The FBI is now leading an investigation into a hack of the Democratic National Committee. This is the first acknowledgment from the agency that it is probing the incident, which US officials suspect came from a Russian cyber attack. The FBI said that the suspected Russian hack is part of a wave of Russian cyber attacks aimed at political organizations and academic think tanks in Washington. Over the weekend, WikiLeaks began publishing emails from the DNC. The group didn't identify the source, but Hillary Clinton’s campaign pointed the finger at Russia, saying the release of stolen emails was intended to help Republican nominee Donald Trump.
The FBI has sent experts to meet with the Republican National Committee, as well as the major campaigns, to discuss their security measures. No similar intrusions have so far been detected at the RNC or the campaigns of the two major party candidates.
Knee-jerk Reaction to Cyber Attacks Is Not an Effective Way to Protect Valuable Data
The “attribution problem” makes it extremely difficult to accurately know who is responsible for an attack. Perhaps the Russians were hacked first by North Korea? Who knows. We will never* know with certainty. And that’s the problem…. Without certainty, there are no options for response.
At the exact same time that every interesting effort is being turned into software, the attackers are becoming more organized, sophisticated, and creative. Yesterday it was about stealing money. Today it’s about influencing an election. Tomorrow, who knows? Maybe it’s about harming groups of people by attacking their healthcare, retail, or government, gaining a marketing advantage by using drones or crashing the electric grid. However, more than likely it will be something that isn’t obvious today.
It’s frustrating to watch this knee-jerk reaction to cyber attacks that focuses exclusively on cyber response. We can do so much better at building software that is resilient to attacks. The government should be pushing software producers to create code that doesn’t have well-known obvious vulnerabilities. Like the items in the OWASP Top Ten that haven’t changed for the past 14 years. That’s an embarrassment. Why can’t organizations like the FTC strongly “encourage” organizations to at least follow some basic application security practices: training developers, threat modeling, automated verification, and runtime protection? To me, it is negligence to not put these practices in place when the exposure and damage are obviously foreseeable.