OSINT isn’t Evidence, or Why InfoSec Needs To Take A Step Back
(Re-published from Medium.com | Dec. 4, 2017) The ForeignPolicy.com headline read “Feds Quietly Reveal Chinese State-Backed Hacking Operation.”
But that headline is misleading because the indictment issued by the U.S. Attorney’s office in Western Pennsylvania didn’t name the Chinese government at all. It only named three employees of the Guangzhou Bo Yu Information Technology Company Limited (Boyusec).
“The indictment makes no allegations regarding state sponsorship,” said Justice Department spokesman Wyn Hornbuckle, who added that prosecutors only “included the allegations that we are prepared to prove in court with admissible evidence.”
Elias Groll, who wrote the article, apparently questioned why the DOJ didn’t include the Chinese government like they did in the 2014 indictment that named five Chinese PLA officers, and which also came from the same U.S. Attorney’s office in Western Pennsylvania. Groll contacted FireEye’s John Hultquist and quoted from past research by RecordedFuture in support of his headline that directly refuted what the DOJ said.
So let’s be clear about the difference between what FireEye, RecordedFuture, and every other cyber security company put out in a commercial white paper designed to generate headlines and attract sales, and what the DOJ develops in order to get a conviction. Only one of those two things can properly be called “evidence.”
In 2014, I spoke with William C. Snyder, a former Assistant U.S. Attorney who served in the Western District of Pennsylvania and the District of Columbia and who today is a professor at Syracuse University’s College of Law. My question for him at that time was what a cyber intelligence report must deliver in order for an AUSA to pursue an indictment with the intent to prosecute. Here is an excerpt of his response to me.
First, the report by the non-government company is hearsay and is not admissible in court to prove any of the findings in the report. What the U.S. Attorney will be looking for in the report is a path to admissible evidence.
Here is a simple example. Guy opens Yahoo email accounts in names of boss who fired him and cop who arrested him. Guy sends emails from both accounts to the White House, threatening to blow it up. Desk at White House snags both emails and finds that they came from same IP.
For USSS, I issue on behalf of a grand jury a subpoena to the cable company for basic subscriber info for that IP. It comes back to a static IP for an account in the name of Joe Defendant at the address of his house. Ready to indict? No.
Agents interview ex-boss and cop. Both deny sending emails to White House and both have had run-ins with Mr. Defendant.
Agents interview postal carrier and neighbors. Mr. Defendant lives at the house with his wife and small child. Interviews continue, and local pastor and others indicate that wife and child were at church at the time emails to White House were sent. I take agents to a judge, who issues search warrant for Mr. Defendant’s house and computers …