Ben Buchanan is a postdoctoral fellow at Harvard Belfer Center’s Cyber Security Project and author of “The Cybersecurity Dilemma: Hacking, Trust, and Fear between Nations.”
When WikiLeaks dropped its latest trove of documents on Tuesday — this time revealing CIA hacking operations — it highlighted an effort code-named “UMBRAGE.” A WikiLeaks tweet said, “CIA steals other groups virus and malware facilitating false flag attacks.” The group described how the program “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states,” as a way to “misdirect attribution” of a break-in. Attribution was once the subject of spirited academic debate, yet figuring out who is behind a computer hack has never been as essential a topic as it is now.
The stakes here are high. If attribution were impossible, it would call into question the investigations into many major cyber incidents, including most prominently the 2016 hack of the Democratic National Committee. Some have suggested that this leak warns of the possibility of “CIA-created counter-espionage designed to implicate Trump” — in effect alleging that it wasn’t the Russians who hacked the DNC, but the CIA. At a time of tension between the intelligence community and the White House, and with ongoing investigations into illicit Russian influence on the 2016 election, the usually technical matter of attribution has acquired great political importance.
The reality of attributing cyber attacks is more complex than the conspiracy theories suggest. Instead of undercutting the attribution of previous hacks, a closer look at UMBRAGE and its limits underscores the strength of the evidence in the DNC hack investigation.
Along with Thomas Rid at King’s College London, I spent a year examining what goes into attribution. Our study included interviews with major cybersecurity companies and current and former members of multiple intelligence services. It quickly became apparent that attribution rarely rests on one piece of data alone. Rather, it is a process of assembling and analyzing a wide range of evidence, much like a criminal investigation, especially one from the days before DNA technology. In a sound forensic investigation, the attribution conclusion rests on many independent factors.
The tools used by the hackers are one part of the analysis, to be sure. So is the attackers’ pattern of life, meaning when they are active and when they are not. The Justice Department’s indictment of five Chinese hackers noted that they worked 9-to-5 Shanghai time and took an hour off for lunch, while previous FBI scrutiny of a group of Russian hackers concluded that they worked Moscow hours and paused for Orthodox Christmas. The computers used to launch a hacking operation are another key factor in forensic investigations, because they are often reused between operations. And intelligence agencies often rely on their own hacking efforts, as well as human sources, to get a better read on the intentions behind an attack. It is reported that this kind of intelligence collection was one of the reasons the United States was so confident that it was North Korea that attacked Sony Pictures Entertainment in 2014.
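To make the pattern-of-life clue concrete, here is an added example of how an analyst turns a pile of attacker timestamps into a working-hours inference. It is illustrative code written for this piece, not code from the author, the study, or any investigation mentioned above. It assumes a conventional office day (09:00 to 17:59, Monday to Friday, with a quiet hour at noon), and the activity timestamps it scores are constructed for the example, generated to mimic an operator keeping UTC+8 hours; nothing here is real telemetry from any case.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed working-day model for this example (a hypothetical convention,
# not a standard): weekday office hours with a lunch-hour dip.
WORK_HOURS = range(9, 18)   # 09:00-17:59 local time
LUNCH_HOUR = 12             # expect a hole in activity here
WEEKDAYS = range(0, 5)      # Monday=0 .. Friday=4


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def work_fit(events, offset_hours: int) -> float:
    """Fraction of events that land on a weekday inside office hours (lunch
    hour excluded) when the UTC timestamps are viewed in UTC+offset_hours."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if (local.weekday() in WEEKDAYS
                and local.hour in WORK_HOURS
                and local.hour != LUNCH_HOUR):
            hits += 1
    return hits / len(events)


def rank_offsets(events):
    """Score every whole-hour UTC offset from -12 to +14, best fit first.
    Returns a list of (offset_hours, fit) tuples."""
    scores = {off: work_fit(events, off) for off in range(-12, 15)}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def best_offset(events) -> int:
    """The UTC offset under which the activity looks most like an office week."""
    return rank_offsets(events)[0][0]


def hourly_histogram(events, offset_hours: int) -> Counter:
    """Events per local hour of day; a lunch break shows up as a hole at 12."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events)


# --- Constructed sample input (not real telemetry) ---------------------------
def _constructed_events():
    """One event per working hour across 7-11 March 2016 (a Mon-Fri week),
    generated to mimic an operator keeping 09:00-18:00 UTC+8 hours with an
    hour off at noon, plus two stray events so the signal is not perfectly clean."""
    tz_plus8 = timezone(timedelta(hours=8))
    out = []
    for day in range(7, 12):
        for hour in (9, 10, 11, 13, 14, 15, 16, 17):
            local = datetime(2016, 3, day, hour, 20, tzinfo=tz_plus8)
            out.append(local.astimezone(timezone.utc))
    out.append(parse_utc("2016-03-12T02:05:00Z"))  # Saturday 10:05 in UTC+8
    out.append(parse_utc("2016-03-09T15:40:00Z"))  # Wednesday 23:40 in UTC+8
    return out


EVENTS = _constructed_events()

if __name__ == "__main__":
    for off, fit in rank_offsets(EVENTS)[:5]:
        print(f"UTC{off:+d}: {fit:.2f}")
    hist = hourly_histogram(EVENTS, best_offset(EVENTS))
    print("local-hour histogram at best fit:", sorted(hist.items()))
```

Run as written, the script ranks UTC+8 first and shows the empty hour at noon, which is the shape of the Shanghai clue in the indictment. Two caveats are exactly the article's point. An offset is a longitude band, not a country: UTC+8 also covers Perth, Singapore and Manila. And an operator who controls the clock on the machine producing the timestamps, or who schedules activity, can shift this signal at will, which is why a working-hours pattern corroborates an attribution rather than carrying it.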
All this brings us back to UMBRAGE. From the leaked documents, it is not even clear that the CIA was reusing entire hacking tools; it may just have used snippets of code to borrow certain techniques. At most, UMBRAGE could be an effort to throw off one factor in the attribution investigation that would inevitably follow if a CIA hacking operation were exposed. If investigators relied only on that one element, UMBRAGE might have enabled successful misdirection. For intelligence analysts and reporters writing about hacking, the program is another good reminder about the importance of corroborating evidence.
But such a hypothetical one-dimensional analysis is what poor attribution looks like. It’s also implicitly a reminder of how solid the evidence is that Russia hacked the DNC. In that case, there’s strong substantiation not just of the reuse of tools and techniques between operations, but also of the reuse of hacking infrastructure. It seems the same computers that were used to break into the DNC were also used against other targets, such as the German Parliament — all cases attributed by a variety of investigators to Russia. The computer security community has been following these particular Russian hacking groups for years, and the DNC hack easily fits the pattern. The U.S. intelligence community’s “high-confidence” assessment adds still greater weight to this view.
In fields as nebulous as cybersecurity and intelligence, it’s tempting to conclude that everything is uncertain and nothing is knowable. One piece of data should never carry an entire investigation, and we now have more evidence that the CIA tries to mislead forensic analysts. But when a full pattern of evidence emerges with only one clear conclusion, disregarding it is nothing more than willful ignorance.