Opinion: United States dependence on private firms to apply attribution could lead to private security firms labeling other states and firms within target states as bad actors.
While reading an old article from vice.com (exact article escapes me at present), I was presented with a rather troubling reality. The United States, despite having a formidable Department dedicated to Cybersecurity, relies on private firms to apply what is called Attribution.
It is argued that the United States does this to conceal and obfuscate its cyber defensive and offensive capabilities. However, this presents a number of possibilities, most of which, in my opinion, are on a sliding scale of not good to bad to terrible.
The not good: during the 2016 election year, the DNC was hacked. Most likely a phishing turned whaling. The Special Counsel investigation would go on to implicate the GRU, which, if you were to draw a direct comparison to the US, would be the US Defense Intelligence Agency.
The GRU’s involvement was assessed and attributed by several private cybersecurity firms including (quoted directly from wiki) CrowdStrike, Fidelis Cybersecurity, FireEye’s Mandiant, SecureWorks, ThreatConnect, Trend Micro, and the security editor for Ars Technica.
It is my personal opinion that there was a little bit of insider complicity within the DNC in addition to and beyond the phishing, but the point is, private cybersecurity firms’ assessments were validated by the US federal government. How far can this actually go?
The bad: The Vice article brought up an interesting point. In this increasingly growing industry, how far will cybersecurity firms go to get their klout (aka their name in lights)? Of course I’m paraphrasing, but it’s a legitimate concern. Hackers, private and state-sponsored, are a mixed breed. White hats want the credit; black hats of course want to conceal their identities. Yet how easy would it be to create a piece of malware, distribute it and lay the blame on someone else?
The terrible: Nations will categorically deny all cyber attacks. There are notable exceptions like the Turkish nationalist hacker group AYYILDIZ TIM and the Syrian Electronic Army, who clearly stand by their attacks. However, even Iran doesn’t claim APT33, and North Korea continues to deny involvement in cyberattacks including the Sony Pictures hack.
If 2016 to 2020 has taught us anything, it taught us to affirm our belief in the power of information, knowledge and, to an extent, the truly viral pandemic of public opinion, especially when cosigned by celebrity or people of influence. It is this recipe that has labelled an elderly billionaire as 2020 Cobra Commander. By that same token, the United States’ freedom of information has allowed entire swaths of communities to be driven to division. People are being targeted individually, their lives and livelihoods destroyed.
In my opinion, if the world has the misfortune of seeing a third world war, cyber warfare will have had a hand in causing it as well as an essential part in the ongoing of it. More immediately, however, what would stop a less than honest cybersecurity firm from creating a scenario where a rival firm is made to be the perpetrator of a malware distribution, DDoS attack or even a high-profile phishing campaign?
If the federal government and news media get behind such a frame-up, the dishonest firm is validated and legitimized while the victim firm is reduced to cinder. Ergo, Salem witch trials, but for cyberfirms.
Do I truly believe that cybersecurity firms are going to resort to throwing each other to the wolves for recognition and career advancement? The answer would be not really, with a touch of cautious maybe. At the end of the day, 90 percent of the IT men and women I personally know are good people with decent lives. Granted, I do know a few weirdos with some rather screwy, squirrelly blackhat ideas. However, these aren’t programmers; these are script kiddies confined to low-level griefing attacks on Second Life and other local server gaming environments. All of whom I keep around to remind myself to not be an idiot.
Real skill, the skill that truly makes headlines, calls for a mind mature enough to know when they’re in over their head. And you’re not going to run a cybersecurity firm as a moron. The political and media environment, however, makes a state-sponsored frame-up easier than ever. A viral tweet or Facebook Live of an event, staged or authentic, can destroy decades of a well-built life in minutes.
The battlefield is your mind. Arm yourself.