Episode 51 of the podcast features a debate on attributing cyberattacks. Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years.
I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter (@langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others).
I ask why cyber attribution is so controversial. Is it a hangover from the Iraq war? Snowdenista sentiment? Or the publicity to be gained from challenging official attributions?
We debate whether using secret attribution evidence is inherently questionable or an essential tool for ensuring successful attribution.
I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack. Which of them recanted as the evidence mounted, and which ones doubled down? Details in the podcast.
In the news roundup, Jason Weinstein and I are joined by Ed Krauland, a partner in Steptoe’s International Department in DC. Ed outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer: not much). I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech. Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.
In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies. And we debate the significance of the revelations about DEA’s Hemisphere Project.