20 December 2014

Sony Hack Attacks Presage New Warfare: The Weaponization of Code


12/16/2014 

North Korea is a miserable, backward, hellhole of a place. It has a per capita GDP ofless than $2,000 -- trailing Yemen, Tajikistan and Chad -- and about one-sixteenth the size of the GDP of South Korea. The Hermit Kingdom derives its power through the twin pillars of state repression and an all-encompassing propaganda apparatus.

This poor, delusional country managed to wallop Sony after it objected to the content of some movie which I can't remember the name of at the present moment but which looks boring and stupid. Most of the press reporting is about the compromise of celebrity emails and some Hollywood chitter-chatter. Nobody will remember or care about these emails or chitter-chatter in a week.

What is important is that these hacks presage what is going to happen for years to come and at far greater cost than what is being imposed on Sony. We have had a good 20-year run since the advent of the commercial Internet, during which the worst that comes from our connectivity is (for the most part) spam, occasional identity theft and lots of time wasted on click-bait.

The weaponization of code is the most significant development in warfare since the weaponization of fissile material.

Sadly, there are few barriers to entry in the domain of cyber war. Any country that puts a little bit of time and effort into it can develop some pretty nasty offensive capabilities. It is not like the development of nuclear arms, which requires years of work, billions of dollars and access to the scarcest of scarce scientific talent and transuranium elements. Don't want to invest the time or effort? That's okay -- today'sLégion étrangère is the black hat hacker -- available on a fee-for-service basis. Just wire the money and they'll start shooting in the direction you point toward.

The very nature of cyber conflict shifts norms in transnational conflict. It is no longer just sovereign nation state versus sovereign nation state. The guys wearing blue uniforms versus the guys wearing red uniforms. No, increasingly cyber conflict will be directed from a country toward a company and from a company toward a country.

It is only a matter of time before some hotshot group of engineers recognizes and stalls a cyber attack and instead of calling the authorities (who can't do anything anyway), the VP of Engineering orders a counter attack against the aggressor. If Sony had a better engineering department --- if it were a little more Northern California instead of Southern California -- I wonder what would have happened if they had identified the source of the hack and shot back with a DDoS attack. Would the North Koreans have considered this an "invasion" by the United States or Japan (where Sony is actually headquartered). They are complete lunatics, so they probably would.
"Would the North Koreans have considered this an 'invasion' by the United States or Japan (where Sony is actually headquartered). They are complete lunatics, so they probably would."

This all seems slightly fantastical, but it is real and going to grow more commonplace. A key takeaway from the Sony hack is that each and every large company needs to recognize that cyber offense is easier than cyber defense. Any big company can be brought to its knees by an aggrieved party. In Sony's case, it was a nasty dictatorship. In the case of some prominent banks, it was Russophiles working with an encouraging head-pat from the Kremlin. In the case of Target, weaponized code written by a 17 year-old Russian and inserted through the virtual private network of a private contractor doing heating and ventilation work, causing a massive breach and the CEO his job.

Cyber offense is getting easier. Cyber defense is getting more difficult.

One thing that needs to go on every Fortune 500 board chairman's to do list is to start a search for a board member with cyber expertise. About 10 years ago it became near-mandatory for every board of directors to have a member with expertise in the audit function. In five years, any board of directors without a board director with expertise in cyber will be perceived as a shortcoming of corporate governance.

For national governments, at some point they are going to have to come together and develop the kind of norms and rule-setting that developed in the 1960s with nuclear weapons. It took a very long time for treaties and arms control agreements to develop following the invention of the atomic bomb. Those treaties and arms control agreements helped keep the world safe. Without legal and diplomatic structures that can be used to govern the use of weaponized code, it is every country and company for itself. That means many more examples of hacks à la Sony.

Alec Ross is a Senior Fellow at the Columbia University School of International & Public Affairs

No comments: