Dear Congress: You will not solve the Attribution problem by creating a temporary Committee to Investigate the DNC Hack
According to CNBC, the latest news from Washington indicates that long-time Senators John McCain (R-AZ) and Charles Schumer (D-NY) are pushing for the creation of a select committee to ensure that congressional focus is directed at investigating the hacking of Democratic Party emails during the Presidential campaign.
This is fascinating. Two years ago we witnessed the Office of Personnel Management (“OPM”) as it tried to perform damage control in the aftermath of a large-scale exfiltration that affected upwards of 22M records. Then, as now, the problem is exacerbated by the attribution problem, or rather the lack of attribution. For the non-technical types, attribution is “figuring out who the bad guys were (or are).” In the case of high-profile incidents such as the Sony Hack or the OPM data breach, we may hear rumors here and there, some coming from unnamed sources, providing cryptic comments such as “most likely the hacking originated from a nation-state” or other similar verbiage. What that really means is that either the methods employed or the ability to operate undetected for a given period of time indicates a level of sophistication that only a large state-based actor with significant resources, expertise (and patience) could have achieved.
So, going back to the OPM data breach, do we know who did it? There have been the usual suspects, but nothing definitive stating where the attacks originated from and who carried them out. We are talking about sensitive information related to background investigations (e.g. SF-86 forms), very detailed and potentially damaging intelligence that was exfiltrated from within the government itself. So, we still have not ascertained who was responsible and certainly have not launched public counter-strikes. Even after a lengthy investigation, committee hearings, and testimony from OPM personnel, we have no definitive answer; yet we should somehow infer that the DNC investigation will bear more fruit?
When you look at the OPM hearings and see the level of subterfuge employed by OPM to attempt to diminish the magnitude of the breach, you begin to realize that these committee hearings become a lengthy and arduous process. In the end these hearings produced reports such as “OPM Data Breach: How the Government Jeopardized our National Security for More than a Generation,” which took a year to compile and comes in at just over 240 pages. In the final analysis, after all the hearings, the testimony, and this voluminous report, it still seems that we cannot definitively say exactly “who” did this. However, we are led to believe that if we put together a special “single-purpose cyber committee,” whose sole mandate is to investigate the DNC hack and “put focus on it,” we will somehow get answers to our questions?
How about this, Senators: form a committee to determine why cybersecurity hygiene continues to receive short shrift. To determine why sensitive data continues to remain unencrypted and transmitted over insecure mediums. To determine why the human element continues to be the weakest link in the cybersecurity chain, and yet we continue to put time and effort into forming committees instead of allocating money to training and educational efforts. If I thought this “committee” was going to get to the bottom of the DNC hack, tell us once and for all exactly “who” was behind it, and develop meaningful recommendations to prevent future breaches, then it would seem worthwhile; however, that is highly unlikely.
The analogy I draw is this: suppose society developed special investigative teams that had no actual lawful authority. Suppose these same teams investigated crimes on a one-off basis, then drafted verbose reports describing what they discussed and talked about, what they hoped to learn, and, in a very brief section, what they actually learned (if anything). Would there be any value in establishing such teams? No! This is the current “special” committee; it exists as a feel-good placebo to show we are “doing something.” All the while we are actually doing nothing. This approach won’t provide meaningful input to understanding or preventing breaches; it will simply look at a very specific incident, and since the attribution problem remains ongoing, we will end up knowing a little more about the “what” and little if anything about the “who.”
Certainly, when we discuss engaging in offensive cyber operations to put the perpetrators on notice, we must remember that offensive cyber as a form of deterrence is only effective if we can figure out who the perpetrators are. Just as we should not engage in kinetic operations without a certain confidence level, so too should we not engage in cyber operations based on popular opinion or an “I think they maybe could have been responsible” approach.
So, skip the committee and spend the time bringing some people to the Senate floor who actually have a clue about cybersecurity and can help you craft legislation that will protect data, instead of wasting your time building committees to tell us what we already know (there was a breach, and we can’t say definitively who did it).