Since well before he was elected president, Donald Trump has been casting doubt on the accuracy and integrity of investigations that assign blame for cyberattacks. His statements have created an atmosphere of mistrust around forensic analyses, like the one focused on Russia that three top spy agencies briefed him on last week.
This confusion benefits Trump by deflecting uncomfortable questions about Russia’s role in shifting public opinion about him and his opponent in the election, Hillary Clinton. But it’s also a boon to state-sponsored hackers, for whom uncertainty is the ideal camouflage.
That’s why the Obama administration made a habit of publicly attributing cyberattacks, like North Korea’s attack on Sony Pictures Entertainment, or, less formally, China’s theft of sensitive records from the Office of Personnel Management. For the past several years, the Justice Department also has brought charges against a bevy of state-sponsored hackers from places like China, Iran, and Syria, in a name-and-shame campaign aimed at outing the perpetrators of smaller hacks.
In an article published last year in the Harvard National Security Journal, John Carlin—then the head of the Justice Department’s national security division—argued that disrupting cyberattacks and deterring future intrusions both hinge on placing public blame. “To do either, we must first strip hackers of their real or perceived cloak of anonymity through public attribution, because if a hacker is invisible, his actions are cost-free,” Carlin wrote. “Attribution is the lynchpin of our success.”
Trump appears to put far less stock in public attribution. He’s repeatedly called into question the possibility that digital investigators—whether from intelligence agencies or private companies—could piece together a cyberattack after it’s over with enough accuracy to know where it came from, despite the fact that experts regularly track down attackers by gathering digital evidence.
This attitude has trickled down to the general public. Over the weekend, two reporters for The New York Times asked Trump supporters in Louisiana and Indiana for their reactions on the intelligence community’s hacking report. Their responses ranged from skepticism (“It seems silly”) to total rejection (“I don’t believe it”).
This erosion of public confidence in analysts’ ability to identify hackers is dangerous. “Mistrust of attribution would make hacking easier, since it means retribution is harder: You need to have attribution for retribution, both to know that you are retaliating against the right actor and to convince the public you are justified in doing so if it is a public retaliation,” wrote Nicholas Weaver, a professor and security researcher at the University of California, Berkeley, in an email. “The former is unaffected, but the latter is compromised by needless mistrust.”
That mistrust spread quickly. Two years ago, the only people who concerned themselves with fact-checking cyberattack attributions were top security experts like Bruce Schneier, who wrote an article in The Atlantic arguing that the government didn’t have enough evidence to connect the Sony hack to the North Korean government. (He was convinced later that month, when the Times reported that U.S. intelligence agencies were also relying on secret evidence from the NSA and from sources inside North Korea to back up its claims.) Now, Trump’s public disavowals of hacking analyses have made it popular to question Russia’s involvement.
The increase in public mistrust in cyber-attribution mirrors the way that the language of doubt has taken hold around climate science and the trustworthiness of mainstream news reports. Fewer than half of Americans believe that climate change is the result of human activity—the conclusion of the overwhelming majority of scientists—and just below a third say they have “a great deal” or “a fair amount” of trust in the news media. A third is about the same proportion of Americans who say they believe Russia influenced the 2016 election.
Last week, danah boyd, a scholar of online communications and the founder of Data & Society, wrote that a generation of media-literacy teachings encouraging Americans to question sources and do their own research may have backfired. “Doubt,” boyd says, “has become [a] tool.”
She argues for the necessity of relying on trusted sources of information:
I believe that information intermediaries are important, that honed expertise matters, and that no one can ever be fully informed. As a result, I have long believed that we have to outsource certain matters and to trust others to do right by us as individuals and society as a whole. This is what it means to live in a democracy, but, more importantly, it’s what it means to live in a society.
But people who don’t have the tools to separate bad information sources from good ones may choose unreliable sources, or might be inclined to doubt them all. And when people in power reinforce the notion that experts can’t be trusted—whether it’s climate scientists, journalists for major publications, or medical researchers with advanced degrees—confusion only spreads further. Healthy skepticism turns to toxic, blanket cynicism.
Without a shared basis of facts, climate-change denial and suspicion toward modern medicine flourish. Thorough, fact-based news reporting gets slandered as “fake news” and discounted by large portions of the population. And now, legitimate attributions of blame for cyberattacks are brushed aside as half-baked, untrustworthy, and politically motivated.
These are ideal conditions for malicious hackers looking to strike out at the United States. Foreign businesses can conduct corporate espionage, individuals can dox Americans against whom they hold grudges, and state-sponsored hackers can invade critical infrastructure, all with little worry of retribution. Because even if a cybersecurity company or the U.S. intelligence community finds out what the intruders did, and points fingers publicly—who’s going to believe them?
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.