Mandiant’s China Hacking Claims Draw Criticism
Maybe it wasn’t China. Maybe it was, but suppose it wasn’t. That’s the reaction of at least one computer security consultant to yesterday’s blockbuster report from the security firm Mandiant, which accused a unit of China’s People’s Liberation Army of carrying out a series of hacking attacks against companies in the U.S., Canada, the U.K. and elsewhere over a series of years.
Jeffrey Carr, CEO of Taia Global, writes today in a blog post that he thinks Mandiant’s report is full of holes.
“In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage,” he writes. “My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges — that there are multiple states engaging in this activity; not just China.”
Carr explains that Mandiant’s report doesn’t include a thorough analysis of alternative explanations, the purpose of which would be to exhaust the alternatives and thus narrow down the range of possible conclusions. He says that intelligence agencies like the Central Intelligence Agency routinely engage in a vetting process known as Analysis of Competing Hypotheses (ACH). This is something, Carr argues, that Mandiant didn’t do. Thus its rather explosive allegation isn’t ironclad.
“This [ACH] is rarely if ever done by information security companies, and it’s the single biggest objection that I have when it comes to individuals making claims of attribution to nation states,” he writes.
There are, Carr notes, more than 30 countries that have military hacking capabilities who may or may not have the capabilities noted by Mandiant. Also, one of Mandiant’s primary claims has to do with the attacks being traced to a certain area of outer Shanghai, an area where there are a lot of people and a lot of computers. And if the attackers are indeed in China, why wouldn’t they take greater care to cover their tracks?
In the academic world, research papers go through a process called peer review before they’re published. Carr suggests that Mandiant’s report should be subjected to the same thing. He suggests that students at the Mercyhurst College Institute of Intelligence Studies (Mercyhurst, in case you didn’t know, is sort of a feeder school for the intelligence community) take Mandiant’s findings and run them through a thorough review.
“If you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding,” he writes. “Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.”
