Trump Is Wrong That Investigators Have to Catch Hackers in the Act

Assigning blame for cyberattacks is difficult, but experts do often identify the culprits.

[Photo: President-elect Trump watches the Army-Navy football game. Andrew Harnik / AP]

The difficulty of knowing who launched a cyberattack has become a refrain for President-elect Donald Trump. It could be Russia, he says, or it could be China, or it could be “some guy in his home in New Jersey.” It could be “someone sitting on their bed that weighs 400 pounds.”

On Monday, after a tumultuous three days of revelations about a new probe into election-related hacking, and the results of a secret CIA investigation that determined that Russia tried to interfere in the election in Trump’s favor, the president-elect struck back with a tweet:

It’s not quite clear whether “this” in Trump’s question refers to the difficulty of attributing cyberattacks to their perpetrators or to Russia’s election-related meddling. But both were brought up before the election.

When Trump questions experts’ abilities to sniff out the culprits behind cyberattacks, he’s picking up on a strand of truth and twisting it out of proportion. In general, yes, when computers come under attack it is not always immediately clear who is behind it. In the case of the 2014 data breach at Sony Pictures Entertainment, for example, the security technologist Bruce Schneier wrote about his doubts that the North Korean government was behind the hack. The publicly available evidence in that particular instance was questionable and open to several interpretations, Schneier argued.

But the specifics around this year’s election-related hacking are very different. In early May, the Democratic National Committee asked CrowdStrike, one of many cybersecurity companies that identify and defend against hacking attacks, to investigate a potential intrusion into the organization’s network. Using its endpoint-monitoring platform, Falcon, the company’s security researchers soon determined that the cyberattack came from Russia.

An October Esquire feature about CrowdStrike’s investigation unpacked some of the evidence that the analysis uncovered:

Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, [said] Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
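The reasoning in the passage above, in which reuse of command-and-control servers counts for more than a resemblance in code or technique, can be made concrete as an indicator-overlap scorer. The block below is an added example, not code from the article, from CrowdStrike or from the Falcon platform; the group names, server addresses (taken from the RFC 5737 documentation ranges), malware hashes, technique IDs and evidence weights are all constructed assumptions, not observations from the DNC or Bundestag cases.

```python
"""Weighted indicator-overlap scoring for attribution: does a new intrusion
reuse the infrastructure, code and techniques of a known campaign?

Added example, not code from the article, CrowdStrike or Falcon. Every
campaign profile, address, hash, technique ID and weight is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed weights: a reused command-and-control server is much harder for two
# unrelated actors to share by coincidence than a reused technique, so it
# counts for more. Recovered implant hashes sit in between.
WEIGHTS: Dict[str, float] = {"c2": 3.0, "malware_hash": 2.0, "ttp": 1.0}
CLASSES = tuple(WEIGHTS)


@dataclass(frozen=True)
class Campaign:
    name: str
    c2: FrozenSet[str]            # servers the campaign was seen talking to
    malware_hash: FrozenSet[str]  # hashes of implants recovered from victims
    ttp: FrozenSet[str]           # technique IDs observed (ATT&CK-style)

    def indicators(self, cls: str) -> FrozenSet[str]:
        return getattr(self, cls)


# Constructed prior-campaign profiles with hypothetical group names.
KNOWN: List[Campaign] = [
    Campaign("Bear-A",
             frozenset({"192.0.2.10", "192.0.2.11"}),
             frozenset({"a1", "a2"}),
             frozenset({"T1003", "T1071.001", "T1566.001"})),
    Campaign("Bear-B",
             frozenset({"198.51.100.5"}),
             frozenset({"b1"}),
             frozenset({"T1059.001", "T1071.001", "T1566.001"})),
    # Shares one server with Bear-A, as happens with bulletproof hosting.
    Campaign("Commodity-Crew",
             frozenset({"203.0.113.7", "192.0.2.11"}),
             frozenset({"c1"}),
             frozenset({"T1566.001"})),
]

# Constructed observations from a new intrusion: one with infrastructure and
# implant evidence, one where only techniques could be recovered.
RICH_OBSERVATION = Campaign(
    "incident-rich",
    frozenset({"192.0.2.10", "192.0.2.11", "203.0.113.9"}),
    frozenset({"a2", "x9"}),
    frozenset({"T1003", "T1071.001", "T1566.001", "T1059.001"}))
TTP_ONLY_OBSERVATION = Campaign(
    "incident-ttp-only", frozenset(), frozenset(),
    frozenset({"T1071.001", "T1566.001"}))


def indicator_weight(cls: str, indicator: str, known: List[Campaign]) -> float:
    """An indicator used by several known campaigns (public tooling, shared
    hosting) discriminates less, so its weight is divided by the number of
    campaigns that use it. An indicator no campaign uses scores nothing."""
    users = sum(1 for c in known if indicator in c.indicators(cls))
    return WEIGHTS[cls] / users if users else 0.0


def score(observed: Campaign, candidate: Campaign,
          known: List[Campaign]) -> Tuple[float, List[Tuple[str, str, float]]]:
    """Weighted overlap between the observation and one candidate, with the
    matched evidence listed so the verdict can be explained and challenged."""
    evidence = []
    for cls in CLASSES:
        for ind in sorted(observed.indicators(cls) & candidate.indicators(cls)):
            evidence.append((cls, ind, indicator_weight(cls, ind, known)))
    return sum(w for _, _, w in evidence), evidence


def assess(observed: Campaign, known: List[Campaign], margin: float = 2.0) -> dict:
    """Rank candidates; call one 'likely' only when it leads clearly."""
    ranked = sorted(((c, *score(observed, c, known)) for c in known),
                    key=lambda r: r[1], reverse=True)
    top_c, top_s, top_e = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if top_s == 0:
        verdict = "unattributed"
    elif top_s - runner_up < margin:
        verdict = "ambiguous"
    else:
        verdict = "likely"
    return {"verdict": verdict, "candidate": top_c.name, "score": top_s,
            "runner_up": runner_up, "evidence": top_e}


if __name__ == "__main__":
    for obs in (RICH_OBSERVATION, TTP_ONLY_OBSERVATION):
        r = assess(obs, KNOWN)
        print(f"{obs.name}: {r['verdict']} {r['candidate']} "
              f"({r['score']:.2f} vs runner-up {r['runner_up']:.2f})")
        for cls, ind, w in r["evidence"]:
            print(f"   {cls:13s} {ind:14s} weight {w:.2f}")
```

Two design points carry the article’s argument. Dividing an indicator’s weight by the number of campaigns that use it is what stops a server on shared hosting, or a phishing technique everyone uses, from pointing at any one group. And the technique-only observation comes out “ambiguous” because two candidates tie, which is the Sony-style situation in which resemblance alone does not settle the question; the DNC case scored as “likely” because the same servers and the same implant family were seen again, on top of the matching techniques.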

The DNC agreed to go public with CrowdStrike’s findings, and the company’s executives shared the details with The Washington Post in June.

CrowdStrike did in fact “catch the adversaries in the act,” said Dmitri Alperovitch, the company’s co-founder and CTO, in an email. “We were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network.”

A few months later, in October, CrowdStrike’s conclusions picked up a major endorsement: A joint statement from the Department of Homeland Security and the Office of the Director of National Intelligence, issued on behalf of the 17-agency U.S. intelligence community, said that the intelligence community was “confident” that intrusions into political organizations like the DNC were “consistent with the methods and motivations of Russian-directed efforts,” and were “intended to interfere” with the presidential election.

So if Trump was complaining that Russia’s attempts to disrupt the U.S. election didn’t come up before Election Day in November, he’s ignoring announcements from the DNC and CrowdStrike about their findings, as well as an official declaration from the U.S. intelligence community about its own investigation. And just in case Trump didn’t catch either of those announcements, Hillary Clinton brought up the intelligence agencies’ statement during the third presidential debate, standing at a podium just yards from him. Information about Russia’s role also reportedly came up in Trump’s intelligence briefings before the election.

The Obama administration has shown a willingness to publicly name the perpetrators of cyberattacks against U.S. organizations, pointing fingers both at individual hackers and at the governments that sponsor their attacks. But Trump’s campaign to create confusion around experts’ ability to understand cyberattacks suggests that he’ll reverse the trend of increasing transparency and tamp down on official reporting about hacking.