Why the United States needs a broad, new strategy to prepare for -- and defend against -- the next generation of online warfare.
President Barack Obama may have just been being true to his inner lawyer, seeking more linguistic precision when he characterized the North Korean hack attack on Sony Pictures as being more like “cybervandalism” than an act of war. But he should not have said it.
In the first place, it served no beneficial purpose to minimize what Kim Jong Un’s minions had done — which was nothing less than the first significant state-sponsored destructive cyberattack on the United States — except to attempt to reduce the growing pressure on himself and his administration to take retaliatory action. But more importantly, we are at a critical juncture in the dawning days of the cyber era, and it is a moment when U.S. interests would be better served by a message from the White House that was strong enough to be an effective deterrent against future attacks. Indeed, the Sony hack demonstrates the urgency with which the United States must develop policies that send a clear signal to would-be attackers that they will pay a high price for seeking to strike the United States and that the U.S. government is relentlessly committed to protecting our assets and making it increasingly difficult for future attacks to succeed. And the events of the past few days indicate that we have yet to develop such policies.
To date, the president has sought to send a message that whatever response the United States will undertake in response to the North Korean attack will be proportional. In an era in which the United States has damaged itself through overreaction to past terrorist attacks and threats (from Iraq to torturing prisoners to NSA overreach), such restraint is welcome in terms of its likely intent. But with all due respect to the president, he probably should have limited his comments regarding proportionality to his team internally and then should have publicly delivered an unambiguous message to North Koreans and others that we would be robust in our response.
Equating the attack with vandalism pushes it into the realm of criminal behavior to be left to lawyers and the courts. This is consistent with the U.S. response to a Chinese hack earlier this year in which we identified the perpetrators and indicted five of them on charges that they too hacked U.S. businesses. This action was seen as largely symbolic and toothless because, of course, none of those perpetrators will ever go any place where we would actually be able to apprehend or prosecute them. It was an empty threat. And that’s just the problem. Despite years of discussions of the growing importance of cyber-risks, the United States still does not have an effective or even very clear stance on how it will deal with cyberattacks, particularly those against private targets.
In fact, last week’s events stood as a kind of poignant commentary on U.S. national security policy. We were so busy celebrating a long-overdue milestone in setting aside our failed Cold War relic of a Cuba policy that we neglected to fully address the fact that we were once again caught unprepared at the dawn of what I have previously called the Cool War. The Cold War was a period in which the threat of nuclear catastrophe kept enemies off the battlefield. In the era of Cool War, the absence of effective deterrents could well usher in an era of permanent conflict in which countless adversaries chip away at each other, sometimes with little effect, sometimes with invisible but substantial economic or social costs, sometimes producing calamity and the loss of life.
The problem of developing the right kind of deterrent policies is not an easy one. But it is just the kind of urgent hard problem with which we should be grappling both within the government and in a public-private national conversation. For example, as the North Korean instance reveals, in cyberconflict, asymmetry offers special challenges. Whereas a kinetic attack from a smaller adversary may lead a larger country to also respond kinetically, which, even if “proportional,” can be more devastating to that smaller adversary than the initial attack may have been, in the case of cyberattacks, the smaller actor may be home to many fewer cybertargets, perhaps none comparable — especially if they are a nonstate actor or are supported by a small infrastructure, as in the case of a poor rogue state like North Korea.
Further, we are a free country and, as we hopefully have realized, must be on guard against excessive government interference in the connective tissue, the nervous system, of our information society. That means we must be careful among the limited options we have not to embrace any that might compromise the openness of our society that we are seeking to protect.
In addition, especially in such asymmetric attacks like the Sony hack, our options are pretty limited. Economic sanctions are likely to be ineffective because the North Koreans are pretty much sanctioned up the wazoo already and because the regime in Pyongyang has already indicated it is willing without flinching to pass on economic hardships to its people while preserving the excesses enjoyed by its leaders. Legal options, as discussed above, are unlikely to work.
Global pressure is also tough to wield against an isolated nation. In a well done and revealing exclusive report in the New York Times, David Sanger, Nicole Perlroth, and Eric Schmitt describe how the Obama administration sought Beijing’s help “in blocking North Korea’s ability to launch cyberattacks.” One can only imagine how awkward that exchange was, given the fact that the United States has been beating up on the Chinese for several years now on the same subject. The Times reported: “So far, the Chinese have not responded. Their response would be critical, since virtually all of North Korea’s telecommunications run through Chinese-operated networks.”
The report also noted that the president’s top national security officials spent much of last week engaged in meetings trying to develop options for responding to the North Korean attack. The fact that such an incident was utterly predictable and happens thousands of times a year (though never before on this scale or with such significant consequences) reveals a serious flaw in the planning efforts of the U.S. government in this respect — especially since a quick, decisive response would help send a message to future attackers that the United States was prepared to deal with them too. (The failure to communicate effectively with Sony about the potential consequences of its infamous decision to pull The Interview from theaters was also a problem given the message the action sent. The president was tough on this point after the fact. But given that the CEO of Sony Pictures and his top associate were both big Obama financial bundlers, it would seem logical that the White House could have tried to guide them in a better direction earlier. In fact, given that relationship, I’d love to see the full extent of the communications between Sony’s leadership and its friends in the West Wing.)
