When your government greenlights criminal activities against their enemies it helps a lot. Many* cyber criminals act as mercs for hire, and are in fact hired for official government operations against the US.

It's simply not true that political boundaries don't factor in. They're a massive part - most obviously, consider extradition or whether the attacker's government will cooperate with the US.

* I say many, but it's really more like "it happens"; still, it feels important to point out.



I always thought it would be fun, if one had enough pull, to get a Letter of Marque and Reprisal issued to oneself snuck onto one of the giant omnibus bills that nobody in the Congress reads in its entirety before voting on it. It could easily be interpreted to cover cyberprivateering.


It is absolutely trivial for an attacker in the US or anywhere to make their ransomware attack appear to come from Russia (to someone who doesn’t know that).


I don't see how that's relevant to the incentives of foreign enemies attacking us. As I said, there are many. It basically stops being criminal activity.

Do you really think that's not the case, or that that isn't going to considerably skew where these attacks come from?


I think he's making the point that the attributions of "This came from <insert geopolitical enemy here>" are without any evidence. How exactly do you determine that a hack originated in Russia when Russian IPs will not hand over their traffic to US authorities? Just because a lot of illicit web traffic originates from Israeli servers, for example, does not mean that it originated in Israel. In reality, our cyber security agencies have no idea where these guys are coming from: it COULD very well be from Russia, sure, but it could also be from your neighbor next door who VPN'd in through a chain of servers starting in France and ending in Mali.


> I think he's making the point that the attributions of "This came from <insert geopolitical enemy here>" are without any evidence.

Badly, I guess, because no one has mentioned evidence or a lack of evidence anywhere in the thread.

> How exactly do you determine that a hack originated in Russia when Russian IPs will not hand over their traffic to US authorities?

There are a lot of different ways. GeoIP is just one method. Examining the artifacts for code reuse from other malware is another big one. Looking at the types of attacks is another, i.e.: "this malware uses these techniques, and these are favored by groups 1, 2, 3".

There's a lot more to it than that, and not all of it is public. I've seen attribution done through backdoor channels that were not strictly legal.

> In reality, our cyber security agencies have no idea where these guys are coming from

No, more often than not we definitely do.
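The comment above lists three classes of attribution signal (GeoIP of the infrastructure, code reuse between samples, and technique overlap with known groups), and the earlier comment objects that the IP alone is trivially spoofed through a chain of servers. The toy scorer below, an added example written for this thread and not code from any commenter, shows why the two views are compatible: GeoIP is kept as a low-weight signal, code reuse and TTP overlap carry the weight, and a sample whose C2 geolocates to one country but whose code and techniques match a group elsewhere is ranked accordingly. The GeoIP table, the group profiles, the technique IDs and the "fingerprints" are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Constructed GeoIP table (CIDR -> ISO country code). A real lookup would use
# a GeoIP database; these are documentation prefixes with invented countries.
GEOIP_TABLE: Dict[str, str] = {
    "198.51.100.0/24": "RU",
    "203.0.113.0/24": "FR",
    "192.0.2.0/24": "ML",
}


@dataclass
class GroupProfile:
    """Hypothetical threat-group profile: assumed country of operation, the
    techniques the group favours, and fingerprints of code it is known to reuse."""
    name: str
    country: str
    ttps: Set[str]               # e.g. ATT&CK technique IDs
    code_fingerprints: Set[str]  # e.g. hashes of reused functions or unique strings


@dataclass
class Sample:
    """Artifacts recovered from one intrusion."""
    c2_ips: List[str]
    ttps: Set[str]
    code_fingerprints: Set[str]


# Constructed group profiles; names, countries, TTPs and fingerprints are invented.
GROUPS: List[GroupProfile] = [
    GroupProfile("GroupA", "RU",
                 ttps={"T1486", "T1059.001", "T1021.002"},
                 code_fingerprints={"f_aes_x", "f_wipe_shadow", "s_note_v2"}),
    GroupProfile("GroupB", "FR",
                 ttps={"T1486", "T1566.001", "T1547.001"},
                 code_fingerprints={"f_rc4_y", "f_persist_run", "s_note_v1"}),
]


def geoip(ip: str) -> Optional[str]:
    """Linear scan of the toy table (prefixes do not overlap); None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two indicator sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score(sample: Sample, group: GroupProfile,
          w_geo: float = 0.2, w_code: float = 0.5, w_ttp: float = 0.3) -> Dict[str, float]:
    """Score one group against one sample: each component plus the weighted total.
    GeoIP gets the lowest weight because the last hop before the victim is
    whatever box the attacker chose to exit from, so alone it says little."""
    if sample.c2_ips:
        hits = sum(1 for ip in sample.c2_ips if geoip(ip) == group.country)
        geo = hits / len(sample.c2_ips)
    else:
        geo = 0.0
    code = jaccard(sample.code_fingerprints, group.code_fingerprints)
    ttp = jaccard(sample.ttps, group.ttps)
    return {
        "geoip": geo,
        "code": code,
        "ttp": ttp,
        "total": w_geo * geo + w_code * code + w_ttp * ttp,
    }


def attribute(sample: Sample, groups: List[GroupProfile] = GROUPS) -> List[Tuple[float, str]]:
    """Rank groups by total score, best first."""
    ranked = [(score(sample, g)["total"], g.name) for g in groups]
    return sorted(ranked, reverse=True)


# Constructed intrusion: the C2 geolocates to RU, but the code and the
# techniques line up with GroupB, so GeoIP alone would point the wrong way.
SAMPLE = Sample(
    c2_ips=["198.51.100.7"],
    ttps={"T1486", "T1566.001", "T1547.001"},
    code_fingerprints={"f_rc4_y", "f_persist_run", "s_note_v1"},
)

if __name__ == "__main__":
    for g in GROUPS:
        print(g.name, score(SAMPLE, g))
    print("ranking:", attribute(SAMPLE))
```

For the constructed sample, GroupA scores 0.26 (all of it from GeoIP plus one shared technique, T1486, which is ransomware encryption and hardly distinctive) while GroupB scores 0.8 on identical code fingerprints and techniques. The weights are arbitrary; the point is that a pipeline which only ever reaches the `geoip` component is the one the "chain of servers" objection defeats.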
