As the fallout from the November 2014 cyberattack on Sony Pictures Entertainment continues, with Sony co-chairman Amy Pascal stepping down this month, it’s still not clear how the story will end, either for Hollywood luminaries or US national security. In the meantime, though, we can learn from the incident and start to formulate responses for the future attacks that will inevitably occur.
The attack, which according to the US government was launched by North Korea, compromised unreleased films, private correspondence, and other sensitive information, and trashed hard drives on the Sony Pictures Entertainment computer network. It did not, however, bring financial gain to the perpetrators, nor does that appear to have been their intention. This reinforces a lesson learned from recent cyberattacks against Aramco and South Korean banks, specifically that theft of intellectual property for profit is not the only possible outcome of a hack. All three attacks involved malicious destruction rather than “just” theft.
We should also take note that government authorities are not able to attribute responsibility for a hostile cyber-operation on a time scale that is satisfying to the public, and they may even change their minds in the course of an investigation. In the Sony case, it took several weeks—not hours, not days—for Washington to ascertain North Korea’s culpability. This does not mean that there is good reason to doubt the findings. Some of the public—including security experts who are unfamiliar with the ways of government—may insist that the only evidence that should count in government determinations is evidence that would be admissible in a court of law, and that the relevant standard should be “beyond a reasonable doubt.” Since the United States spends billions of dollars a year on obtaining information through classified sources, though, this stance is hardly persuasive.
Deciding how to respond. There is not yet an agreed appropriate response to politically motivated cyberattacks. Part of the challenge in figuring out what to do next is that we don’t have a clear understanding of how old rules should be interpreted in light of new technology. So what might provide some direction? One easy guideline is that a cyberattack producing effects comparable to those a kinetic attack (one involving bullets and bombs) would have caused should be judged in the same way. That is, if a cyberattack against an electric power generation facility produced the same damage a cruise missile could cause, we should judge the cyberattack in the same way we would judge the cruise missile attack.
There are some kinds of damage, though, that can only be caused by cyber means. Incidents might include an electronic takedown of the stock market, which could have economic effects comparable to the financial crisis in 2007, or a foreign cyberattack on electronic voting machines that thwarts the will of the citizenry. Policy makers would be justified to regard such actions as acts of war. If they did, they might choose to exercise the inherent right of self-defense that all nations have under the United Nations Charter—which could involve a kinetic military response. (Of course, having the right to respond militarily does not necessarily mean that it would be wise to do so, a fact policy makers would surely consider.)
The Sony incident doesn’t qualify as an act of war. Sony Pictures Entertainment is an important company, but no one can seriously argue that the nation’s economy will collapse if it goes under. Still, some kind of response is necessary. On December 22, 2014 and again on December 23, the North Korean Internet was attacked severely enough to disconnect it from the rest of the Internet. If the US government was responsible (which it denies), the act would probably qualify as a good-faith attempt to respond in a way that is not itself an act of war. US responses, of course, may not yet be complete.
Planning for the next one. Unfortunately, the US government does not seem prepared to deal with future cyberattacks. Getting its house in order will involve addressing at least two questions.
First, Washington needs to understand that its credibility isn’t what it used to be. Gone are the days of the Cuban missile crisis, during which US Secretary of State Dean Acheson offered to show French President Charles de Gaulle the photos of Soviet nuclear missiles in Cuba, and de Gaulle replied, “the word of the president of the United States is good enough for me. Please tell him that France stands with America." With such trust having eroded, the US government needs to decide in advance what kinds of evidence it is willing to release to defend its attribution assessments. Washington often knows a lot more about the sources of cyberattacks than it lets on, but there is always a tension between releasing information to persuade a skeptical world and alerting an adversary about the methods intelligence agencies may have used to obtain it. It is up to national leaders to resolve that tension reasonably.
Second, the US government also needs to decide what thresholds it is willing to observe. If it calls the North Korean attack on Sony an unjustified act of war against the United States, is it willing to ignore similar attacks on foreign corporations that may hurt US interests? Deciding in advance will avoid time-consuming ad-hoc decision making when an attack occurs.
Companies also need to plan. How will they protect their most critical assets against cyber intrusions? Every boardroom should be contemplating the possibility that its company’s computer systems will be destroyed and private email, salary information, and much more publicly revealed. Executives need to decide what it’s worth to defend against these outcomes.
The most important lesson of the Sony affair to date is that we can be surprised. In October, 2014, few policy makers or business executives anticipated that a nation state might mount a direct destructive cyber assault on an individual corporation that was not part of the target country’s critical infrastructure. Cyberattacks can occur in entirely unexpected contexts, and the claim of “that would never happen” is not an adequate basis for either corporate or government policy planning.
Editor's note: A longer version of this piece appeared on the Lawfare Institute blog on January 23, 2015.