This is a guest post from Clifford Bob, Professor and Chair of Political Science at Duquesne University.
A free press is a major check on shoddy government policies and bad ideas, but if journalists refuse to think critically about government pronouncements, that civic function fails. Worse yet, if the media magnifies and exaggerates official errors, a veneer of objectivity is cast onto poor quality or biased government information.
We have learned this lesson many times in U.S. history, notably in the lead-up to the Iraq War. Robert Wright’s excellent Intercept article of last week makes this point regarding current New York Times’ reporting about Iran. Similar “media-abetted perceptual distortion” has been occurring with respect to Russia and especially “Russiagate,” as Wright suggests. A case in point is an article in Friday’s Times which included this scary headline near the top of its website: “Russia Could Have Switched Off U.S. Power, Officials Say.” The article itself is titled, “Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says,” and in the print edition, the title of the frontpage article was “U.S. Says Hacks Left Russia Able to Shut Utilities.”
But even a cursory read of the governmental and corporate reports underlying the article makes the situation far less dire than it first appears–and easily preventable. Start with the headlines. They give the impression that Russia could have darkened the U.S. and that this is a major new threat. Yet the DHS and FBI report focuses on “small commercial facilities’ networks.” It also appears to be little more than a routine alert to the private sector, similar to many in the recent past. And it provides a range of “detection and prevention guidelines” to minimize any threat.
Nor does DHS say anything about Russia “switching off US power.” In the Times article, only spokespersons for various cybersecurity companies are quoted as suggesting that—but of course they have good financial reasons to fearmonger for their products. The DHS report itself, issued by the United States Computer Emergency Readiness Team (US-CERT), comes with a major disclaimer: a Notification that the information it provides is “‘as is’ for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding this information.” Taken at face value, this statement calls into question how confident US-CERT is in any of the information provided in its reports. At minimum, some discussion of confidence levels is needed to give the report context.
This is particularly the case with regard to the most sensational charge, that “Russian government cyber actors” attacked U.S. government entities and critical infrastructure including utilities. On one hand, it is hardly surprising that the Russian government or cybercriminals of diverse nationalities might engage in the kinds of low-level activities mentioned in the report. Many governments do so, no doubt including the U.S.
But is the DHS’s conclusion about Russia’s incursion into American utilities based on anything more than this surmise? The report provides no evidentiary basis on which to support its most important point: that DHS and the FBI “judge the ultimate objective of the [Russian government ] actors is to compromise organizational networks” of its targets.
Without noting this omission, however, the Times hypes the assertions in the DHS report. Some of this involves simple exaggeration. Consider this sentence from the report, which is followed by a full-scale diagram of a power generator: “DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the threat actors accessed.” In the Times’ version this becomes “ a screenshot taken by Russian operatives that proved they could now gain access to their victims’ critical controls.”
Another disturbing aspect of the Times coverage is its sourcing. The named sources work for the cybersecurity industry and clearly have a monetary interest in making the situation appear dire. Only one of them, Eric Cornelius of Cylance, raises questions about the broader implications of the seemingly scary cyber “reconnaissance” ostensibly conducted by the Russians. “It is unclear what their perceived benefit would be from causing damage on U.S. soil, especially given the retaliation it would provoke.”
More disturbing, DHS itself appears to rely heavily on research by cybersecurity firms with a clear profit motive to exaggerate threats. The report links to only one external source which DHS uses in an attempt to strengthen its own conclusions. This is an October 2017 Symantec report, “Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group,” issued for its customers by the company’s Security Response Attack Investigation Team.
This Symantec report, part of its “8 Min Read: Threat Intelligence” series, is more cautious than DHS and the Times about attribution of the cyber attacks: “Conflicting evidence and what appear to be attempts at misattribution make it difficult to definitively state where this attack group is based or who is behind it.” More specifically, Symantec notes that “some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.”
DHS and the Times however throw caution to the wind. They assert that the Russian government is behind the incidents, apparently basing this definitive attribution on “distinct indicators and behaviors”—although these are not provided to the public.
The Symantec report is important for another reason. It shows the real scale of the threat: minuscule. According to Symantec the Dragonfly “group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.” Note the word “potentially.” Even if we accept all the assertions in the Symantec document, any threat is only potential—a point downplayed in the Times. Nor are we told by Symantec (or DHS ) whether this potential is a near certainty, for instance a greater than 95% probability of control and/or sabotage, a 50% coin toss—or less than a 1% risk.
This glaring hole in the Symantec report is explainable, however, if we understand one of its obvious purposes: to sell Symantec products. The report makes no secret of this goal. Immediately after warning of the potential threat, it advertises that “Symantec customers are protected against the activities of the Dragonfly group.”
Imagine: All that the “Western energy sector” needs to do to protect itself from the Russians is to buy Symantec products! What an elegant, easy, and profitable solution to the scary Russian threat! DHS scrupulously states that its reports are not an endorsement for the products of any private company. But Symantec must be pleased with its product placement–even if the hyperventilating Times neglected to mention how effortlessly the Russian cyberbear can be tamed.
All of this doesn’t merely raise concerns about the Times’ reliability. It also raises questions about just how fearful we should be about Russian government cyberthreats—or presumably threats from less formidable state adversaries such as North Korea or Iran. If an off-the-shelf Symantec product can completely foil the F.S.B., the G.R.U., and their vaunted troll farms and bots, the Russian government’s cyber capabilities must be pretty pathetic. By the same token, victims of recent attacks attributed to state actors, such as WannaCry and NotPetya, bear much of the blame for not updating their antivirus software. If you leave your door open in a crime-ridden neighborhood, you can’t expect the family silver to be around when you return.
By all means individuals and corporations should protect themselves from cyberattacks. There is no question such attacks occur, even if their impact is often exaggerated. It is certainly possible that states such as Russia are to blame in some cases. But journalists worth their salt should not simply broadcast the statements of government agencies or corporate offices without critically evaluating them for mistakes, exaggerations, and self dealing.