Saturday, December 20, 2014

Stand There - Don't Just Do Something

Advanced North Korean Cyber Weapons
So a hostile nation state attacked an American - well, really Japanese, but it's not an important distinction at this point - corporation, and forced it to withdraw a product in which it had made a significant investment. All the usual suspects are shrieking that we must "DO SOMETHING", without, as is always the case, specifying just precisely what it is they believe we should do. One option would be a cruise missile strike - the US has previously indicated that its doctrine does envision kinetic responses to serious cyber attacks. Another option is offensive cyberwarfare against North Korea. And a third option would be economic/diplomatic sanctions. That seems pretty straightforward, so let's go ahead and think these options through.

I think we can rule out a military strike as a response in this case. The problem would be proportionality, and this just wasn't the kind of cyber attack that was envisioned when the Pentagon spoke of a kinetic response to a cyber attack. Broadly speaking, there are two kinds of cyber attacks. The most common, the kind you hear about every day, is where intruders manage to penetrate the network's defenses, either from outside or from inside the network, and gain access to data. This data might be financial, it might be personal, it might be corporate trade secrets, and it might be some of everything - which is what we saw in the Sony attack. The other kind of cyber attack - vanishingly rare at this point but much more concerning from a military standpoint - is an attack that penetrates a network in order to break things and hurt people. An attack on the power grid would represent this kind of attack, as did the Stuxnet attack on the Iranian nuclear enrichment facility. That attack actually destroyed a large number of centrifuges and placed the lives of Iranian technicians at risk. If we were talking about that kind of attack, we might be more likely to see a destructive response.

Also, this wasn't an attack against a government installation or critical infrastructure - it was an attack on a corporation - an entertainment company. Nation states have been attacking corporate networks in order to conduct espionage for decades, and those attacks have only become more common with time. Certainly the government - particularly federal law enforcement and the counter-intelligence community - has a role to play in monitoring and defending against such cyber attacks, but that in no way exempts the corporation from its responsibility to protect its shareholders', investors', employees' and customers' data from theft and misuse. The primary cyber-defenders have to come from the corporate side - there's no practical way a government could have enough skilled professionals to protect the data owned by every business.

Economic sanctions would ordinarily be a good option - high-profile, proportionate and non-destructive. But North Korea is already so isolated, and under so many different kinds of sanctions and embargoes, that there's really nothing left to restrict. All of which leads us to the conclusion that the appropriate response to the Sony attacks would be some targeted offensive cyber attacks, particularly against the North Korean government and military. And that would certainly be my recommendation. Unfortunately, there are two gigantic practical problems with that solution. First, North Korea is very isolated. ALL of her internet connections run through China. No western nation can get a TCP packet into or out of North Korea without having it traverse Chinese routers and servers. If it were another nation, we could probably ask (or negotiate) for access, but with the cyber-espionage accusations flying back and forth between Beijing and Washington, it seems unlikely that China would be predisposed to provide any kind of access to the US Intelligence Community. Second, any clandestine US penetration of North Korean networks that does exist would likely be compromised by actual attacks. The question that would have to be addressed is which would be more valuable - ongoing secret access to intelligence, or a one-time rampage that would damage existing plans and operations?

In the end there are few viable options, and even those might not be worth pursuing. The US, particularly in the private sector, needs to do a much better job of preventing cyber attacks, and of detecting them when prevention fails. Because if the world descends into cyber warfare, the US will find it has very few of the advantages it has in traditional warfare. Cyber warfare does not require advanced technology, vast resources or massive R&D efforts. A dozen smart young coders can sit in a lab with some off-the-shelf laptops and do anything the US can do. It's hard to develop and maintain a strategic advantage in software, and here in America we should think long and hard about what that means before we escalate a cyber war - with anyone.


  1. This was a criminal act and should be treated as such.

    Two points:

    1) I have seen some evidence that indicates North Korea was NOT behind this attack (at least not directly).

    2) Not many people are talking about the Sheldon Adelson hack that was almost as bad and was almost certainly carried out by Iran.

  2. From what I have seen, it was an inside attack, either by an employee/contractor or recently ex employee/contractor. But the attack was either on behalf of or sold to NorKor cyber intelligence, particularly the group known as Silent Chollima. While it's very possible the attack wasn't initiated BY NorKor (it's also very possible that it WAS), they ended up being the driving force and benefactor. So they ought to be the target of any retaliation...

  3. Let SONY retaliate then. Oh wait, they're incompetent, don't give a crap about security & probably laid off their best IT weasels, which led to the inside job in the first place.

    We're in enough trouble being the rent-a-cops for fossil-fuel corporations, I don't think the U.S. should carry SONY's water too.

    But I am in favor of shutting down the Internet & world economy for a while.

    1. It would be interesting to shut down the internarfles for a while, since it seems to be the only consistent source of contact with the outside world that MB allows. Outside, of course, repairs to the decrepit bunker he inhabits...

  4. All the usual suspects are shrieking that we must "DO SOMETHING"

    I would be curious as to what suspects you define as 'usual'.

    As best as I can determine, the range of loudmouths is a bit all over the map on this....