Security pros are their own worst enemy
- 06 January, 2017 04:31
This should be security professionals’ moment, but we don’t seem capable of enjoying it.
For years we’ve wanted people to listen to us and to give cybersecurity the attention it deserves. We’ve screamed that cybersecurity failures can have real-world consequences. We were ignored when we called out the U.S. government for inadequate security after Russia hacked the Pentagon, the State Department and the White House.
Now that Russian hackers had a hand in the U.S. presidential election, though, the world is ready to listen to us. And what they’re getting is an earful as we mock each other, confusing everyone in the process by acting as if Russia never hacked a thing in the past, never used disinformation as a top strategy, and is just an innocent victim of politics.
We have security professionals questioning the findings of the top commercial organizations in the field, all of which agree with the conclusion that Russia hacked the political organizations and people in question. The entire U.S. intelligence community, the Senate leadership and Speaker of the House Paul Ryan go even further in concluding that Russia did this to try to influence the outcome of the election in favor of Donald Trump. The critics say they want to see proof. But security professionals have always understood that not everything in these situations can be released. We have always trusted our peers and the experts in the field who work the problem 24/7 to do what needs to be done.
That’s why security professionals didn’t second-guess those earlier reports about Russian hacking and never challenged the 2009 Wall Street Journal article about Russia, China and others hacking the power grid. We didn’t question the reports from SecureWorks, Mandiant, Fidelis (IBM) and CrowdStrike, which have hundreds of years of combined experience in tracking, investigating and responding to advanced attacks from nation-states against governments and other organizations.
Now, though, there are doubts aplenty. Doubts themselves aren’t a problem; good security professionals should always cast a dubious eye toward reports and findings. But they also need to recognize when misgivings are misplaced. In the case of Russian intrusion into the election, no organization that actually investigated the hacks has dissented from the opinion that Russia was involved, and there is even bipartisan consensus on that in the political realm. It’s worth noting, since intelligence failures ahead of the Iraq invasion have been mentioned, that on the question of Iraq’s possession of weapons of mass destruction, there were many dissenting opinions — and unlike in this case, they were from people with firsthand knowledge.
Look, for example, at the efforts to discredit the analysis of CrowdStrike concerning the hack of the Democratic National Committee. Some security professionals are saying, “Anyone could have found and used the malware.” But if they read the report from CrowdStrike, they would see that there were significantly more indicators than a single piece of malware. Very thorough analysis was performed.
Then there is the reaction to the Joint Analysis Report issued by Department of Homeland Security and the FBI on the election. Critics say that the JAR does nothing to prove that Russia committed the attacks and that the data is not clear. But that’s not the point. The report specifically says, “This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.” It does not say it is providing any proof about who perpetrated the hack. It is intended to provide information to help people determine whether they might have also been a victim of a compromise.
Many people said the data in the JAR was unusable, and for them it is. To properly use the report, you need to understand that it is more a tool for threat hunting than a direct indicator of a hack. For example, many critics say the list of IP addresses provided in the JAR is not a clear indicator of an attack. That’s true, but there is no claim that the list is supposed to do that; it is merely intended to provide a way for administrators to narrow down a search for potential attacks. Minimally, the publication of the IP addresses will cause adversaries to change their infrastructure, thus disrupting some of their activities.
I completely agree that the JAR could have been a better tutorial. It states that it provides details of how Russian intelligence agencies commit their hacks, but it is a trivial description of those attacks at best. Nonetheless, it’s still valuable, and it was instrumental in finding the presence of malware on a laptop owned by Burlington Electric in Vermont.
But that story has become just another bone of contention.
Many security professionals are downplaying the reports, saying the laptop wasn’t connected to the power grid and the malware was detected on a single system. These are the same people who have always bemoaned how “stupid users” infect their computers with malware and then go onto infect the rest of the network. It seems like collective amnesia.
Some security professionals seem to believe that in the absence of a personal briefing from the FBI, all claims of Russian involvement should be disbelieved. But if they’re not going to accept the word of the organizations that do such analysis for a living and have access to the actual data, if they’re going to discount the opinions of the top Republicans in government who have access to the classified data, and if they’re going to doubt every agency in the U.S. government with access to the information, then they are unlikely to be convinced even if Vladimir Putin were to inform them personally that he ordered the attacks.
Questioning is good, but cynicism and being publicly dismissive by default is dangerous. This is especially true given the complete unity of opinion by all of the established organizations in the security field, that have reached the conclusion with full access to the data and their decades of combined experience. It calls the whole profession into question. And the world, suddenly interested in what security professionals have to say, doesn’t know who is right or wrong and instead stops listening. Ironically, this is what Putin wants: a population that doesn’t know what to believe or whom to turn to. Well played, President Putin.