How Should U.S. Respond to Sony Breach?
Weighing in On How U.S. Should Retaliate Against North Korea
President Obama last week, citing an FBI investigation, said the North Korean government was behind the hack against Sony Pictures Entertainment and that "we will respond proportionately, and we will respond in a place and time and manner we choose."
But the U.S. government's proportionate response to the Sony cyber-assault must be done cautiously.
"Saber rattling over an incident that affects a U.S. company, a subsidiary of a Japanese company, I think frankly is ill-advised," says Jim Harper, a senior fellow at the libertarian think tank Cato Institute.
The U.S. government declines to say whether the nearly half-day Internet outage in North Korea on Dec. 22 was the United States retaliating for the Sony hack (see Who Disrupted Internet in North Korea). "We aren't going to discuss publicly operational details about the possible response options or comment on those kind of reports in any way except to say that as we implement our responses, some will be seen, some may not be seen," says State Department spokeswoman Marie Harf.
The government's retaliation for a hack of an entertainment company, if and when it comes, must be measured and not as strong as a response to an attack on a critical-infrastructure enterprise, such as an Internet service provider or energy company, says Chris Bronk, a University of Houston academic and former diplomat who studies the intersection of cybersecurity and international politics. "This is not a target that merits the full sweeping response of Homeland Security or Cyber Command," he says.
Balancing Act
And any retaliation aimed at North Korea, which has nuclear weapons, must avoid escalation, says Allan Friedman, research scientist at George Washington University's Cybersecurity Policy Research Institute. "A response that is perceived as too weak could drive further action if interpreted as a failure of American resolve, while a response that was very powerful could force North Korea's hand to respond in another, more dangerous domain to balance the scales," he says.
Adam Segal, Council on Foreign Relations digital and cyberspace policy program director, on the U.S. response to Sony attack.
White House Cybersecurity Coordinator Michael Daniel tells Politico that the U.S. government's response will "send a deterrence message to North Korea ... and others that might be tempted to follow the same path." Some of the response might be made public or "at least knowable to the North Koreans," he says. "We also may want to be able to just diminish their capacity to carry out these kind of attacks in the future, in which case we may not want them to know everything that we have done to do that."
Legal Justification
If North Korea is behind the attack, there's legal justification that would give the United States the right to retaliate. A nation-state attacking a business within another nation's borders constitutes an "internationally wrongful act," which would allow the attacked nation to take countermeasures, such as hack-back, says Michael Schmitt, chairman of the international law department at the U.S. Naval War College, writing in the online forum JustSecurity.org.
"It may still enjoy the right to conduct countermeasures, either because it is reasonable to conclude that the operation is but the first blow in a campaign consisting of multiple cyber-operations or based on certain technical rules relating to reparations," Schmitt writes. "It must be cautioned that the right to take countermeasures is subject to strict limitations dealing with such matters as notice, proportionality and timing. Moreover, they are only available against states and the prevailing view is that a countermeasure may not rise to the level of a use of force."
Schmitt says it would be illegal for Sony to conduct a hack-back.
Case Against Retaliating
But even if a nation has the right to retaliate, it doesn't mean it should.
Bruce Schneier, who has written extensively about cybersecurity policy, characterizes as "absurd" the retaliation for a cyber-attack against a non-critical infrastructure company, especially considering that the U.S. didn't retaliate when North Koreans axed to death an American Army officer during a 1976 incident over the cutting down of a tree in the Korean demilitarized zone. "Have we ever gone to war because one of our companies was inconvenienced or lost money?" asks Schneier, chief technology officer at Co3 Systems, a provider of incident response management systems. "This isn't terrorism, this isn't war; this is hacking. ... What is the threshold for our national response to a private hack?"
Cato's Harper, embracing his libertarian values, says a response from the government could weaken businesses' incentive to defend themselves against cyber-adversaries. "If the government steps in here to respond to Sony's problem for it, Sony and other companies will recognize that it's not necessary to secure their infrastructure; the government will fix things for them," he says. "Another way of phrasing it is: 'too-big-to-fail' type concept. If you are a big, interesting U.S. company, the government steps in and helps you. That's just the wrong message to send."
Defining Proportionality
Obama, in calling for a "proportional" response, didn't define the term. One response could be placing North Korea on a list of terrorist states, which could limit its financial dealings with other countries. Former House Speaker Newt Gingrich, in an article posted on CNN.com, suggests the United States confiscate North Korean ships until it pays triple damages to Sony and the theaters for the cost of the attack, which resulted in the cancelation of the movie "The Interview," a screwball comedy depicting the assassination of North Korean leader Kim Jong-un.
Retired Air Force Major General and former Cyber Command Operations Director Brett Williams, appearing Dec. 23 on MSNBC's Last Word with Lawrence O'Donnell, said other possible responses could include making it difficult for North Korea's elite to conduct financial transactions outside of their homeland or disrupting its military's command and control.
Regardless of the response, the impact on North Korea might be minimal. "All of the sanctions the West can apply have been exhausted," says Richard Stiennon, author of "Surviving Cyberwar" and chief research analyst at the advisory firm IT-Harvest. "Retaliation would be as bad as a spanking delivered by a frustrated parent. The recalcitrant child would only gain by the attention it garnered."