Thursday, February 28, 2019

RAND Paper: Qualitatively

A new RAND paper came out this morning at 0-dark-thirty on the benefits and issues, for the USG, of private sector attribution of cyber activity, which is a weird way to frame the topic. Read it here. A few things stuck out at me when I read the paper. The first is that the conclusion says exactly nothing, which is not a good sign. To quote it in full below:

After analysis and reflection, we believe that the private sector provides valuable capabilities that augment and support USG interests regarding investigation and attribution of malicious cyber activity. The capabilities and reach of the private sector are obviously strong and broad, and it offers additional information and insights that can bolster existing USG capabilities to detect and manage nation-state and criminal threats.
Specifically, there are opportunities for increased collaboration between public and private sector that can (and should) leverage personal relationships between former colleagues. And there may be more opportunities for more formal, structured, or frequent interactions. However, as was mentioned during our interviews, a collaboration that is too close or structured could well backfire. And so careful and thoughtful, but deliberate interactions will likely produce the best results for detecting and managing malicious cyber activity directed toward U.S. persons and businesses.
Here is an alternative conclusion: Google, FireEye, and Crowdstrike are both more trusted and better at cyber domain attribution than the US Government ever will be. It is almost certain that the future of this space for the USG is to feed information to private companies and let them do the heavy lifting on both the attribution and deterrence side.

The other major issue with the paper is the approach of asking fifteen experts in a survey what they think, writing that down, and then attempting to draw metrics out of it, as detailed on page 15.

Expert Interviews
In order to better understand the significance that the growing capability of private sector attribution may have for the USG, we performed qualitative research by interviewing 15 senior subject matter experts to explore 4 main topics
I love that phrase "qualitative research" because THAT'S NOT A THING. I don't understand how anyone designs a paper like that in 2019. Half the paper is discussing what those 15 SSMEs said, which might have made an interesting Washington Post article with unnamed sources, but is not a whitepaper.

Part of the issue when looking at attribution is that trust is often more about personal reputations than institutional reputations. This is why nobody cares what any particular Government agency says (especially today), but if Rob Joyce or Alex Stamos puts their name on it, they pay attention. And it's not especially relevant when a government issues an attribution note if that information doesn't change anything, except for a cyber insurance company that wasn't going to pay out for an incident anyway, or as a speaking indictment for a group of contractors in Russia who now just can't come to DefCon.