
Politics & Attack Attribution

Cyberattack attribution is HARD. But time and time again, we're seeing attributions (who carried out the attack) made publicly with little to no evidence presented. Worse, these attributions are having real-world impacts...


Watch this episode on YouTube.

Reasonably Accurate 🤖🧠 Transcript

Morning everybody. How are you doing today? Welcome back to another episode of Mornings with Mark. It is a sensitive one today and we're going to talk politics, well, at least politics in the realm of cybersecurity and attack attribution. Now, I've tackled attack attribution several times on the show before, and for those of you that are newer to the audience, or just as a quick reminder, my educational background is in forensic science.

I was a practicing investigator for a number of years. This is an area I know inside and out on the technical side, as well as, obviously, dealing with the overall ramifications of investigations. What I thought was really fascinating was we're one day from the US midterm election. So that's obviously high stakes in the world of US politics, and the impact on the US and, you know, by extension on the world, can change a lot of the political landscape down there.

Now, interestingly enough, yesterday, Sunday morning, so two days before voters head to the polls in the state of Georgia, there was a statement issued from one of the people who was running, who was also, I believe, the Secretary of State and in charge of the elections, don't ask me how that flies,

that their voter registration site was potentially breached by the opposing party. So there's two things that are really interesting here. Well, there are multiple things really interesting here, but a few things jumped out to me as a forensic investigator: the timing of the announcement. So you can argue both sides of that one. You want to know,

it's in the public's interest to know before they head to the polls. But the immediate attribution. So unless this has been investigated for a while, having an attribution right out of the gate just isn't possible. So this happens all the time, and the reason why I wanted to talk about it this morning, and what I mean by all the time, is that quick attributions or weak attributions happen all the time.

And why I wanted to tackle it on the show today was that I think it's absolutely critical, because especially here, this is being used as a political weapon. Now, I'm not going to come down on either side of that. But I think looking at it as a technical issue is really important.

But also we're seeing that more and more at the nation state level. And, you know, like we used to see with celebrities. Remember two or three years ago, celebrities always used to say something after they tweeted something else they regretted. They were like, oh, I was hacked. It was somebody else who tweeted out that I don't like my rival.

No evidence provided. And I think this is the underlying theme of today's show: we need to see some evidence. And we've seen it time and time again at the nation state level over the last year and a half, two years, where people are making direct attributions and accusations saying it was this nation state actor who was perpetrating various cyber attacks. And don't get me wrong,

it is possible to make a confident attribution, but you need a ton of evidence, and even then there's a variance and there's a level of confidence. It's not 100%, it's "I am highly confident," right? So this comes back to my years working as an investigator. You need to be very careful in how you phrase things.

And this is what was interesting with Sunday morning's report coming out. Now, obviously, there's a huge amount of political motivation here, but it was an unequivocal statement as to who made this attack: no evidence of the attack, no explanation of the extent of the attack, but also an unequivocal statement of blame.

Now, any time you hear that as an informed, or at least now informed, reader or consumer of news, you should be very concerned. Unequivocal statements with respect to a cyber attack are extremely difficult to make outside of a situation where there's a confession. Obviously, if I say I hacked you, that's pretty straightforward.

You can make an almost unequivocal attribution of blame, because I could be trying to steal somebody else's thunder and take credit for a hack. But attribution itself requires evidence, not only from the breached system; it requires evidence from the system that was breaching and some intermediary points as well.

You need all of this evidence gathered together to be able to connect the dots, to say this happened here and this is the result, this is the attack, and it was started by this person or this group. When you're making just a claim like, oh, I think it was so and so, that's fine.

You can speculate, you can have theories. But when it's a statement of attribution, unless you're saying it is our hypothesis and we are working to prove or disprove that hypothesis, you can't make these claims. It's just not. You don't have the evidence or the technicality to back them up.

Now, I could be wrong. In this case, there could be a mountain of evidence. They could have been investigating for a while and they could have it, but nothing's been released. So as you consume news, whether it's this particular one about this attack in the state of Georgia or any other corporation or nation state that says, you know, it was so and so that hacked us, you need to take that with more than a grain of salt, with a full shaker of salt, or a grinder if you're fancy, and you need to be able to say, hey, what is the actual evidence presented?

Because until the evidence is presented, you can't actually make that assessment. You're relying on somebody who obviously, and especially in this case, which is a great example, has an agenda. And when you have an agenda, investigations go awry. This is one of the things you always see in cop dramas, which they do pretty decently.

When people have a conflict of interest, or when people have an agenda or are too close to a case, they pull them off the case. The reason for that is that you tend to read into evidence what you want to read into the evidence, and that will sully your investigation, that will point you in wrong directions.

That's not how you go about it. So I guess my takeaway today is read everything with a grain of salt when it comes to cyber attack attribution. Make sure you see evidence; ask yourself what the motivation behind the people making the attribution would be. It may not be wrong, but you need to be clear, confident in the unbiased results, or unbiased data gathering, and the conclusions of the investigation.

And it's really, really hard, that's a key takeaway. It's absolutely difficult to make an attribution to a group or person. It's far easier to attribute to a system or an IP space, but even then that doesn't tell you who is sitting there doing the work. So what do you think?

Let me know, hit me up online at Mark NC, for those on the blog in the comments down below, or as always by email at Mark N dot C A. Again, ignoring the politics behind this particular one. I don't want to dive into politics, that never ends well. And I don't have a horse in that race, so it's not like it directly impacts me.

But what do you think about attribution? Have you made an attribution? How do you read and consume this news if you're not in the field? You know, do you see this and go, oh, OK, yeah, that's what happened, or do you start naturally asking questions?

I'm really curious here. Let's keep the discussion going online and I will see you on the show tomorrow. Have a great one.
