U.S. to hit back at N. Korea over Sony -- but how? Cyberwar favors the weak
The stakes in the Sony hack keep getting higher. We are all about to get a lesson in asymmetric warfare, and that has me really concerned. Now that the U.S. government has so openly accused North Korea of attacking America, and its way of life, the U.S. has a really big problem: How does it respond? What would a proportional response look like?
The simplistic answer -- hacking a North Korean company and ruining a multi-million-dollar movie premiere -- isn't an option.
That's the nature of asymmetric warfare. It turns David vs. Goliath on its head. As a techno-Goliath, the U.S. is an easy cyberwar target. We also have a wide diversity of targets. Sure, hacking Sony is bad, but it's not like hackers shut down a power plant or did something that directly led to physical harm, like disabling a 9-1-1 system. What constitutes a proportional response?
U.S. officials have told NBC News that they haven't ruled out hacking North Korean computers as a response. Which computers? What private company deserves retribution for the Sony hack? What North Korean government system could the U.S. take down that would cause real financial harm, but not physical harm? The U.S., you'd have to think (hope?), has no interest in escalating the situation.
But here's the problem: It's very hard to imagine a response involving Korean computers that isn't either a) silly, like hacking a "shame on you" message onto a computer somewhere or b) an escalation. As The Wall Street Journal explained this week, cutting North Korea off from its China-controlled Internet access isn't a great option. And wrecking North Korean systems might do more to harm U.S. spying efforts than anything else.
The problem I see now is that the U.S. has backed itself into a corner. For some reason, it has rushed to come forward and finger North Korea, even while many analysts have reasonable skepticism about the conclusion (why was there an extortion demand before the movie demand?). I don't understand why this happened, but it means the U.S. has to do *something* now as a response, or else risk looking even more helpless.
Certainly, the Obama administration could have chosen to leave itself wiggle room on the North Korea attribution. There are many levels on which a nation-state could have been involved in this attack -- from directing it to simply allowing its already-hacked computers to be used by independent groups to execute an old-fashioned extortion. For years, hackers working for China have successfully attacked U.S. corporate interests. The U.S. government has never responded like this. Now, it has to provide a show of force. But how?
Not long ago, I talked about this tricky, uniquely 21st-century problem with Eneken Tikk, who at the time was a policy analyst at NATO's Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. NATO's center was in Estonia because that nation is famously the site of what folks consider the first cyberattack. Tikk was studying problems like: When would a digital attack require a real-world, bullets-and-blood attack? And even more dicey: When would a cyberattack on a NATO member trigger NATO's mutual assistance agreement? When would other NATO members be required to jump to the defense of a cyber-attacked member?
Tikk, who is very level-headed, explained various scenarios where these scary things could happen. It's easy to imagine a digital attack that could lead to real physical harm. Shutting down a power grid could lead to deaths at a hospital, for example. Shutting down a 9-1-1 system could easily cause physical harm. In a case like that, a NATO nation could argue it has justification for bombing a hacker hideout, for example. And the victim nation might turn to other NATO members for help doing so.
Back to Sony. As the feeding frenzy of this story continues to escalate, it's incredibly important to realize that a feeding frenzy helps no one. There are two things I know about the digital underground: 1) Often, nothing is as it seems. It's just so easy to leave false flags, take on false personas, etc. So be slow to draw conclusions. And 2) Folks who yell the loudest at times like this usually have a lot of money to make. Cyber security is a cash cow. Hopping along a hot hack story can make (or break) a small security company. And one incident like this can help a government agency get millions of dollars in new funding. So there's an awful lot of incentive to exaggerate. Usually, that's just relatively harmless chest-beating which leads to the writing of big checks. In this case, it might lead to cyberwar.
Recall that we've had a massive race -- by the U.S. government and journalists -- to publicly blame a foreign enemy for something in our recent history that didn't work out very well. Please overindulge in skepticism right now. Whoever turns out to be right about the source of the Sony hacks, one thing is sure now:
The U.S. is planning a response. It has thrown down the glove and has to respond now. How in the world will we right-size that response?
(An earlier version of this story incorrectly used the term "asynchronous." I regret that.)