False-flag cyberattacks a red line for nation-states, says Mandiant boss
NSA director says he doesn't know of a 'big one' that was successful
False-flag cyberattacks represent a red line that even nation states like Russia and China don't want to cross, according to Mandiant CEO Kevin Mandia.
"It's one of the last rules of the playground that a modern nation may not want to break because they don't want everyone doing false flags," he said, speaking on a panel this week at Vanderbilt University's Summit on Modern Conflict and Emerging Threats.
In these types of destructive cyber operations, a country launches an attack with the intent of disguising its involvement and pinning the blame on another country.
"People worry about false flags," NSA director of cybersecurity Rob Joyce said, adding that "I don't know of a big one" that has been successful.
While attributing a cyberattack to a particular crime group or nation state with 100 percent confidence "is absolutely hard," any cybercriminal operation has its preferred tactics, techniques, and procedures for breaking and entering as well as its own unique malware, he noted.
"We see how they operate, where they operate and what they do," Joyce said. Combining the technical fingerprints with the larger intelligence gathering capabilities from the NSA and the FBI, "we're able to follow with a pretty good trail," he added.
"When you get a White House podium statement that X did Y, like we did with everything from Sony Pictures to NotPetya, that's 100 percent" confidence in the attribution, Joyce said.
In 2014, the FBI attributed the Sony Pictures cyberattack to North Korea, and US law enforcement blamed the 2017 NotPetya attacks on the Russian military.
"When you see the US government come out and give attribution, that is a super high level of confidence," Joyce said.
False flags? Don't need 'em
In addition to sowing general chaos, and ensuring escalation in a cyber conflict, there's another reason why nation states aren't willing to cross the red line of false-flag operations. "Proxies are so much easier," Mandia said. "That seems to be working pretty well right now."
Russia, China, and North Korea are perfectly willing to harbor ransomware gangs and other cybercriminals inside their borders, enjoy financial kickbacks from the crime rings' extortion activities, and then still claim a level of ignorance about the crimes committed, Mandia opined.
Meanwhile, other nations can't pin the blame squarely on the country providing safe harbor to these miscreants — or at least beyond some sanctions, they haven't been willing to as yet.
However, as the US pushes nations including Russia to hold its cybercriminals accountable, having its own vigilantes volunteering in the so-called IT Army to launch cyberattacks against Moscow doesn't help, Joyce added.
"It's illegal," he said. "This certainly isn't going to make the State Department discussions with Russia of 'you need to hold your people accountable' any easier." ®