NATO’s Tallinn Manual defines an act of cyberwar that permits a military response as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
The world after the Sony Pictures hack may require a new perspective.
Dave Aitel, a former NSA research scientist and CEO of the cybersecurity firm
Immunity, argues that while the attack “doesn’t meet the threshold for a response by our military,” it should still be viewed as an act of war.
“We need to change the way we think about cyberattacks,” Aitel told Business Insider in an email. “In many cases, these aren’t ‘crimes’ — they’re acts of war. A non-kinetic attack (i.e., destructive malware, destructive computer network attack) that causes just as much damage as a kinetic attack (i.e., a missile or bomb) should be viewed at the same level of urgency and need for US government/military response.”
Aitel, one of the preeminent experts on cybersecurity, said “there should at least be firm diplomatic repercussions for these types of attacks. After all, what would we have done if they’d blown up the buildings at Sony Pictures but not caused any casualties? That is the context these attacks need to be put in.”
He argues that if the US believes North Korea directed the attack — which he does — then it is critical that policymakers formulate offensive and defensive responses carefully.
“We’re obviously not going to bomb North Korea, but could we launch a cyberattack against their institutions? Could we shut down their Internet access?” Aitel wrote. “From a technical standpoint, we could do all of those things, but it would likely lead to an escalation by both sides.”
Many of the offensive options are problematic given “the technical complexities involved, legislative challenges, or the international escalation they will generate,” Aitel said.
Nevertheless, one proactive move the US should consider, according to Aitel, is “declaring certain cyberattacks terrorist acts and the groups behind them terrorists,” which would “set in motion a wider range of legal authority, US government/military resources, and international options.”
The new legal framework “would also make it harder for hacker networks to operate in key international areas, as it would require a greater level of cooperation from US allies, EU members, NATO, G20, etc.,” in addition to making it easier “for the US government to target the funding of not only the hacker networks, but any companies or organisations that aid them, even in incidentally or unknowingly.”
Since 9/11, the US has officially considered acts of terrorism to be acts of war. Aitel’s suggestion is to update this understanding so that it includes what would be “cyberterrorists” committing cyber acts of war, like the one that hit Sony.
“Frankly, we need to start talking about what role and responsibility the US government should have in securing US companies from cyberattacks,” Aitel said.
One way to bolster US cyber defenses, according to Aitel, would be for the government to provide companies “with the option to have their web hosting and security provided by the federal government itself.”
And even though turning over the “IT keys” to the government would be an unpopular idea — especially after the revelations by Edward Snowden — Aitel calls it “the most effective model the cybersecurity industry would have to protect against state-sponsored attacks like the one that hit Sony or the millions of cyber-espionage attacks that occur yearly against other key US entities.”
That’s because a critical attack on a US-based company would be treated, legally and politically, as an attack on the US itself.
“In this scenario, the full resources and capabilities of the US government’s intelligence, law enforcement and military apparatuses would be leveraged to protect US companies from overseas attacks,” Aitel said. “The US government doesn’t want to share classified information with companies directly; but it could use this information to protect them. Hosting providers like Amazon, Microsoft, Rackspace, Google, etc., would basically become the new defence contractor.”
An Unprecedented Attack
The Sony hack is “the first major attack on a US company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.”
An estimated 11 terabytes of information was taken, revealing information including scripts, unreleased movies, actor compensation, and off-the-cuff conversations among high-level Sony executives.
The attack’s political motives, along with Sony’s public humiliation, raise the specter of an entirely new phenomena: hacks that combine “national rivalry, hacker ideology, performance art, ritual humiliation and data combustion, culminating in complete corporate chaos,” as John Gapper explained in the Financial Times.
The malware used reportedly bore traces of Korean language packs and resembled software deployed during previous attacks against South Korean targets. This reinforces the idea that North Korea or its supporters hacked Sony as retribution for the release of “The Interview,” a film in which James Franco and Seth Rogen play talk-show hosts sent into the country to assassinate Supreme Leader Kim Jong Un.
“It is extremely likely that North Korea is pretending to be an ‘Anonymous’-like group, which is what nation-states tend to do to obfuscate their role in an attack,” Aitel said, adding that analysis by the FBI and the US intelligence community to identify the source of attacks “is not based on court of law facts, but intelligence they have collected over a number of years.”
Further, it makes complete sense for North Korea to use proxies.
“If North Korea was to come out and state that it was them, they would be able to sued in international court,” Aitel explained, “but because they know the US isn’t going to burn its sources and methods, as long as they pretend to be an Anonymous-like group they can maintain a veneer of innocence. This is also something Iran does, with #OpIsrael Anonymous campaigns and the Syrian Electronic Army. These are both operated out of Tehran.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.