When you hear “Attribution Problem” in infosec spheres you naturally think of the fact that there was a phase where everything was blamed on China, and then everything was blamed on China.
And a lot of it was marketing crap, or people blaming sophisticated attackers when they lacked even the most basic security.
[ NOTE: Even worse, lacking basic security doesn’t mean you won’t be targeted by advanced adversaries. ]
So that’s definitely an issue, but it’s not the worst one.
There’s another attribution problem under the thin ice layer of this one, and that’s the problem of using the above to question all attribution.
There are a lot of people in infosec who have never been in the military, never studied intelligence operations, never been exposed to the complexities and tradeoffs of what’s known, what can be released, etc.
I’m no intelligence expert, but I did serve in an intelligence role for a short amount of time in the 101st. I read a lot of manuals, I read a lot of books on the topic, and I’ve generally been interested in the space for a long time.
This doesn’t make me an expert, but what it does do is give me the perspective to at least see when I don’t have all the information, or even a tiny percentage of it, and it prevents me from saying certain things are for sure, certain things are impossible, etc.
What’s currently happening is unprecedented. We have essentially the entire U.S. government agreeing that Russia hacked the shit out of us, and there are thousands of infosec professionals—many who are extremely well-konwn—who completely disregard the narratives and evidence presented.
This is really bad. It’s bad for our industry. It says that we fundamentally lack the ability to tell the difference between good and bad signal.
One of the most important things for a thinking adult to be able to do—especially in this new world of fake news and attribution soup—is to be able to look at multiple streams of information and filter the decent sources from the garbage.
It’s understandable for some regular Joe or Jane who does gardening and doesn’t follow the news or technology to be clueless about this. But for the infosec profession—a field that requires (or should require) a constant re-evaluation of variables and situations on the ground in order to dynamically adjust risk when making decisions—it’s unspeakably bad.
If we as security professionals aren’t good at this, then who can we expect to be?
- Again, just because I’m better at doing this than the average person doesn’t mean I’m good at it. What it means is that I a) know I’m bad at it, b) know it’s hard, and 3) know it matters a whole lot. So I try.
- Even after you pick your good streams from the bad, there is still deception within that as well. Every lead could be false, every story could be planted. But this does NOT mean that looking at all the evidence available you can’t often make an informed decision.
- As I wrote about earlier this month, if you constantly ignore the best evidence available, you end up basically Gaslighting yourself into questioning everything.