simulated crises as “a report that an 11-year-old girl in Los Angeles had managed to hack into Colorado’s election system, flipping votes” and “a ballot machine being hacked and ballots from people whose name end with Z being deleted,” according to the local news source Denverite. More than 200 people attended the exercise, including officials from 63 of Colorado’s 64 counties, plus observers like New Jersey Secretary of State Tahesha Way and New Mexico Secretary of State Maggie Toulouse Oliver.

BRING THE RECEIPTS — The Pentagon’s inspector general and the watchdogs of three service branches have begun an audit of the agency’s new approach to authorizing IT systems, the department’s IG announced last month. “The audit objective is to determine whether DoD Components are leveraging cybersecurity reciprocity to reduce redundant test and assessment efforts when authorizing information technology through the Risk Management Framework process,” the memo states. The Pentagon IG will examine the issue within the department, while the service watchdogs look at their individual branches. Eventually, every office will publish a “capstone report” with recommendations.

RECENTLY ON PRO CYBERSECURITY — A GOP lawmaker released the text of legislation that would codify federal regulators' data breach notification standards for the financial services industry and preempt state-by-state requirements. … Georgian authorities extradited a Russian hacker to the U.S. to face charges for a wide-ranging hacking campaign.

TWEET OF THE DAY — Sanity: it’s refreshing!

PEOPLE ON THE MOVE

— The National Association of State Technology Directors announced new leadership late last week. John Hoffman, chief technology officer for the Texas Department of Information Resources, will become NASTD president. Brad Steele, director of unified communications for Massachusetts, will take over as vice president. Victoria Wallis, strategic project manager for the Iowa Communications Network, will serve as NASTD secretary/treasurer.

The group also named its executive board: Andy Ogan, network operations manager, South Dakota, Western Region president; Dawnna Pease, director of enterprise hosting, Maine, Eastern Region president; Robert Simms, director networks and telecommunication, Missouri, Midwestern Region president; Pat Snow, acting chief information officer, South Dakota, immediate past president; Ben Venable, director of network engineering, Alabama, Southern Region president.

QUICK BYTES

— Many voting machines in use this fall will run on “ancient software.” NBC News

— Washington, D.C., hasn’t spent any of its election security grant dollars because the City Council hasn’t taken action. WUSA9

— Florida’s secretary of state feels good about election security heading into the general elections. ABC7

— A ransomware attack at the Transportation Department prompted a bug-hunting program. Nextgov

— “Dozens of popular iPhone apps caught sending user location data to monetization firms.” TechCrunch

— “Popular Mac Anti-Adware App ‘Surreptitiously Steals’ Your Browsing History, Researchers Say.” Motherboard

— Italy is worried about Russia as a cyber threat, but doesn’t want to escalate tensions because of its trade partnership. CNBC

— German reinsurance company Munich Re predicts the cyber insurance market will double by 2020. Phys.org

— More from Estonia’s new cyber ambassador. The Wall Street Journal

That’s all for today.

Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
