Cybersecurity professionals are fond of saying that there are two kinds of companies: those that have been hacked and those that don’t yet know they’ve been hacked. Right now, the Republican National Committee appears to fall into a new category: an organization that refuses to acknowledge that it’s even vulnerable.
The CIA, in reporting on Russia’s intervention in the presidential election, determined that the RNC had been breached by Russian hackers during the election, but none of the information stolen from the party had been released, the New York Times reported. Following this report, RNC Chairman Reince Priebus, soon to become White House chief of staff, insisted in two television interviews that “the RNC was not hacked.” He apparently based this analysis on the fact that the FBI had previously reviewed the RNC’s systems, as well as on the evidence provided by the “hacking detection systems” that the RNC has in place.
Anyone who confidently, categorically denies that his organization’s computer systems have been breached is either flat-out lying or dangerously delusional. The best-case scenario is the former: If the RNC is, in fact, aware that there are vulnerabilities in its systems (as there undoubtedly are) and is paying attention to whatever evidence the CIA has provided of breaches, then Priebus’ statements could amount to a (perhaps misguided) PR strategy, intended to reassure the public and deter other would-be attackers. (As a general rule, though, boldly claiming that you have never been hacked and trumpeting your infallible “hacking detection systems” is perhaps not the best way to deter potential intruders.)
But if Priebus is telling the truth—if he really has such blind faith in the technical tools that the RNC uses to detect intrusions, and refuses to believe, despite any evidence to the contrary, that those tools could possibly be evaded or that any deeper investigation could reveal things that previous ones had missed—then that’s much worse news. To proudly announce to the world not only that your security monitoring tactics have failed to prevent intrusions detected by other parties but also that you absolutely will not, under any circumstances, ever second-guess or investigate further beyond those tactics is to be ludicrously ignorant of how fallible such tools are.
From a cybersecurity standpoint, the best thing to hope for in a person running a powerful organization—whether it’s a political party or the White House—is someone who will be constantly searching for evidence of breaches and intrusions, someone who understands that the failure to find that evidence is a sign of a weak defense posture, not an absence of adversaries. Blind faith in the protective powers of technical tools is never a good sign—nor is the philosophy that no breach has occurred unless the stolen information has surfaced somewhere else, conclusively confirming a theft.
Many data breaches—especially those directed at governments for the purposes of espionage—do not result in public revelations of stolen information. The only reasons to reveal that you have successfully stolen data are to sell that data, to publicly humiliate or hurt the victims by influencing public opinion, or to extract a ransom from the victims. Often, incidents of political and economic cyberespionage are not motivated by any of these reasons, and the perpetrators therefore sit on their stolen data, quietly using it for their own purposes or waiting until it becomes useful.
Obviously, it’s easier to deny breaches that have no public component and harder to prove definitively that they’ve occurred. But just because the data stolen from the U.S. Office of Personnel Management has not been sold or published online does not mean that breach did not occur, or that it doesn’t matter, or that we should not be thinking about what we can learn from it and how we can better protect government agencies’ networks.
But to do that, you have to be willing to accept that some breaches are determined based on overwhelming evidence, absent any public announcement or confirmation by the perpetrators. Attackers often bypass technical defenses and protection mechanisms, and a slower, more in-depth investigation performed by more sophisticated analysts can reveal things an initial investigation may have missed; the fact that “evidence” of a hack hasn’t been found by the RNC is something to be concerned about, not something to brag about on national television. It’s the kind of thing you brag about when you want to advertise to adversaries not only how poor your network monitoring tools are but also how much false confidence you have placed in them. A government that refuses to accept or believe forensic evidence of data breaches is likely to be a very appealing—and very easy—target.