Director of National Intelligence James Clapper.
Photo by Petty Officer 2nd Class Richard Brahm, courtesy the U.S. Coast Guard Academy.
Intelligence agencies and technology experts frequently display a common approach to journalists: saying “take our word for it.”
Unfortunately, journalists frequently do just that.
This tendency explains a lot of the reporting on Russian internet activity, especially related to the recent presidential election. The Department of Homeland Security and the FBI say they have concluded that Russian-sponsored hackers were responsible for the breach at the Democratic National Committee and the leak of John Podesta’s emails, along with a variety of other incidents before and after the election. The House Intelligence Committee says that they’re sure because the intelligence agencies are sure. Many journalists report that the evidence is good, because after all, the intelligence community says so.
Everyday Americans, meanwhile, don’t know much about why the intelligence community thinks they know what they know. But because the agencies think they know it, many people take as a given that they must be correct – and that the Russians are busy on many other fronts to boot.
The recent reaction to an incident in Vermont illustrates how far the tendency to automatically blame Russia has reached. At the end of December, computer code associated with the hacking operation code-named “Grizzly Steppe” was found on the laptop of a Burlington Electric Department employee. The first version of The Washington Post’s coverage of the incident said outright that Russian hackers had penetrated the U.S. electric grid. The corrected version clarified that the malware-infected laptop was not connected to the grid system, as per the statement released by the Vermont utility. Two days later, the paper reported that the employee’s computer had connected to a reportedly suspicious IP address, but although the address had been associated with the DNC hack, traffic with that address is also found across the country and could easily be totally benign. As for the malware, authorities have said the particular package does not appear to be connected to Grizzly Steppe in any way, and it is not yet clear how it got on the laptop.
What the Post called “the murkiness of information” on the technical aspects of the attack illustrates another problem: the balance between providing information basic enough to be broadly useful and not so broad as to create a string of false positives. Robert M. Lee, chief executive of the cybersecurity firm Dragos, released an in-depth critique of the recently released Joint Analysis Report from the DHS and the FBI, which the government intended to give network defenders the tools to combat Russian hacking techniques. “That report offered no technical value for defenders,” Lee said.
For instance, at least 30 of the IP addresses that the joint report flags as potentially malicious are those of commonly used sites, such as Amazon’s servers or public proxy servers used to mask a user’s location. An IP address for incoming traffic in isolation is simply not useful, several cybersecurity experts noted. One security expert compared the report to a child’s activity center.
Even cybersecurity experts who are fairly certain about Russian involvement in the DNC and Podesta hacks talk largely in broad strokes, or focus on motivational clues that point to Russia, in speaking to the press. Of course, this is somewhat reasonable in that the average American lacks the technical knowledge to follow highly detailed explanations. But that also leaves us with little evidence beyond “because I said so” documents, such as the DHS and FBI’s recent joint report.
A similar critique of the too-broad technical details comes from Leonid Bershidsky. Bershidsky is a Russian-born journalist, currently based in Berlin, who writes for Bloomberg. In a recent column, he pointed out that the YARA rule – a bit of code used to identify malware – provided by the joint report is meant to identify a particular piece of software designed to make hacking operations look legitimate. Yet that software was freely available online as recently as a couple of weeks ago. The software was said to be made in Ukraine, though as Bershidsky pointed out, simply saying so on the internet is flimsy evidence in isolation.
Because the U.S. has openly identified this software with Grizzly Steppe, malicious actors elsewhere now have an excellent incentive to download and use it: to make Americans think the Russians are to blame for any of their dirty work. Of course, Russians could use it too – or not. We simply do not know.
Furthermore, even assuming that the Russian government takes advantage of its large pool of homegrown hacking talent, it does not mean Russian hackers are not also busy plying their trade in other markets. Or that the tools they developed are not in use by hackers of all motivations and stripes all over the world. And, as Bershidsky points out, smart Russian intelligence operatives would do well to consider switching to tools developed by people writing in languages other than Russian.
In the absence of much hard evidence, media outlets are left reporting in a circle. As the Vermont utility incident demonstrates, all this circular motion is bound to make us lose our bearings on occasion.