Climate of Fear in Cyber-Security

In Dec. 30, 2016 – Jan. 2, 2017, Mark Maunder, CEO of the security company Wordfence, was among many vocal critics of the wrong and incompetent FBI-DHS report GRIZZLY STEPPE, which purported to provide technical indications of “Russian hacking.” A month and a half later, he was afraid to criticize the new version of the same report, citing the political nature of this issue, ostensibly because he feared the repercussions of such criticisms. The danger was coming from Big Tech, which, triggered by the travel ban, joined the “resistance” and had zero tolerance for anybody and anything not opposing President Trump.

Dec. 30, 2016. “US Govt Data Shows ‘Russia’ Used Outdated Ukrainian PHP Malware”

Mark Maunder suggested that ‘Russia’ be put in quotes in his next post on the subject.

Jan. 2, 2017. Mark confirms the results he had published. Mark and two other security researchers from Wordfence analyzed and compared to the real world the data from the GRIZZLY STEPPE report (FBI & DHS, Dec 29, 2016). They concluded (emphasis is mine):

“On Friday we published an analysis of the FBI and DHS Grizzly Steppe report. The report was widely seen as proof that Russian intelligence operatives hacked the US 2016 election. We showed that the PHP malware in the report is old, freely available from a Ukrainian hacker group and is an administrative tool for hackers. We also performed an analysis on the IP addresses included in the report and showed that they originate from 61 countries and 389 different organizations with no clear attribution to Russia.”

The post also quoted the opinions of Jeffrey Carr (founder of the Suits and Spooks conference and a lecturer at the Army War College and the Defense Intelligence Agency) and Robert M Lee (CEO and founder of the security company Dragos) who independently analyzed the same report and arrived at similar conclusions.  The article also references general media articles, using the same researchers: White House fails to make case that Russian hackers tampered with election (Ars Technica) and Grizzly Misstep: Security Experts Call Russia Hacking Report “Poorly Done,” “Fatally Flawed” (Fortune.com).

Feb. 13, 2017. A post on the freshly cooked “Enhanced Grizzly Steppe Report” entirely avoids criticizing or even analyzing its data or methodology. Why? The author was intimidated by Big Tech.

“Final note regarding comments: Please note that due to the political nature of this issue, we won’t be publishing any comments with political overtones. Our focus is simply on the data that DHS released and the data we are seeing ourselves and our analysis of it. Thank you.”

Many cyber-security companies are forced to use doublespeak, similar to that of many climate related research papers in the first decade of this century. For example, ESET Sednit paper, dated by October 2016, starts with and uses a definition, consistent with the CrowdStrike-DNC:

“The Sednit group —  also known as APT28, Fancy Bear and Sofacy —  is a group of attackers operating since 2004 if not earlier and whose main objective is to steal confidential information from specific targets.”

Only in one place it acknowledges that neither the narrative nor the definition is true:

“As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization.” (emphasis is in the source)

A 2018 paper LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group shows the same contradiction. It even refers to authorities blaming Sednit for multiple security breaches:

“Sednit also known as APT28, Sofacy, Strontium and Fancy Bear – has been operating since at least 2004, and has made headlines frequently in the past years: it is believed to be behind major, high profile attacks. For instance, several security companies [1] as well as the US Department of Justice [2] named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde [3], the World Anti-Doping Agency (WADA) email leak [4] and many others.”

Only in one place it acknowledges that the Sednit group is not a group of persons, but software and network infrastructure:

“What we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate authoritatively with any specific organization.”

Congressional investigations did not look at these issues. The House Intelligence Committee has not asked independent network security experts. 

Breitbart, Mar 7, 2017: Fix Is In: House Committee on ‘Russian Hacking’ Includes Only DNC-Hired Tech Experts

“A list of witnesses scheduled to appear at a House Permanent Select Committee on Intelligence Open Hearing on “Russian Active Measures” contains a glaring problem: the only technical experts scheduled to testify are from CrowdStrike. CrowdStrike is a firm hired by the Democratic National Committee (DNC) and has become the primary source of the narrative about “Russian hacking” of the 2016 election and has acted as a mouthpiece for the Democrats since last June.”

Even then, CrowdStrike refused to testify before the Committee; they provided some input behind the scene, but not under oath with the penalty of perjury.

Climate of fear in cyber-security today is similar to the climate of fear in the climate sciences a decade back.

(updated)