Debating the attribution of cyberattacks
My latest venture in podcasting features a debate on attributing cyberattacks. Two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King's College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years.
I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter.
Among the questions we dig into:
- Why is cyber attribution so controversial? Is it a hangover from the Iraq war? Snowdenista hostility to the US government? Or the publicity to be gained from challenging official attributions?
- Is the use of secret attribution evidence inherently questionable or an essential tool for ensuring successful attribution?
I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack. Which of them recanted as the evidence mounted, and which ones doubled down? Details in the podcast.
I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU's top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech. Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.
In US privacy litigation, Jason tells us that the class action over CarrierIQ's storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies. And we debate the significance of the revelations about DEA's Hemisphere Project.
I'd welcome feedback, either by voicemail (+1 202 862 5785) or email (CyberlawPodcast@steptoe.com).
And special thanks to the Twitterati: @langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others.