December 30, 2014

Obama Gambled, Lost U.S. Credibility On Cyber Claims

The Obama administration claims that North Korea was responsible for the Sony hack even though early analysis already pointed to an insider attack by a disgruntled former Sony employee.

The Obama claim is supported by some FBI mumble which includes a lot of conjecture but no real evidence. This FBI mumble, likely ordered by the White House, came after the FBI had earlier said that it had no evidence, zero that is, pointing to North Korea.

We said early on that claims of North Korean involvement are likely false. This is by now supported by many experts. A Politico piece from yesterday lists some of them:

Security expert Bruce Schneier called the evidence “circumstantial at best” and considered a number of other possible explanations. CloudFlare principal researcher and DefCon official Marc Rogers wrote that the FBI’s indicators seem to rely on malware that is widely available for purchase and IP addresses easily hijacked by any bad guy. Errata Security’s Robert Graham also noted the hacker underground shares plenty of code, calling the FBI’s evidence “nonsense.”

The above folks are some of the best in the information security business.

Security company Norse yesterday briefed the FBI on the results of its own investigation which clearly point to the insider responsible for the attack and to her helpers. But even after being briefed on real evidence the FBI is not taking back its false claim. Obama has publicly used the FBI subterfuge to blame North Korea and changing the story now would be too embarrassing for him.

It is for this reason that some anonymous "official" is now changing the story - again without any evidence - from "North Korea did it" to "North Korea hired someone who did it":

U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month's massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

This is even more laughable than the original claim.

The White House, likely the National Security Council under Susan Rice, screwed up on this issue. It wanted to pressure China by blaming its client North Korea for a hack which only in media fantasies had anything to do with that country. It ordered the FBI to come up with some "evidence" to support its attempts.

But attribution in cyberspace is a difficult if not hopeless issue and private researchers found indications in the real world that show that the alleged North Korean culpability is very unlikely.

It is not the first time that the U.S. has brought itself into such an awkward position. The Politico story quoted above includes as its second paragraph:

Even the unprecedented decision to release details of an ongoing FBI investigation and President Barack Obama publicly blaming the hermit authoritarian regime hasn’t quieted a chorus of well-qualified skeptics who say the evidence just doesn’t add up.

Pulling on the same comparison to the Saddam WMD claims that we made, Billmon reformulates that graph into:

Even the unprecedented decision to declassify details of Saddam's efforts to purchase Yellowcake Uranium ore and Secretary of State Colin Powell publicly blaming the crazed Iraqi dictator hasn’t quieted a chorus of well-qualified skeptics who say the evidence just doesn’t add up.

Hardly anyone serious will ever again believe the U.S. on Weapons of Mass Destruction claims after the Bush administration lied about WMDs in Iraq. Hardly anyone serious will ever again believe the U.S. on cyber attack claims after the Obama administration lied about the "Sony hack by North Korea".

This White House screw-up has, as law professor Jack Goldsmith writes, important consequences (emph. add.):

If the FBI mis-attributed the Sony hack, it will be more than an embarrassing mistake. Such a mistake might have led the United States to take action against the wrong target, and going forward it will significantly weaken U.S. attribution credibility. Indeed, even if the FBI’s attribution turns out to be right – will we ever know for sure? – its hesitation in the face of credible questions about its very thin public evidence will exacerbate the demand for publicly verifiable attribution before countermeasures (or other responses) are deemed legitimate. In this small but significant sense, the United States has lost a battle in the early days of cyber conflict.

This was not even a "battle" as there was no "enemy", just a disgruntled former Sony employee and some hacker folks who do not like Sony's harsh anti-piracy policies.

Obama risked - for no good reason - and lost U.S. credibility on anything it might ever want to, rightly or not, claim about cyber.

Posted by b on December 30, 2014 at 16:27 UTC