Is the Sony Hack the Dawn of Cyber Deterrence?

In cyberspace, actors are usually not deterred because it is difficult to determine the perpetrator behind a cyberattack, which, in turn, makes retaliation difficult. Ram Levi believes that when the United States blamed North Korea for the attack on Sony and retaliated, they may have changed the rules of the game.

In the confines of national security, deterrence is the act of preventing another party from taking action out of fear of the consequences. In the attack against Sony Pictures Entertainment, North Korea failed in deterring Sony from releasing the movie “The Interview,” and the United States failed in deterring North Korea from attacking Sony. Why? In cyberspace, the rules of the game are different. States are not deterred and regard cyberattacks as consequence-free because adversaries have until now not paid a price for attacks. From a technological perspective, the cyberattack against Sony is old news. Highly disruptive computer attacks (or “Denial of Computing”) have been around for over 25 years, with hardly any ability to attribute and deter the perpetrators. However, from a strategic perspective, the unprecedented actions of the Obama administration against North Korea may herald the dawn of cyber deterrence.

Denial of computing attacks date back to at least 1989. In an interesting example, a computer worm was used to attack NASA as a protest against the launch of the plutonium-powered Galileo satellite. It was the second major worm in the history of computer networking. Two years later, in 1991, the Michelangelo virus was wiping thousands of computers around the world. 

Because of our hyperconnectivity and ever-increasing dependency on computers, recent attacks have been much more destructive. In 2012, the Shamoon virus was used to delete data on 30,000 computers at Saudi Aramco. A few weeks later, the same virus attacked 12,000 computers at RasGas, a Qatari company. Ultimately, the attacks were attributed to Iran and interpreted as Iran “firing back” in response to cyberattacks and sanctions on its oil exports (recently released NSA documents suggest Iran learned to do unto others as was done unto it). According to a Saudi Aramco representative, Iran sought “to stop the flow of oil and gas to local and international markets.” While the attack failed to disrupt oil production, it succeeded in disrupting the oil production business. How can any enterprise work without its computers?

In March 2013, data on 48,000 computers were deleted in three banks and two television stations in South Korea. The attack caused a staggering $750 million in damages and was ultimately attributed to North Korea. A similar attack happened in February 2014 to Las Vegas Sands Corp. According to Bloomberg, “PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The company’s technical staff had never seen anything like it.” Iran was the main suspect in carrying out the attack.

In all of these cases, attribution occurred through comments to the press and there was no apparent retaliation, either online or offline, for government-sanctioned cyberattacks. For cyberattacks crafted and executed by nation state actors, difficulty in attribution makes retaliation difficult. Attribution, or determining the perpetrator behind a cyberattack, is often not possible by forensics and pattern analysis but only from intelligence. Even when intelligence is available, nations are often reluctant to publicly reveal it and endanger their sources, giving the attacker plausible deniability. This paradigm may have changed in the Sony attack. 

The official U.S. response in the Sony attack appears to have changed the game on both attribution and retaliation. This is a rare case of a nation officially attributing a cyberattack and publicly discussing some of the methods used. According to the NSA Director Admiral Michael Rogers: “From the time the malware left North Korea to the time it got to Sony’s headquarters in California, it crossed four different commanders’ lines or areas in the U.S. construct.” Interestingly, NSA’s attribution of the attack wasn’t limited to pattern and traffic analysis alone. According to a recently disclosed document, NSA had knowledge of the attack from early warning software that had been hidden in North Korea’s networks since 2010. The intelligence from the software was critical in persuading President Obama to accuse North Korea of an official role in the Sony attack.

A few days after the FBI officially attributed the attack, the president sent a clear message saying North Korea “caused a lot of damage” and the U.S. “will respond proportionally.” According to the NSA Director “the entire world was watching” how the “U.S. as a nation [is] going to respond to this.” The response didn’t take long to come. During the following days, North Korea suffered a shutdown of its Internet, and blamed the U.S. government for it. A few days later, an official response came from the U.S. government placing economic sanctions on North Korea, stating they are in direct “response to North Korea’s attack against Sony.” The White House stated those “actions are the first aspect of our response.”

Despite the timing of the North Korean outage, mere days after the Sony attack, the U.S. denied any involvement, possibly to maintain some form of plausible deniability and to avoid brandishing their offensive cyber capabilities. Some speculate it was not the work of the U.S. government. If it’s not the U.S., it can be considered as an opportunity lost.

This may be one of the few cases where a victim’s country publicly blamed its attacker and retaliated. These sanctions may make North Korea pay a price greater than what they wanted to achieve in attacking Sony, and improve the U.S. state of cyber deterrence.

Improving Deterrence

Even if the U.S. didn’t disrupt North Korea’s internet, the sanctions alone may have succeeded in sending the powerful message that it possesses the intelligence and technological capability necessary to attribute cyberattacks and respond, and the will to do so.

President Obama recently signed an executive order promoting cybersecurity information sharing; however, he admitted that “we’re not even close to where we need to be”. To get to where we need to be, governments need to progress in three particular areas:

Improve deterrence by denial, by investing in defense mechanisms and developing policies for collecting and sharing relevant operational intelligence with the private sector. 

The private sector is not equipped to collect intelligence on nation state actors and the intelligence shared should be used for targeted cybersecurity aiming at increasing the cost of executing attacks.

Develop a policy for using intelligence in the investigation of cyber incidents to improve timely attribution. The Sony case is a good example, since it was an FBI-led, government-wide collaboration that made attributing the attack possible. According to the NSA Director: “we were asked to take a look at not just the data that was being generated from Sony but also what data could we bring to the table.”

Improve deterrence by punishment, by having the will to follow through on counterattacks in the event deterrence fails.

The cyberattack on Sony was bad for the company, but it might be good in the long run for other entities. It was important in raising awareness about the seriousness of cyberattacks and will likely be a catalyst for improving cybersecurity in the private sector. The successful cooperation between the FBI, NSA and Sony may set a good example and encourage information and intelligence sharing between the private sector and government intelligence agencies. Most importantly, this might be the dawn of cyber deterrence. 

When the United States blamed North Korea and retaliated, they may have changed the rules of the game. It conveyed a symbolic but clear message to cyber attackers – the days of cost-free cyberattacks can end and attribution capability is available. With that, decision makers have a new option on the table – to retaliate and start building deterrence. As seen from this attack and others, the growing convergence between cyber and the physical space makes the ability to inflict damage from cyberattacks a real danger. Failure to develop the ability to attribute and deter potential aggressors from attacking means our businesses, governments, and critical infrastructures are in danger. Cyber attackers must pay a price greater than the benefits of their attacks.

Too bad we needed a Seth Rogen film for this to happen. 

The article was originally published on the Council on Foreign Relations.

Ram Levi is the CEO of Konfidas, a cybersecurity consulting firm, and a Senior Fellow at the Yuval Ne’eman Workshop for Science, Technology and Security. He formerly served as the secretary of the Israeli prime minister’s national cyber initiative task force. 