Another problem comes with the fact that the attack was on a private company. Some in the media suggested that this meant it was not really the business of the U.S. government. First, the U.S. government has already acknowledged the attack was its business. In meetings with Chinese leaders in California last June, it was just such attacks (by a foreign actor on U.S. private-sector interests) that was the primary focus of cyber-related discussions. Because the United States is the world’s largest and most advanced economy, it possesses many more such targets than anywhere else in the world — tempting for criminals, rivals, and enemies alike. And for those who might suggest that a hack attack by a foreign government or terrorist group should not be a subject for national security officials, ask what might be done if the attack were done with explosives.
In such an attack, particularly if it were very costly, there would be no hesitation about considering U.S. military options among those weighed in response. This is well known. It reduces our risk of such attacks. In fact, it is just such a policy that made the likelihood of North Korean attacks on U.S. theaters showing The Interview so unlikely. If it could be proved the North Koreans were behind it, in fact, there would have been no other option but for the United States to strike back militarily.
I am not suggesting that we should go to war with North Korea over the Sony cyberattack. Nor am I suggesting traditional military action — though I believe that we should send the message that it is always an option that we will consider when it is essential to our national defense. But I do believe that if we do not demonstrate to the hackers and cybergenerals of this world that there are very real consequences to attacking the United States, be it a public or private target, then for all the reasons cited above, such attackers might think they can act with impunity, and we may well enter a period of war without end and permanent national insecurity.
In the New York Times piece, it is reported that the White House has ruled out a “demonstration strike” on a North Korean target that would clearly signal our willingness and capability of responding in kind. That is, I believe, an error. For example, one potential target described in the article is Yongbyon — “the center of North Korea’s nuclear program, where the state has invested huge sums to produce plutonium and uranium fuel for its small arsenal of nuclear weapons.” It is noted that a potential attack on the Yongbyon facility would be more difficult for U.S. cyberwarriors than the one conducted against Iran as part of the Stuxnet operation. But that does not mean it should not be considered, especially since it would be a twofer: It would set North Korea’s nuclear program back and would do so in a way unlikely to affect North Korean civilians.
Whether the target were Yongbyon or some other facility, sooner rather than later it is important for cyberadversaries to get the message that the United States is going to do more than hurl the expected “we’re considering all options” book at them — when they know how little that means. And while it is true that the United States has many more vulnerable targets, that vulnerability should not be allowed to cow us into inaction — a measure that only compounds the risk of further attacks. (Reports of a North Korean Internet outage on Monday may or may not represent a response of sorts. Were it one — and it could have been a result of many factors — it would be welcome but mild, a demonstration of capacity to respond rather than the kind of meaningful punitive blow. And, within a matter of hours, reports on Tuesday indicated that some North Korean Internet capacity was coming back online.)
The United States needs to accept that we are in a new era and that future such attacks – high-profile attacks with significant social, economic, and political consequences — are inevitable. The president and his team should seize this moment to develop in advance not only cybercapabilities but an array of public, diplomatic, military, and other responses that will actually create the most effective deterrent to future attacks that is possible. And then, beyond that, it is time the United States considered something like the big Civil Defense push of the early nuclear era in which the U.S. government launched a major effort to work with the private sector to increase awareness of risks and to promote hardening our assets and honing our responses to future attacks in a far more comprehensive way than we had done to date. (Some sectors, particularly those associated with critical infrastructure, have been working with the government. But as the Sony situation indicated, the best preventive work has been done in only a few sectors — like finance — and even in these, much more needs to be done.)
This should be a big initiative of the White House, the Department of Homeland Security, the Justice Department, and the rest of the government. Further, its effectiveness would be enhanced greatly if key allies were enlisted within the private-sector community. For example, insurance companies, institutional investors, and others should be encouraged to weigh cyberpreparedness as they evaluate the risks of individual companies — creating incentives for them to move faster and to be smarter. Boards should get the clear message that lack of cyberpreparedness will invite liability that no company should tolerate. The program should build on existing efforts, but the events of the past week should underscore that much more can and should be done.
These are the early days of the cyber era. This administration could not be expected to have fully formed ideas on these issues, and indeed, they have made some important initiatives in this area. But it is clear that much work still needs to be done. Just as we belatedly closed the book on one of the last vestiges of our Cold War policy, yet another relationship that is a throwback to that era reminded us that it is time to start writing a new playbook and that the longer we delay, the more likely it is that further and more damaging illustrations of our lack of preparation will manifest themselves.
Chip Somodevilla/Getty Images News