19 December 2014
My Twitter feed has exploded with lots of theorizing about whether or not North Korea really hacked Sony. Most commentators are saying "no", pointing to the rather flimsy public evidence. They may be right—but they may not be. Worse yet, we may never know the truth.
One thing is quite certain, though: the "leaks" to the press about the NSA having concluded it was North Korea were not unauthorized leaks; rather, they were an official statement released without a name attached. Too many major news organizations released their stories more or less simultaneously. To me, that sounds like an embargoed press release. (One is tempted to imagine multiple simultaneous brush passes from covert operatives to journalists, but I suspect that emails and/or phone calls from individuals known to the reporters are much more likely.)
Before going further, let me add a disclaimer: I have no idea if North Korea is actually involved. I also have no idea how the intelligence community actually did come to its conclusions. What follows is speculation, not fact.
Nick Weaver has given a good explanation of how the NSA could have made the determination, just based on SIGINT. However, it wasn't necessarily done by SIGINT alone. Suppose, for example, that the CIA (or perhaps the South Koreans) had an agent in North Korea's Unit 121. In an era when the head of foreign operations for Hezbollah was supposedly a double agent for the Mossad and the CIA had a mole in Cuban intelligence, one can't rule out such scenarios.
There are many more possible ways to do attribution (I like this one), but most are based on sensitive sources and methods. Translation: they're not going to tell us, and they're right not to do so.
It's also very possible that their attribution is simply wrong:
In the words of a former Justice Department official involved with critical infrastructure protection, "I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt."People can jump to conclusions. Worse yet, in intelligence (and unlike the criminal justice system), you never get proof beyond a reasonable doubt, and that's even if you're being honest. If someone doesn't like your answers and wants better ones— well, think Iraqi WMDs. Besides, there's always the chance that the government is lying.
Let me sum up.
- Drawing positive conclusions from the public evidence is
incorrect. The NSA and the CIA may (or may not) have many other details
they'll never disclose. The much-ballyhooed language setting, for example, is
completely useless. Externally observable behavior and behavioral or
code similarities to other attacks can be more useful.
(See Kim Zetter's
book on Stuxnet
for a description of how some of the forensic analysis was done, e.g.,
don't rely on compilation dates, but do look for when a file was uploaded
to a virus company's database.)
- Similarities (and especially reuse)
of code, infrastructure, and techniques to other
attacks can be a very strong indicator. The FBI
cite exactly these aspects in their overt press release
blaming North Korea.
- There are many other information sources that intelligence
agencies use. We don't know what they are, and they won't tell us.
- They could still be wrong—but we probably won't know why.