The outrage over the hack of Sony Pictures, and the widespread difference of professional opinion about who actually did it has neatly illustrated one of the biggest challenges for US military officials who spend their days thinking about cyberwarfare and its implications: How do you figure out who, precisely, is responsible for an attack and, equally important, what is the appropriate response?
“Though the FBI has seen a wide variety and increasing number of cyber intrusions,” the “destructive nature” of the attack made it particularly egregious, the agency statement said.
North Korea’s actions were intended to “suppress the right of American citizens to express themselves,” the statement notes. “Such acts of intimidation fall outside the bounds of acceptable state behavior.”
On Monday, the Internet-monitoring group Dyn Research reported broad Internet outages across North Korea, though the cause was not immediately known.
Interestingly, many cyber specialists still weren’t convinced that North Korea was the culprit in the Sony hack.
North Korea denied the attack, and yet they normally revel in poking the US in the eye, many cyber analysts point out.
Mark Rogers, who is part of a jury that decides who gets to present papers at DEF CON, the premier hacking conference, calls the FBI’s evidence “weak” and “at best, speculation.”
The FBI cites IP addresses matching those used in the past by North Korea, but proxy addresses “could be used by just about anyone” to hide their location, Mr. Rogers notes in a blog post.
This is a point that Pentagon officials, too, grapple with in the cyberwarfare realm. Former Deputy Secretary of Defense William Lynn noted as far back as 2010, for example, that “traditional arms control agreements would likely fail to deter cyber attacks because of the challenges of attribution, which make the verification of compliance almost impossible.”
In other words, “If you don’t know who to attribute an attack to, you can’t retaliate against that attack,” he said. “You can’t deter through punishment, you can’t deter by retaliating against the attack.”
The complexities of cyberwarfare even caused Mr. Lynn to lament the good old days of “nuclear missiles, which of course come with a return address.”
But in the several years since then, the Pentagon and the FBI have learned a few things, says James Lewis, a cyber expert and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington.
“The United States realized that figuring out who was doing an attack was going to be crucial to a defensive response and put immense capabilities into it,” he says. When it comes to attribution, North Korea, Iran, and China have become particular areas of focus for the US intelligence community, he adds.
This likely helped them determine that North Korea was the culprit in the Sony hack, Lewis says – a determination with which he concurs.
“You have people who have no trouble believing everything [former National Security Agency-employed leaker Edward] Snowden says about NSA surveillance of the American people, and yet they question” the FBI’s statements about North Korea carrying out the Sony attack.
“The USA spies on some people all of the time,” Lewis says. “North Korea is a place that gets lots of attention.”
But the threats that prompted theaters to refuse to release the Sony film that sparked the hack – namely, that North Korea would carry out a 9/11-style attack as a punishment for those who did – are more ridiculous, Lewis says.
“You can turn out lights and erase data, but no one can do a ‘cyber-9/11’ – not even us,” he says.
“The North Koreans are famous for making these bombastic threats – you can see them on YouTube – threatening to blow up L.A., New York, the White House,” he adds. “They love making these threats.”
The proper response to the hack, and these sorts of bombastic threats, is not a military or even an equivalent response, Lewis argues.
“I don’t think the Pentagon has a role here, but we need to send a message to North Korea that they can’t get away with it," he says. Pentagon officials tend to feel the same way.
“I mean, clearly if you take down significant portions of our economy we would probably consider that an attack,” Lynn said. “But an intrusion stealing data, on the other hand, probably isn’t an attack. And there are [an] enormous number of steps in between.”
To this end, US law enforcement agencies could bore into the front companies and criminal networks that support North Korean leadership by their funneling of hard currency into the country, he adds.
This might also involve pumping information into the country by decidedly less high-tech means. In a country so notoriously cut off from the Internet, it might involve DVDs smuggled in from China or “Voice of America” style broadcasts, letting North Koreans know that there is a movement from the rest of the world, through the United Nations, to bring their leadership to trial for war crimes.
“The fact that they respond so violently to attacks on their ‘dear leader,’ ” Lewis says, “also tells us exactly where we should be pushing."