I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea …
… I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly. Perhaps the answer to the delay question, and another thing I am missing, is that the public attribution is part of a larger plan related to a planned attack on North Korea because of its nuclear threat. Bossert’s unconvincing op-ed and incoherent press conference wouldn’t support either interpretation; and if either interpretation is right, it still comes at a cost to general deterrence. But perhaps, surely, hopefully, there is more here than meets the eye.
This WannaCry attribution was a head-scratcher for me, too. Listeners of the late, lamented PVC Security podcast know that I am generally not a fan of attribution, or more specifically see only limited real-life usefulness for 97% of companies’ and individuals’ security. For governments, intelligence agencies, the military, and law enforcement there is more value, but how much value so far after the fact?
This piece by Jack Goldsmith lays out pretty much every issue I have with this plus provides something of a timeline for those for whom this is ancient history (in security terms, anyway).
Got a theory or opinion on this?