Wednesday, October 03, 2012

The fog of cyber and government lies

This story by Kim Zetter explains what happened last year when the DHS claimed that Russians had hacked a utility in Illinois. There are three lessons here.

The first lesson is that cyber has become the null hypothesis. Right now, your large organization has machines infected with viruses and has evidence of attack in firewall and IPS logs. When something unusual happens, it becomes impossible not to draw a connection between the two. That's what happened in Illinois: when a pump failed, they found a five month old login from Russia, and drew a (false) connection.

The second lesson is that experts pass on rumors, too. Just because a guy is from the DHS or CIA doesn't mean you should believe them. Sure, sometimes what they say is fact, but most of the time, they are just passing on rumors they've heard. That's what happened in stories like the Brazilian hacker power outage that was actually caused by forest fires, or another case of hackers causing blackouts for extortion revealed by the CIA. They had no evidence, they were just passing on rumors they heard, there was no special reason to believe them.

Which leads to the third lesson: the government serves a higher truth. By "higher truth" I mean "lies". That's what Zetter documents in her story: the DHS considers the mistake a "success" because it "generated interest" in cyber attacks. The DHS, the CIA, and the NSA believe they are doing a good thing passing on lies, half-truths, and uncorrected information. What that means to the public is that we cannot trust them.


Richard Steven Hack said...

This applies to most of foreign policy as well.

Polls show the US electorate thinks Iran already HAS nuclear weapons, let alone a nuclear weapons program. In fact, Iran does not have a program and does not appear to have ever had one except perhaps a "feasibility study" back when they were afraid Saddam had one.

Almost everything one reads about Iran in the main stream media, directly from people like Obama and Clinton (or the Republican wannabes), is completely bogus - on a par with the lies about Iraq's "WMDs" by the Bush administration.

decius said...

I would add to these comments that it is imperative for security analysts to apply Occam's Razor to the analysis of security incidents. Generally speaking, things that happen in a computer system that are unexpected are mostly likely to have an non-malicious explanation. Computer systems break on their own all the time. People who are quick to jump to conclusions like "it must be the Russians" do not make good analysts.

People have a natural tendency to ignore evidence that contradicts the conclusions that they prefer to reach. It is imperative to keep an open mind until the evidence clearly indicates an explanation. Otherwise you end up wasting resources chasing ghosts. Maintaining that objectivity is a professional analytical skill that is unusual and that security analysts should work to develop.