Then there is the reaction to the Joint Analysis Report issued by the Department of Homeland Security and the FBI on the election. Critics say that the JAR does nothing to prove that Russia committed the attacks and that the data is not clear. But that’s not the point. The report specifically says, “This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.” It does not claim to provide proof of who perpetrated the hack. It is intended to give defenders information that helps them determine whether they might also have been victims of a compromise.
Many people said the data in the JAR was unusable, and for them it is. To properly use the report, you need to understand that it is more a tool for threat hunting than a direct indicator of a hack. For example, many critics say the list of IP addresses provided in the JAR is not a clear indicator of an attack. That’s true, but there is no claim that the list is supposed to do that; it is merely intended to provide a way for administrators to narrow down a search for potential attacks. Minimally, the publication of the IP addresses will cause adversaries to change their infrastructure, thus disrupting some of their activities.
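To make the threat-hunting point concrete, here is an added example of how an administrator would actually use a published list of IP indicators: sweep it across firewall or proxy logs, collect every hit as a lead, and rank the leads for triage rather than treating a match as proof of compromise. This is example code written for this article, not material from the JAR; the indicator list uses RFC 5737 documentation addresses and the log lines are constructed, so none of them are real indicators from the report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list (RFC 5737 documentation addresses) standing in for
# the IP indicators a report such as the JAR publishes. These are NOT JAR indicators.
INDICATORS = """
# one IP or CIDR per line; blanks and comments are ignored
192.0.2.10
192.0.2.11
198.51.100.0/24
"""

# Constructed firewall log lines in a simple key=value format (not real traffic).
SAMPLE_LOGS = """
2017-01-03T10:15:02Z fw1 ALLOW src=10.0.0.15 dst=192.0.2.10 dport=443
2017-01-03T10:15:09Z fw1 ALLOW src=10.0.0.15 dst=93.184.216.34 dport=443
2017-01-03T10:16:44Z fw1 ALLOW src=10.0.0.22 dst=198.51.100.77 dport=80
2017-01-03T10:17:01Z fw1 DENY  src=203.0.113.5 dst=10.0.0.15 dport=22
2017-01-03T11:02:13Z fw1 ALLOW src=10.0.0.15 dst=192.0.2.10 dport=443
"""

# Matches the src= and dst= fields of the constructed log format above.
FIELD = re.compile(r"\b(src|dst)=(\d+\.\d+\.\d+\.\d+)")


def load_indicators(text):
    """Parse one indicator per line (single IP or CIDR), skipping blanks and # comments.

    Returns a list of (original label, ip_network) pairs so hits can be reported
    under the indicator exactly as it appeared in the published list."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append((line, ipaddress.ip_network(line, strict=False)))
    return nets


def sweep(log_text, indicators):
    """Return {indicator: [(timestamp, internal_host, direction), ...]}.

    A line is a hit when its src or dst falls inside an indicator. The other
    address on the line is recorded as the internal host to follow up on.
    A hit is a lead for triage, not evidence of a successful intrusion."""
    leads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD.findall(line))
        if "src" not in fields or "dst" not in fields:
            continue  # not a connection record we know how to read
        timestamp = line.split()[0]
        for side, other in (("dst", "src"), ("src", "dst")):
            addr = ipaddress.ip_address(fields[side])
            direction = "outbound" if side == "dst" else "inbound"
            for label, net in indicators:
                if addr in net:
                    leads[label].append((timestamp, fields[other], direction))
    return dict(leads)


def summarize(leads):
    """Rank indicators by hit count, then by name, listing distinct internal hosts.

    Returns [(indicator, hit_count, [hosts...]), ...] so the analyst starts with
    the indicator that touched the most traffic and the hosts to examine."""
    rows = []
    for label, hits in leads.items():
        hosts = sorted({host for _, host, _ in hits})
        rows.append((label, len(hits), hosts))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS, load_indicators(INDICATORS))
    for label, count, hosts in summarize(found):
        print(f"{label}: {count} hit(s) involving {', '.join(hosts)} -> triage")
```

Run against the constructed data, the sweep flags two of the three indicators and points at two internal hosts; the indicator with no traffic simply produces no lead. What the output gives the administrator is a short list of hosts and time windows to examine, which is exactly the "narrowing down" the article describes, and nothing in it claims that a connection to a listed address was an attack.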
I completely agree that the JAR could have been a better tutorial. It states that it provides details of how Russian intelligence agencies commit their hacks, but it is a trivial description of those attacks at best. Nonetheless, it’s still valuable, and it was instrumental in finding the presence of malware on a laptop owned by Burlington Electric in Vermont.
But that story has become just another bone of contention.
Many security professionals are downplaying the reports, saying the laptop wasn’t connected to the power grid and the malware was detected on a single system. These are the same people who have always bemoaned how “stupid users” infect their computers with malware and then go on to infect the rest of the network. It seems like collective amnesia.
Some security professionals seem to believe that in the absence of a personal briefing from the FBI, all claims of Russian involvement should be disbelieved. But if they’re not going to accept the word of the organizations that do such analysis for a living and have access to the actual data, if they’re going to discount the opinions of the top Republicans in government who have access to the classified data, and if they’re going to doubt every agency in the U.S. government with access to the information, then they are unlikely to be convinced even if Vladimir Putin were to inform them personally that he ordered the attacks.