Dear Congress: You will not solve the Attribution problem by creating a temporary Committee to Investigate the DNC Hack

According to CNBC, the latest news from Washington indicates that long-time Senators John McCain (R-AZ) and Charles Schumer (D-NY) are pushing for the creation of a select committee to ensure that congressional focus is directed at investigating the hacking of Democratic Party emails during the Presidential campaign.

This is fascinating. Two years ago we witnessed the Office of Personnel Management (“OPM”) as it tried to perform damage control in the aftermath of a large-scale exfiltration that affected upwards of 22M records.  Then, as now, the problem is exacerbated by attribution or rather the lack thereof.  For the non-technical types, attribution is “figuring out who the bad guys were (or are).”  In the case of high-profile incidents such as the Sony Hack or the OPM data breach, we may hear rumors here and there, some coming from unnamed sources, providing cryptic comments such as “most likely the hacking originated from a nation-state” or other such similar verbiage.  What that really means is that either the methods employed or the ability to operate undetected for a given period of time indicates that the level of sophistication required could only have been performed by a large state-based actor with significant resources and expertise (and patience).

So, going back to the OPM data breach, do we know who did it? There have been the usual suspects but nothing definitive stating where the attacks originated from and who carried them out. We are talking about sensitive information related to background investigations (e.g. SF-86 forms), very detailed and potentially damaging intelligence that was exfiltrated from within the government itself. So, even after a lengthy investigation, committee hearings, and testimony from OPM personnel, we still have not ascertained who was responsible and certainly have not launched public counter-strikes. Yet we should somehow infer that the DNC investigation will bear more fruit?


When you look at the OPM hearings and see the level of subterfuge employed by OPM to attempt to diminish the magnitude of the breach you begin to realize that these committee hearings become a lengthy and arduous process. In the end these hearings produced reports such as the “OPM Data Breach: How the Government Jeopardized our National Security for More than a Generation” which took a year to compile and which comes in at just over 240 pages.  In the final analysis after all the hearings, the testimony, and this voluminous report, it still seems that we cannot definitively say exactly “who” did this.  However, we are led to believe that if we put together a special “single-purpose cyber committee” whose sole mandate is to investigate the DNC hack and “put focus on it” we will somehow get answers to our questions?

How about this, Senators: form a committee to determine why cybersecurity hygiene continues to receive short shrift. To determine why sensitive data continues to remain unencrypted and transmitted over insecure mediums. To determine why the human element continues to be the weakest link in the cybersecurity chain and yet we continue to put time and effort into forming committees instead of allocating money to training and educational efforts. If I thought this “committee” was going to get to the bottom of the DNC hack, tell us once and for all exactly “who” was behind this, and develop meaningful recommendations to prevent future breaches, then it would seem worthwhile; however, that is highly unlikely.

The analogy I draw is this: suppose society developed special investigative teams that had no actual lawful authority, and these same teams investigated crimes on a one-off basis, then drafted verbose reports that discussed what they discussed and talked about, what they then hoped to learn, and included a very brief section which indicated what they actually learned (if anything). Would there be any value in establishing such teams? No! This is the current “special” committee; it exists as a feel-good placebo to show we are “doing something”. All the while we are actually doing nothing. This approach won’t provide meaningful input to understanding breaches or preventing breaches; it will simply look at a very specific incident, and since the attribution problem remains ongoing we will end up knowing a little more about the “what” and little if anything about the “who.”

Certainly, when we discuss engaging in offensive cyber operations to put the perpetrators on notice, using offensive cyber as a form of deterrence is only effective if we can figure out who the perpetrators are. Just as we should not engage in kinetic operations without a certain confidence level, so too should we not engage in cyber operations just based on popular opinion or an “I think they maybe could have been responsible” approach.

So, skip the committee and spend the time bringing some people to the Senate floor that actually have a clue about cybersecurity and can help you craft legislation that will protect data instead of wasting your time building committees to tell us what we already know (there was a breach and we can’t say definitively who did it).
