In the aftermath of the Sony attacks, the US is considering a range of possible retaliatory measures.
On Thursday, the White House promised that the US would engage in a “proportional response” against those who conducted the attacks against Sony.
US officials are expected to pin the hack on North Korea with possible links to “Chinese actors.”
This malicious intent and apparent state sponsorship has forced the US to respond to the incident as a matter of national security, instead of simply being an instance of cyber crime.
This distinction has opened up a wider range of responses that the US could conduct against those responsible for the Sony hack.
The US could treat the Sony breach as an attack on a single private company rather than on the United States writ large. Even now, the attack doesn’t fit NATO’s definition of an act of cyber-war since there has been no loss of life or physical damage resulting from it. Even with state backing, the hack wasn’t aimed at hospitals, the military, or the electrical grid. “The Interview” isn’t vital infrastructure.
By not acting, the US may have less of a chance of blundering into a larger cyber-escalation and wouldn’t have to deal with the possible myriad consequences of shifting its entire legal and diplomatic framework in response to a single incident.
Risks: By doing nothing, the US government would be saying that it doesn’t feel obligated to respond to even a highly damaging state-backed attack on an entity in the United States. This would may embolden future attackers. And it would fail to address any of the alarming issues that the Sony hack raises.
Declare that the hackers a terrorists
The US could declare that the groups behind certain hacks are “cyber-terrorists.”
According to Dave Aitel, a former NSA research scientist and CEO of the cybersecurity firm Immunity, one option is “declaring certain cyberattacks terrorist acts and the groups behind them terrorists,” which would “set in motion a wider range of legal authority, US government/military resources, and international options.”
This designation would “set in motion a wider range of legal authority, US government/military resources, and international options.”
This would be a new legal category and may require bringing the rest of the international community on board in order to have teeth.
Risks: Designating North Korea a terrorist sponsor could hamper any future nuclear negotiations with Pyongyang — the US actaully removed the country from the state sponsors of terror list in 2008 in order to make headway on the nuclear issue. The label would also be precedent-setting and raise all sorts of incredibly thorny legal, diplomatic, and practical questions.
Would China and Russia be labelled state supporters of cyber-terror for their DDoS attacks against American companies and sabotage of US government systems? And what would this designation even mean in practicality — what individuals or entities would be affected, and how might an expanded legal regime complicate other US economic and political interests? For starters, sanctioning cyber-terrorists or companies that assist them could conceivably complicate some US firms business dealings in China.
Engage in counter-hacks:
If it is conclusively proven that North Korea carried out the attacks against the Sony, the US could engage in retaliatory hacks against Pyongyang. This hacking could target North Korean and a range of North Korean websites, affiliated sites, or internal networks. The US could take North Korean government infrastructure offline as a warning of the potential consequences of a future hack.
Risks: Any cyber engagement against North Korea runs the risk of escalating a conflict into a full-blown cyber war between the two nations. If North Korea feels that it is directly under attack, it could also physically respond with kinetic strikes against South Korea.
Declare North Korea a state sponsor of terrorism
Evans Revere, a former State Department official and specialist on Korea, has suggested that Pyongyang could be designated a state sponsor of terrorism, joining Sudan, Iran, and Cuba. This designation would be warranted due to both the attack and the threat of carrying out violence against theatres that screened “The Interview.”
Risks: North Korea was on the state sponsors of terrorism list until 2008, when it was removed by the Bush administration during nuclear negotiations. Putting it back on would be nothing more than a return to the status quo.
Go after Chongryon:
The organisation for Japan-based supporters of the North Korean regime once ran a miniature business empire in the country and served as Pyongyang’s chief means of acquiring foreign currency.
Chongryon has fallen on hard times, and been forced to sell off much of its business holdings and property. But the group answers directly to the Liaison Department of the North Korean government. And according to an HP Security report from August of 2014 on North Korean cyber-capabilities Chongryon’s “‘study group’ … gathers intelligence for North Korea and helps the regime procure advanced technologies.” The report concluded that Chongryon is “critical to North Korea’s cyber and intelligence program.”
The US could pressure the Japanese government to shut down and expel the organisation.
Risks: Japan has been negotiating with North Korea over the fate of nearly a dozen Japanese citizens kidnapped and taken to North Korea over the past 40 years. Sony is a Japanese company, but Japan may bristle at what could be perceived as American intrusion into its foreign and domestic affairs.
Totally end trade:
The US and North Korea conducted $US21.9 million in trade last year, the highest total since 2008. This is a small amount of money, but every bit of external trade is critical in a place as isolated as North Korea, where the elite depends on a steady supply of foreign currency in order to remain in charge.
Risks: None, really. It’s just too little money to make much of a difference.
End even the possibility of expanding food or development aid:
The US cut off much of its food aid to North Korea in 2008. Since then, there have been intermittent discussions about possibly resorting US development projects and humanitarian assistance. The US could freeze those and communicate an intent not to resume them.
Risks: This would effectively punish ordinary North Koreans for the actions of their government. And it probably wouldn’t do much: the country experienced a debilitating famine in the 1990s, and the Kim regime was still able to hang on to power.
Try to run the North Korean government off of the internet:
As the HP report notes, most North Korean websites are actually hosted on servers in Japan and Thailand; the only internet service provider inside North Korea is actually a Thai joint venture. Through a combination of cyber-activity and diplomacy, the US could probably blacklist North Korean domains from foreign servers. The US Department of the Treasury could also sanction any company involved in hosting North Korean websites or providing internet access to the country’s government.
Risks: This just wouldn’t have much of an impact — it’s not as if the Korean Central News Agency is a traffic monster.
The US has the ability to place particularly crippling sanctions upon North Korea. Gordon G. Chang of The Daily Beast notes that financial sanctions put in place under the Bush regime forced Pyongyang to ferry cash in suitcases. This lack of funding led to the closure of certainNorth Korean weapons programs.
Risks: High-level sanctions on North Korea could lead to more difficult relations with China. The previous round of sanctions were prematurely lifted at Beijing’s desire. And North Korea is tightly sanctioned as it is.
“The Obama administration has been reluctant to embrace ” the sanctions approach, Associated Press reports. “The biggest impact would be felt by banks in China, complicating US efforts to curry better ties with Beijing.”
“There should at least be firm diplomatic repercussions for these types of attacks,” Aitel told BI. “After all, what would we have done if they’d blown up the buildings at Sony Pictures but not caused any casualties? That is the context these attacks need to be put in.”
Risks: Nothing happens.
Business Insider Emails & Alerts
Site highlights each day to your inbox.