It's a story more bizarre than any Hollywood script about out-of-control hackers, but it turns out the North Koreans actually were behind the hack against Sony Pictures.
President Obama said Friday that we will “respond proportionately and in a place and time and manner that we choose.” What this really means for now is that the administration will keep the issue quiet, continue the focus on Cuba, and allow DC to take a year-end vacation.
Mr. Obama’s punt is not a big surprise as there simply are no good options for responding to North Korea. How do you calibrate a “proportional response” when not countering a military attack but one that targets freedom of expression? How do you penalize a dangerous pariah state that might strike out even more dangerously and has been nearly undeterred from far more dangerous behavior?
To start with, the US government does not need to respond as if this is a cyberwar: no one has died from the digital assault on Sony (and it doesn’t appear that anyone has ever died from any cyber attack ever). And though it is tempting to unleash our own cyber forces, the seemingly mighty US Cyber Command is not likely to offer many promising options. If the assault were still continuing, then US military cyberattacks might have been able to disrupt the adversaries, but now the attack is over and the damage is done.
Likewise, it would be worse than useless for “proportional” to mean a law-enforcement investigation which may or may not result in an indictment, as the Department of Justice did against Chinese officers involved in corporate espionage. The Sony attack has gone beyond spying and needs a stronger response.
So in order to have a “proportional response,” the US must go beyond just an increase in sanctions and publicly release the specific evidence. Vague assertions won’t cut it. The US cannot create the global norms it wants by keeping information classified and only discussing the issues behind closed doors with diplomats, generals and spies.
If the last two administrations had been more public and transparent with those denunciations, such adversaries might feel less emboldened. It took 10 years for the US government to tell the Chinese that aggressive commercial espionage against companies was unwelcome, and despite leaking that Iran was responsible for denial-of-service attacks against US banks, the government never went public with the evidence or the allegations.
Better yet, Washington should learn from the response to past North Korean atrocities, such as in 2010 when a submarine torpedoed and sank the Cheonan, a South Korean naval corvette, an attack which killed 46 sailors. Then, a group of forensic and other experts examined all the evidence to produce a comprehensive report which helped cement the facts and Pyongyang’s responsibility. As described in a recent Atlantic Council report on cyber confidence-building measures, the US should convene a similar group to examine the Sony hack, perhaps led by a world-class technologist such as Internet-founders Vint Cerf or Steve Crocker.
Transparency of all sorts, and especially a public investigation, would be a strong step to prove that attribution is possible and help create stronger international norms.
In addition to transparency, the White House should start by convening a high-level meeting with its allies Japan and South Korea to discuss next steps to deal with North Korea’s cyberthreat.
The main strategic result of Russia’s 2007 attacks on Estonia was that NATO wakened to the Russian cyber threat and established plans, capabilities and purpose-built organizations. The allies which routinely face North Korean cyber threats should similarly form a regular working group to stand together and improve defenses and common responses.
Of course, the US must also raise the matter in the UN Security Council. Even if it cannot get consensus to condemn the North for a threat to the peace, perhaps it can still obtain a Presidential Statement, as it did after the Cheonan.
Most importantly, and as I have written previously, “[w]hen it comes to preventing the regime of Kim Jong Un from lashing out with cyberattacks, the path must begin not in Pyongyang but Beijing.”
With the new “reset” of China and US relations, the administration must re-engage the Chinese to rein in their unruly ally. China could probably stop this directly and immediately if they wanted, as many if not most North Korean hackers work from inside China.
But an even more important reason to enroll China is to get President Xi Jinping’s personal buy-in that Sony-style attacks are unacceptable. The president probably can’t deter North Korea from these kinds of attacks, but perhaps he can convince Beijing.
Without strong steps now, perhaps it won’t just be a North Korean attack against a film company next, but a Chinese or Russian attack on Google, CNN, or The Christian Science Monitor for featuring investigative journalism or carrying unflattering stories on corruption. The long-term chilling effect on free speech could be the most important long-term aspect of this attack and this should be the center of the administration’s concerns, not the specific North Korean behavior.
Cyberattacks are still neither particularly dangerous nor deadly. The Sony attack is embarrassing and severe, but not an act of war. But it demands a response, else it encourages a new form of conflict where nations feel enabled to attack companies or individuals across borders for practically any reason.
Without norms against such behavior as this North Korean attack on Sony, the Internet simply won’t be as open or free for our grandkids and their grandkids as it was for us.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States and author of the first history book on cyber conflict, A Fierce Domain: Cyber Conflict 1986 to 2012. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey