There’s a certain well-rehearsed theater to publicly accusing a country, or group, or person of perpetrating a cyberattack. First, a government official or industry source will leak anonymously to a few reporters that, say, North Korea was behind the 2014 breach of Sony Pictures, or the Russian government meddled in the 2016 elections, or the Chinese government is responsible for the theft of data belonging to 500 million guests of the Marriott hotel chain. Those initial, vague rumblings of blame quickly crystallize into generally accepted wisdom about who is responsible for the attacks, sometimes with the government going so far as to issue public press briefings and indictments, but sometimes just because no other explanation is offered.
All of these accusations—whether anonymous or issued from a press briefing podium, whether backed up by persuasive, corroborating details in an indictment or merely supported by vague allusions to known IP addresses and familiar code snippets—are political acts.
And while I’m generally inclined to believe that most of them are based on solid, supporting evidence, even when that evidence is never made public, it’s also important to remember how easy it is to simply invent these accusations out of thin air. That seems to have happened as recently as November, during the run-up to the Georgia governor’s election, when then–Georgia Secretary of State Brian Kemp (who has since been elected the state’s governor) accused the Democratic Party of Georgia of trying to breach a voter database based on absolutely zero evidence, according to a recent report from the Atlanta Journal-Constitution.
Soon before the governor’s election in November, a Georgia man named Richard Wright identified security vulnerabilities in the secretary of state’s website, and media site WhoWhatWhy contacted the secretary of state’s office for comment. On Sunday, Nov. 4, Kemp’s office posted a statement on its website under the headline “AFTER FAILED HACKING ATTEMPT, SOS LAUNCHES INVESTIGATION INTO GEORGIA DEMOCRATIC PARTY.”
The two-paragraph statement read:
ATLANTA—After a failed attempt to hack the state’s voter registration system, the Secretary of State’s office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” said Candice Broce, Press Secretary. “We can also confirm that no personal data was breached and our system remains secure.”
In its way, it’s a masterwork of terrible, strategic cyberattack attribution—no evidence, no details, but a clearly identified perpetrator. Moreover, there wasn’t enough time before the election for any conclusive investigation—but there was plenty of opportunity for voters in Georgia to hear the unfounded, inflammatory allegations. A spokesman for Kemp’s gubernatorial campaign also told the AJC at the time, “Thanks to the systems and protocols established by Secretary of State Brian Kemp, no personal information was breached. These power-hungry radicals should be held accountable for their criminal behavior.” There’s a lot going on in there, but perhaps most outrageous is the idea that the campaign would have any idea who the “power-hungry radicals” were. Serious attribution of any kind of online intrusion takes time and relies on circumstantial digital evidence that has to be pieced together and assessed carefully. Since Kemp’s initial accusation was made in November, the AJC has conducted an investigation involving interviews, court filings, and public records, only to conclude that “no evidence supported the allegations against the Democrats at the time, and none has emerged in the six weeks since. … It appears unlikely that any crime occurred.”
There’s a whole column to be written just about Kemp and the ways in which he is quite possibly the single greatest threat to U.S. election integrity (see: ignoring repeated warnings of voting systems’ vulnerabilities, denying the existence of those vulnerabilities, refusing assistance from the federal government to secure those systems, and destroying election data to prevent audits). It’s easy to look at his history with voting technology and ascribe those mistakes to profound incompetence and technological ignorance. But Kemp’s decision to deflect attention from his state’s insecure elections infrastructure by blaming an attempted attack on his political rivals was not an act of ignorance or incompetence. It was malicious and manipulative, no question, but it was also, in its way, profoundly savvy.
Kemp understood that accusing people, groups, or even entire governments of cybersecurity breaches requires no real evidence. For years, political leaders have been setting a precedent of making big, public accusations that rest on little more than their repeated reassurances that they know what they’re talking about. Those accusations often allude to extensive, classified investigations that can’t be discussed with the public, or vaguely explain that the malware or IP addresses used by the attackers are similar to those used in other, previous attacks.
In fairness, we do occasionally get to see behind the curtain, especially when the government ends up filing detailed indictments—as it has now done in incidents involving the Chinese, Russian, Iranian, and North Korean governments. But those indictments actually laying out the evidence the government has collected are still relatively few and far between. When the New York Times first reported that the Marriott breach had been linked to the Chinese government, for instance, the only evidence provided for the accusation was that “a range of firms brought in to assess the damage quickly saw computer code and patterns familiar to operations by Chinese actors.”
Those “patterns” may indeed be very compelling evidence, but without any further detail it’s difficult to know just how damning they really are. The Times’ (anonymous) sources explicitly said that “American intelligence agencies have not reached a final assessment of who performed the hacking.” But the idea that the Chinese government is responsible for this breach has already taken hold in the minds of everyone who read one of the many, many articles about how China was responsible.
Even if the accusation was made on the basis of a stockpile of secret evidence, it was also made deliberately as part of a larger political agenda in the ongoing struggle between the United States and China around trade and technology. That doesn’t mean it’s not true, of course, but, like Kemp’s story, it is a reminder that government officials can have lots of different reasons to publicly accuse someone of an online breach. Those accusations can serve as a way to turn popular opinion against the perpetrator, a way to deflect blame from the party responsible for securing the data, a way to signal that the investigators are very on top of the situation and know exactly what is going on and who is responsible, or a way to warn would-be perpetrators that any future attempts will be detected and punished accordingly.
It’s difficult and time-consuming to do the kind of forensic work that’s required for thoughtful, compelling attribution. But as Kemp figured out from years of watching the U.S. government make those accusations without releasing any significant supporting evidence, it’s not at all difficult or time-consuming to make an accusation and count on everyone else to trust you as the expert.