Within Motive
Why 'I Only Looked' Is Not Enough
After an unknown login, defenders must assume risk until they know what was accessed, changed or left behind.
Introduction
One of the most persistent misunderstandings in the Gary McKinnon debate is the idea that an unauthorised login becomes relatively harmless if the intruder only viewed information and did not deliberately steal, alter or destroy anything. In sensitive networks, especially military, government and space-agency systems, that assumption does not hold. The security problem begins the moment an unknown person gains access, because defenders cannot immediately know what was seen, copied, changed, planted or prepared for later use. The resulting uncertainty creates costs of its own.
This is why cyber-security professionals, incident responders and defence organisations do not evaluate intrusions solely by the intruder’s stated motive. Whether the explanation is espionage, profit, curiosity or a search for UFO evidence, the organisation that discovers the breach must treat it as a potential compromise until an investigation proves otherwise. That principle helps explain why the “I only looked” defence carries little weight inside sensitive networks. [NIST Publications]
Uncertainty Is a Security Consequence
The central problem is not simply what an intruder admits doing. It is what defenders cannot safely rule out.
When an unknown user enters a network, investigators initially face several unanswered questions:
- Which systems were accessed?
- Which files were viewed?
- Were credentials copied?
- Were logs altered?
- Was software installed?
- Was information transferred elsewhere?
- Was access preserved for later use?
Even if the intruder insists that nothing harmful occurred, security teams cannot rely on that claim. They must reconstruct events from logs, forensic evidence and system records. In many cases, that reconstruction is incomplete because logging may be limited, records may have been overwritten, or the intrusion itself may have affected evidence. NIST’s incident-response guidance therefore treats unauthorised access as a security incident requiring analysis, containment and investigation rather than as a harmless curiosity event. [NIST Publications]
This uncertainty is especially important in the McKinnon case because the disputed issue was never simply whether he believed he was searching for UFO-related information. The systems involved allegedly belonged to the US Army, Navy, Air Force, Department of Defense and NASA. From a defender’s perspective, an unknown individual inside such networks must be treated as a potential threat regardless of motive. [Department of Justice]
A useful comparison is a stranger found inside a secure military facility. Even if the person later claims they were merely looking around, security staff cannot immediately know whether photographs were taken, keys copied, equipment tampered with or information gathered. The uncertainty itself triggers a response.
Why Investigation Costs Appear Even Without Proven Theft
Many readers assume that cyber damage means deleted files or broken systems. In reality, a large share of the cost often comes from determining whether those things happened.
Incident-response frameworks require organisations to investigate suspicious access, preserve evidence, analyse affected systems and determine the scope of compromise. That work consumes staff time, specialist expertise and operational resources even before any direct damage is confirmed. [NIST Publications]
In sensitive environments, investigators frequently need to:
- Review authentication records.
- Examine affected machines.
- Analyse network activity.
- Compare system states against known baselines.
- Determine whether privileged accounts were exposed.
- Verify the integrity of critical data.
These activities are necessary because a network owner cannot responsibly assume that an unauthorised visitor behaved exactly as claimed. NIST’s guidance emphasises detection, analysis, containment and recovery precisely because organisations must establish what actually happened rather than accept assumptions. [NIST Publications]
For that reason, an intrusion can generate substantial operational costs even when the ultimate conclusion is that little information was taken.
Forensics, Rebuilding and Credential Resets
One of the least visible consequences of unauthorised access is the possibility that credentials have been exposed.
A login account is valuable because it can provide future access. If investigators cannot prove that passwords, authentication files or administrative credentials remained untouched, they may need to assume compromise and replace them. Modern incident-response guidance frequently recommends credential resets and related protective measures when unauthorised access is suspected. [CISA, Exabeam, Enzoic]
That process can become extensive in large organisations. Passwords may need to be changed, privileged accounts reviewed, access rights revalidated and monitoring increased. Systems may require rebuilding or reimaging to ensure no hidden software remains.
The key point is that these actions occur because defenders lack certainty. A security team cannot confidently say, “The intruder only looked,” unless it can prove exactly what happened. Until then, protective measures are often necessary regardless of the intruder’s stated intentions. [NIST Publications, csf.tools]
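The investigative steps listed under “Why Investigation Costs Appear Even Without Proven Theft” (review authentication records, examine affected machines, compare system states against baselines, determine whether privileged accounts were exposed) and the credential-reset reasoning in this section can be shown as one small triage routine. The Python below is an added example written for this page; it is not code from the page’s author, from NIST or from CISA. Every log line, host name, address, allow-list, file hash and account name in it is constructed for illustration, and the one-hour “log gap” threshold and the policy of treating every account that authenticated on an affected host as exposed are assumptions made here, not quoted guidance.

```python
"""
Triage of an unexplained login: scope, evidence gaps, baseline drift, resets.

All inputs below are constructed sample data (not real systems or logs).
Assumed conventions: simplified syslog-style sshd/sudo lines, an allow-list of
expected source addresses, a SHA-256 file baseline and a set of privileged
accounts. None of these come from the article; they exist only for the demo.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed auth log, simplified "<iso-timestamp> <host> <process>: <message>".
AUTH_LOG = [
    "2024-05-01T08:00:01 hostA sshd: Accepted password for alice from 10.0.0.5",
    "2024-05-01T08:05:10 hostA sshd: Accepted password for svc_backup from 198.51.100.7",
    "2024-05-01T08:06:00 hostA sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T08:07:30 hostB sshd: Accepted publickey for svc_backup from 198.51.100.7",
    "2024-05-01T08:08:00 hostB sudo: svc_backup : COMMAND=/usr/bin/cat /etc/shadow",
    # Six hours of silence on hostB before activity resumes: rotated, disabled, or wiped?
    "2024-05-01T14:10:00 hostB sshd: Accepted password for bob from 10.0.0.9",
]
KNOWN_SOURCES = {"10.0.0.5", "10.0.0.9"}      # constructed allow-list of expected origins
PRIVILEGED_ACCOUNTS = {"root", "svc_backup"}   # constructed

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$")


def parse_auth_log(lines):
    """Turn raw lines into event dicts; unparseable lines are skipped, not guessed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "proc": m["proc"],
              "msg": m["msg"], "user": None, "src": None, "result": None}
        lm = LOGIN_RE.match(m["msg"])
        if lm:
            ev.update(user=lm["user"], src=lm["src"], result=lm["result"])
        elif m["proc"] == "sudo":
            ev["user"] = m["msg"].split(" : ")[0].strip()
        events.append(ev)
    return events


def intrusion_scope(events, known_sources):
    """Which systems and accounts were touched by sessions from unexpected origins."""
    hits = [e for e in events if e["result"] == "Accepted" and e["src"] not in known_sources]
    hosts = sorted({e["host"] for e in hits})
    accounts = sorted({e["user"] for e in hits})
    commands = [e["msg"] for e in events
                if e["proc"] == "sudo" and e["host"] in hosts and e["user"] in accounts]
    return {"hosts": hosts, "accounts": accounts, "commands": commands}


def log_gaps(events, max_gap=timedelta(hours=1)):
    """Per-host silences longer than max_gap: evidence may be missing or altered there."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        gaps += [(host, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
    return gaps


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed baseline vs. current file hashes (stand-ins for a real integrity baseline).
BASELINE = {"/etc/ssh/sshd_config": sha256_hex(b"# constructed baseline config\n"),
            "/bin/ls": sha256_hex(b"constructed ls bytes")}
CURRENT = {"/etc/ssh/sshd_config": sha256_hex(b"# constructed modified config\n"),
           "/bin/ls": sha256_hex(b"constructed ls bytes"),
           "/usr/local/bin/updater": sha256_hex(b"constructed new binary")}


def changed_files(baseline, current):
    """Paths whose hash differs, appeared, or disappeared relative to the baseline."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))


def accounts_to_reset(events, known_sources, privileged):
    """Assumed policy: every account that authenticated on an affected host is treated as
    exposed, and privileged accounts merely targeted there are reset as well."""
    scope = intrusion_scope(events, known_sources)
    reset = set()
    for e in events:
        if e["host"] not in scope["hosts"] or e["user"] is None:
            continue
        if e["result"] == "Accepted" or e["proc"] == "sudo":
            reset.add(e["user"])
        elif e["result"] == "Failed" and e["user"] in privileged:
            reset.add(e["user"])
    return sorted(reset)


def triage_report():
    events = parse_auth_log(AUTH_LOG)
    return {"scope": intrusion_scope(events, KNOWN_SOURCES),
            "log_gaps": log_gaps(events),
            "changed_files": changed_files(BASELINE, CURRENT),
            "reset_accounts": accounts_to_reset(events, KNOWN_SOURCES, PRIVILEGED_ACCOUNTS)}


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

The point the routine makes is the article’s: the intruder’s single login from 198.51.100.7 produces a reset list of four accounts, a six-hour evidentiary hole on hostB and two drifted files that must each be explained, whether or not anything was in fact taken.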
Why Defence Networks Cannot Assume Curiosity
The McKinnon story is often discussed through the lens of UFO beliefs, but defence organisations face a different problem. They cannot distinguish a curious seeker from a hostile actor simply by observing an unauthorised login.
The same techniques used by someone searching for hidden information could also be used by:
- Foreign intelligence services.
- Criminal groups.
- Saboteurs.
- Future ransomware operators.
- Individuals preparing later attacks.
At the moment of discovery, defenders usually do not know which category applies. Consequently, security procedures require them to treat the event as potentially serious until evidence suggests otherwise. This logic is reflected across government and critical-infrastructure incident-response practices, which emphasise rapid investigation, containment and assessment of risk following unauthorised access. [CISA, Internet Crime Complaint Center]
That is particularly true where national defence systems are concerned. The potential consequences of underestimating an intrusion are so large that organisations are incentivised to assume risk first and reduce that assessment only after investigation.
The Lesson Behind the McKinnon Debate
The enduring significance of the McKinnon case is not simply the dispute over UFO motives. It is the gap between how an intruder may view an action and how a network owner must respond to it.
A person who believes they are merely searching for information may see their conduct as passive observation. Security professionals see something different: an unauthorised actor whose capabilities, intentions and activities are not yet known. That uncertainty forces investigations, forensic work, credential reviews and operational disruption. In sensitive networks, those consequences arise before anyone can determine whether information was stolen or systems were damaged.
For that reason, “I only looked” is not a complete answer in cyber-security. The problem is not just what the intruder remembers doing. The problem is that defenders must establish what happened independently, and until they do, they must assume that the network may have been compromised. [csf.tools, NIST Publications]
Endnotes
- Source: nvlpubs.nist.gov
  Link: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
  Snippet: NIST Publications · Computer Security Incident Handling Guide · April 3, 2025 — by P Cichonski · Cited by 799 — Computer security incident resp...
  Published: April 3, 2025
- Source: nvlpubs.nist.gov
  Title: SP.800 61r3
  Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
  Snippet: NIST Publications · NIST.SP.800-61r3.pdf · by A Nelson · 2025 · Cited by 79 — This publication seeks to assist organizations with incorporating...
- Source: csf.tools
  Link: https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rs/rs-an/rs-an-3/
  Snippet: RS.AN-3: Forensics are performed · NIST Cybersecurity Framework v2.0: RS.AN-03: Analysis is performed to establish what has taken place du...
- Source: justice.gov
  Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
  Snippet: Department of Justice · London, England Hacker Indicted Under Computer Fraud... One count charges McKinnon with accessing and damaging witho...
- Source: justice.gov
  Title: Department of Justice British National Charged with Hacking Into N.J
  Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict2.htm
  Snippet: seven-count Virginia Indictment charges McKinnon for intrusions into 92 computer systems belonging to the U.S. Army, Navy, A...
- Source: cisa.gov
  Link: https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise
  Snippet: CISA Releases Guidance on Credential Risks Associated... Apr 16, 2025 — CISA recommends the following actions to reduce the risks ass...
- Source: enzoic.com
  Link: https://www.enzoic.com/blog/compromised-microsoft-accounts/
  Snippet: CISA Warns of Compromised Microsoft Accounts · The directive mandates agencies to probe potentially impacted emails, reset any compromised c...
- Source: exabeam.com
  Link: https://www.exabeam.com/explainers/insider-threats/compromised-credentials-causes-examples-and-defensive-measures/
  Snippet: ...ss to a system by using valid login credentials...
- Source: cisa.gov
  Title: federal incident notification guidelines
  Link: https://www.cisa.gov/federal-incident-notification-guidelines
  Snippet: Federal Incident Notification Guidelines · Apr 1, 2017 — This document provides guidance to Federal Government departments and agencies...
- Source: justice.gov
  Link: https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_indictment.pdf
  Snippet: Indictment · Defendant GARY MCKINNON was an unemployed computer system administrator... The computers accessed and damaged by the defendant...
- Source: cisa.gov
  Link: https://www.cisa.gov/
  Snippet: Home Page · Threat actors are abusing enterprise, cloud, and DevOps tools to gain unauthorized access and exfiltrate sensitive data. R...
- Source: cisa.gov
  Link: https://www.cisa.gov/stopransomware/ransomware-guide
  Snippet: StopRansomware Guide · Create, maintain, and regularly exercise a basic cyber incident response plan (IRP) and associated communications pla...
- Source: cisa.gov
  Link: https://www.cisa.gov/topics/cybersecurity-best-practices
  Snippet: Cybersecurity Best Practices · CISA provides information on cybersecurity best practices to help individuals and organizations implement pre...
- Source: time.com
  Title: hack attack 2
  Link: https://time.com/archive/6943962/hack-attack-2/
  Snippet: Hack Attack · 30 Jul 2008 — 2001 and March 2002 McKinnon hacked into 81 U.S. armed forces computers and another 16 belonging to NASA, compro...
- Source: GOV.UK
  Title: latest on gary mckinnon case
  Link: https://www.gov.uk/government/news/latest-on-gary-mckinnon-case
  Snippet: ...on Gary McKinnon case · 4 Nov 2010 — Mr McKinnon is accused by US authorities of the unauthorised access of 97 government computers concerne...
- Source: ic3.gov
  Title: Internet Crime Complaint Center #StopRansomware Guide
  Link: https://www.ic3.gov/CSA/2023/230523.pdf
  Snippet: Internet Crime Complaint Center · #StopRansomware Guide · May 23, 2023 — Securing networks and other information sources from continued credent...
  Published: May 23, 2023
- Source: Wikipedia
  Title: Gary McKinnon
  Link: https://en.wikipedia.org/wiki/Gary_McKinnon
  Snippet: Gary McKinnon · Gary McKinnon (born February 1966) is a Scottish systems administrator and hacker who was accused by a US prosecutor in 2...
Additional References
- Source: idmanagement.gov
  Link: https://www.idmanagement.gov/playbooks/pam/
  Snippet: Privileged Identity Playbook · This Privileged Identity Playbook is a practical guide to help federal agencies implement and manage a privil...
- Source: portnox.com
  Link: https://www.portnox.com/resources/compliance/cisa/
  Snippet: CISA Cybersecurity Compliance with NAC and ZTNA · By identifying compromised devices or unauthorized access attempts, NAC supports the incid...
- Source: frsecure.com
  Link: https://frsecure.com/compromised-credentials-response-playbook/
  Snippet: Compromised Credentials Response Playbook · This response guide gives you step-by-step help in the event of a compromised credentials incide...
- Source: standard.co.uk
  Link: https://www.standard.co.uk/hp/front/crucial-evidence-goes-missing-in-hacker-case-6841040.html
  Snippet: Crucial evidence goes missing in hacker case · Important evidence in the case of Gary McKinnon, the north London geek who hacked into the Pe...
- Source: eccouncil.org
  Link: https://www.eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-response-life-cycle/
  Snippet: NIST Incident Response Life Cycle in Cybersecurity · Learn the NIST incident response process with EC-Council. Understand key incident respo...
- Source: medium.com
  Link: https://medium.com/%40viresh.garg/ir-playbook-ii-regaining-control-containing-and-assessing-the-impact-of-a-compromised-super-249ed2af45e9
  Snippet: IR Playbook-II: Regaining Control, Containing, and... This white paper addresses the urgent steps required to regain control over a compr...
- Source: eckertseamans.com
  Link: https://www.eckertseamans.com/legal-updates/cybersecurity-and-infrastructure-security-agency-cisa-proposed-cyber-security-incident-reporting-requirements
  Snippet: Cybersecurity and Infrastructure Security Agency (“CISA”)... Sep 19, 2024 — A proposed rule that requires certain covered entities operat...
- Source: searchinform.com
  Link: https://searchinform.com/articles/compliance/frameworks/nist/nist-incident-response/
  Snippet: NIST Incident Response Framework: Complete Guide · This framework aims to assist organizations in crafting and executing effective incident...
- Source: quorumcyber.com
  Link: https://www.quorumcyber.com/insights/seven-steps-to-take-in-the-event-of-a-valid-account-compromise/
  Snippet: · Enable two-factor authentication (2FA). · Check for unauthorised activity: After changing your password and enabling 2FA, check for any...
- Source: youtube.com
  Link: https://www.youtube.com/watch?v=srBiwc9x6dU
  Snippet: Understanding Indicators of Compromise · An indicator of a compromise is basically a clue or a forensic artifact that can be used to indicat...