A common social media refrain in technology circles is the complaint of becoming “too political” – that content producers should focus on technical or professional subjects while avoiding charged, politically-tinged areas. This sentiment has always rung somewhat hollow to me, as the concept of the political can be viewed as any public conflict which creates a distinction of “friend” and “enemy”. This concept can be as implicitly violent as a Hegelian dialectic or as classically liberal and constructive as Habermas’s communicative action. In either case, much of public discourse becomes an inherently political act as it delineates opposing sides and views ranging from the notional and philosophical to the more visceral and personally impactful.
Under this conception, cyber threat intelligence (CTI) – especially when entering into the public sphere of discourse – undoubtedly becomes a politically discursive act. Often this is masked through technical language, feigned objectivity, and deadpan assessment, but occasionally an example emerges that lowers the mask of impartiality just enough to reveal the politically charged views underneath.
Such is the case with a recent public intelligence assessment from Chinese security vendor Qihoo 360. The report describes activity targeting Venezuelan government and military interests, but does so in a colorful manner to say the least:
While the language in the above passage may be an artifact of translation from Chinese to English, the use of terms such as “reactionary government” and emphasis on APT-C-43’s “political background” is quite striking. Certainly the situation in Venezuela remains distressing and unsettled, but this very partisan – and political – language within a technical threat report is shocking compared to typically anodyne reporting from CTI providers. Given Qihoo 360’s perceived links to the Chinese state, adopting this line in the Venezuelan conflict is unsurprising as China remains one of the steadfast supporters of the Maduro regime clinging to power.
Our initial, visceral reaction to a report using language such as the above is that it is at minimum unprofessional. Further thought may dwell on Qihoo 360’s links to Chinese state interests and possible requirement to echo Chinese Communist Party (CCP) positions. Yet truly dispassionate analysis of Qihoo’s work in this case – along with other operations such as claims concerning US-sponsored cyber operations – will identify the example as being merely an extreme value on a continuum of politically-shaded activity within the realm of CTI reporting.
As a one-party authoritarian state run by the CCP, Chinese entities such as Qihoo will face unique pressures in their work to echo (or at least not violate) party line stances. Yet what is overt in China may also occur in other regions albeit far more discreetly, and shaped more by access to contracting dollars from government entities than explicit censorship. A quick look at major US-domiciled firms shows entities such as FireEye, CrowdStrike, and Dragos receiving federal funds for contracts, grants, or other items. On its face such activity may seem like simply good business sense given the massive amount of federal money available for cybersecurity services and products. But such relationships can foster a closeness that may yield more problematic arrangements, such as this observation from 2018 when documenting FireEye CEO Kevin Mandia’s comments to the Cyber Threat Intelligence Forum:
“We find malware that sometimes has a time to live and then it doesn’t run anymore. I wonder who would do that... Probably [the U.S.] because we’re the nicest hackers in cyberspace, besides maybe China… We see guardrails on malware from nations like the United States, but do we see guardrails on malware from Russia? No.”
The use of the term “we” in this instance as well as value statements implying greater care (or justification) in operations for US cyber entities can be viewed as extremely problematic. However, I think such a view is too much hand wringing over simply making an assumption explicit: the production and dissemination of threat intelligence (especially in widely public form) is an inherently political act, with political repercussions. FireEye or any other US-based company taking some action such as disclosing an active US counter-terrorism cyber campaign (which Russia-based Kaspersky did in 2018) would almost certainly face repercussions in terms of future contract awards and access to information (through sharing arrangements) and other penalties.
Note: this is a hypothetical assessment as we do not (publicly) know the consequences of crossing the US government for US-based or -operating entities. Kaspersky, Qihoo, and similar entities were already banned or not seriously considered for federal work, so it remains possible (if unlikely in my assessment) that such actions would have no repercussion or impact whatsoever.
Yet even moving away from inherently controversial subjects such as counter-terrorism operations or US-China relations, information security actions and CTI especially are rife with political implications. One need look no further than the 2016 Democratic National Committee breach, its public documentation by CrowdStrike, and subsequent political fallout for an excellent example. There are many cases of bad-faith, uninformed “takedowns” of CrowdStrike’s analysis despite subsequent US government documentation supporting the company’s claims – yet the very act of publishing the results of a high-profile, very significant incident response engagement can be construed as political in that it immediately took place in a very active, divisive US political discourse.
This represents an extreme example as it touches directly upon the political process, but at the same time it serves as a highlight for how CTI reporting inherently addresses political subjects. At minimum, CTI reporting contains an adversary – that entity responsible for the actions documented. That an adversary exists already places us within the realm of Schmittian conceptions of politics, but when this is further extended to cover how such adversaries are often representatives or actors on behalf of some nexus of state power, the connection becomes even more explicit. A report emphasizing Russian or Chinese state interests breaching private organizations for intellectual property theft certainly serves a purpose to inform stakeholders and defenders, but it also is a political action casting the malicious actors as thieves versus the virtuous, blameless owners of such intellectual property. The victim-perpetrator dichotomy as it overlays upon state relationships (which extends even to criminal realms as most reporting emphasizes the “foreign” nature of most cyber criminal operations relative to their victims) calls out the fundamentally political assessments made in CTI disclosures.
By wading into a field of opposing state (and non-state) interests, CTI providers interject themselves into a realm full of political implications – yet somehow feel that a dispassionate recital of facts (which seldom is the case, with the Qihoo report serving as an extreme example) allows for a shade of neutrality. Ultimately, the ecosystem of “Western” (plus Japan) security companies has implicitly aligned against Chinese, Russian, Iranian, North Korean, and related criminal interests. Their reporting, even when couched in weasel words such as “related to APT28” or “assessed by the US government as related to Russian state interests”, nonetheless details fundamental operational behaviors and fingerprints related to the entities in question.
Attempting to remain aloof from the fray by making spurious claims such as “we don’t do attribution” can be construed as cowardice at best given the political implications of even a neutral assessment, and cynicism at worst when such entities are primarily worried about limiting their access to certain government procurement vehicles or national market access. While it may seem disconcerting, engaging in CTI reporting is an inherently political act in that we embrace a viewpoint (that of an intrusion victim) opposed to the entity responsible for a given breach – either a state-controlled or -sponsored entity, or a criminal entity operating with impunity within a given state. Shying away from the implications of CTI reporting is intellectually disingenuous and only serves to muddle messaging by attempting to navigate some artificial, non-existent “middle ground”.
Rather than feign objectivity, CTI providers should instead broadcast their own political stance in conjunction with their reporting. In examples such as the Qihoo report, this would be simply aping the policies of the CCP. In situations allowing for greater freedom, this could be expressed through meaningful mission statements such as outright decrying any and all intrusions into civilian infrastructure, or emphasizing support for basic liberal-democratic principles and their implications. But such statements must be followed through with action not just in terms of words and publication, but contracts and commitments as well.
Ultimately, many entities within the CTI space attempt to occupy some notionally objective middle ground, when such space simply does not exist. Instead, every action within the CTI and even the information security space writ large has inherently political overtones. Rather than shying from such responsibilities and implications, organizations must recognize them and decide where their values truly exist. Failure to do so will only result in continued, pseudo-objective, semi-rationalist reporting on items that have meaning far beyond the bits and bytes of technical details.