The FBI, North Korea and the future of cyber investigations
Experts questioning the FBI's presentation of evidence against North Korea argue that making an arguably ambiguous case is counter-productive to U.S. efforts to build norms in cyberspace.
New York City -- The FBI is certain North Korea was behind the massive hack of Sony Pictures, and has laid out more evidence to support the allegation this week. But some cybersecurity experts interviewed by FCW, including one working in government, say what they feel is the ambiguous nature of evidence presented by the FBI hurts the credibility of the investigation. North Korea may have very well been behind the hack, they say, but revealing partial evidence only leads to more doubts.
In a Dec. 19 statement, the FBI said it found clues pointing to North Korea as the culprit of the Sony hack in "specific lines of code, encryption algorithms, data deletion methods and compromised networks." The bureau went further this week, with Director James Comey saying that the hackers had disclosed their IP addresses after the hack and those addresses were exclusive to North Koreans.
FBI officials have stressed repeatedly that outside experts are dealing with only a limited pool of evidence rather than the full spectrum of classified information in federal investigators' hands. Some experts are countering by saying: Either show us more or don't share at all.
Whatever evidence the FBI "had up front that wasn't directly classified should have been revealed," Robert M. Lee, a digital forensic specialist and Ph.D. candidate at King's College London, told FCW.
Among the evidence used by the FBI, for example, was analysis from Mandiant, a cybersecurity firm hired by Sony Pictures after the hack. Lee, who is an active-duty Air Force cyber warfare operations officer, believes that the FBI should have made that non-classified analysis public. Were FBI investigators to cite their analysis methods, he said, it would be clearer to independent experts how they arrived at their conclusion of attribution.
The technical evidence laid out by the FBI in its Dec. 19 statement is "convoluted" and not proof of attribution to cybersecurity experts, Lee said in a phone interview. He stressed that he does not necessarily think an actor other than North Korea is responsible, but disagrees with the presentation of evidence.
However, Shawn Henry, president of CrowdStrike Services and a former executive assistant director of the FBI, believes that there is little to be gained from the FBI going beyond the evidence it has presented.
"Quite frankly ... in my opinion, this is a national security matter, and I don't see any reason that the [U.S. government] has to come out [and] emphatically provide the truth to the public," he said.
Henry said that transparency is indeed important, but that total transparency is not practical -- and that in this case the U.S. government need not go further than the evidence already presented to win over skeptics.
Circumstantial vs. SigInt
FBI officials have said U.S. intelligence agencies assisted in the investigation, which raises the possibility that the National Security Agency's vast intelligence-collection capabilities have been brought to bear. Nicholas Weaver, a computer scientist at the International Computer Science Institute, recently speculated that an NSA program to analyze Internet traffic could have been used to track the Sony hackers.
The evidence offered to date, meanwhile, is "all circumstantial" and not very convincing, said Marc Rogers, principal security researcher at CloudFlare Inc. and a former hacker. Attribution in cyberattacks is an immensely difficult thing, he said. "The advantage is to the attacker. There are so many ways that I can disguise my connection and mislead an investigator and apply counter-forensics."
For Rogers, if the FBI indeed drew on the NSA's vaunted signals intelligence capabilities to finger North Korea, they would be better off just saying so rather than citing what he sees as ambiguous evidence like the type of malware used by the hackers.
A cross-agency consensus
Comey and other FBI officials have gone on the offensive this week in blaming North Korea for the hack, speaking at some length at a cybersecurity conference at Fordham University in New York. And while none of them would discuss the signals intelligence question, they did reveal a bit more about the broader investigative methods.
Joe Demarest, assistant director of the FBI's Cyber Division, told reporters Jan. 8 that the investigation included a sub-team of a dozen officials from the CIA, Department of Homeland Security, the FBI, the NSA and the Defense Department. That team was charged with considering various hypotheses about who was responsible for the hack, including nation states, criminal organizations and "hacktivists." The officials, however, came to the unequivocal conclusion that it was "clearly North Korea or a proxy put up by North Korea" responsible for the cyberattack.
In a separate gaggle with reporters, Assistant Attorney General for National Security John Carlin said the Justice Department would consider whether to pursue indictments of North Korean actors they allege are responsible for the hacking. He declined to comment, however, when asked by FCW about the outside experts' questions and concerns regarding the publicly cited evidence.
Clarification: A sentence was added to make clearer Shawn Henry's position on whether the FBI needs to present more evidence to the public.