5 January 2015

A Cyber-Whodunit
Winning will require nerds and sleuths, not warriors.

By NEAL POLLARD
January 02, 2015 


Over the past few years, it seems we can add cyber-attacks to the list of holiday headaches that includes congested travel, overeating, binge spending and in-laws. In December 2010, web publisher Gawker was hacked, with hackers posting source code, employee conversations, and the email addresses and passwords of hundreds of thousands of users. In late 2012, hackers probably affiliated with Iran attacked U.S. banks, knocking their consumer-facing web services offline, not long after other hackers, probably affiliated with Iran, attacked oil producers in the Middle East. The 2013 holiday season saw millions of consumers’ personal and payment card details lost to a breach of retailers’ point-of-sale systems.

And this holiday season, Seth Rogen and James Franco made a movie, The Interview, that has challenged fundamental assumptions of geopolitics, foreign policy and modern international conflict, through the lens of a cyber-attack. What began as an antic film plot suddenly became a lot more real on January 2, when the Obama administration—responding to an actual cyber-attack possibly provoked by a fake movie scenario—escalated matters considerably by imposing new financial sanctions on 10 North Korean officials and three government agencies.

Yet the apparent tit-for-tat between Washington and Pyongyang has clarified very little. The more “cyber-warfare” and cyber-attacks evolve, the more confused we seem to get about what they truly mean, how to respond, or even who did it. Some of the more famous cyber-attacks described above have simultaneously been termed by government officials and experts alike as crime, terrorism, vandalism, acts of war and nuisances. They can’t be all five at the same time. The silver lining from these trends of cyber-attacks is greater awareness among the public on what is truly at risk, and an opportunity for government, industry and the media to cooperate to define a more consistent, less ad hoc framework on responding to cyber-attacks, identifying and punishing the true beneficiaries of cyber-crime and elevating cybersecurity out of the IT department and into boardrooms and the corporate suite.

Cyber-crime and conflict have changed over the past few years, in frequency, sophistication and notoriety. Cyber-crime has entered a new level of public awareness, as its perpetrators are referenced in politicians’ speeches and its consequences make headlines. Despite this evolution, government and the private sector continue to be taken off-guard, uneven in their cooperation, unsure in their response and inconsistent even in how they characterize and attribute cyber-attacks. What happened to Sony has been described as vandalism, theft, terrorism, even an act of war. Commentators and politicians have claimed the prerogative of recommending how Sony, the U.S. government and the world community should respond, but their recommendations are all over the place.

As 2014 faded into 2015, it was not totally clear what happened when Sony was hacked and its personnel “doxed” (a term for publicly publishing personal, possibly embarrassing documents or emails not meant to be published). Whoever was the perpetrator, this cyber-attack was arguably different from past attacks.

A few facts are uncontested:

• In November, Sony suffered a massive cyber-attack that resulted in widespread corporate system outages, as well as data theft.

• Someone with access to the stolen data began posting it for the world to download.

• At some point, the release of the Sony Pictures Entertainment movie The Interview became connected to the motivations, objectives and demands of the hackers.

• Sony employees (and by implication affiliates such as theater owners) were subjected to threats of physical violence if Sony released The Interview.

• President Barack Obama did not approve of some elements of Sony’s response.

• The FBI and other U.S. government authorities attributed the original cyber-attack to North Korea, and Obama promised retaliation.

• North Korea’s leader, Kim Jong-un, is a satirical subject of The Interview.

• North Korea is a bizarre, dangerous country, even by the most objective of standards.

Just about everything else associated with this cyber-attack and its response is being publicly contested. But there are already a few aspects of this episode that are unprecedented, while others conjure lessons from previous attacks that we should have learned decades ago:

Not your grandfather’s Pearl Harbor. The most popular theory of what happened is that North Korea hacked Sony in retaliation for Sony’s production of a movie that North Korea feels insults its leader. If true, that makes this a rather special geopolitical hack. Some pundits are calling what happened an act of war, and have implicated a conspiracy of Communist regimes behind the hack. This wasn’t what the Pentagon originally envisioned for cyberwar, though.

Secretaries of Defense have been talking since the 1990s about a “cyber Pearl Harbor,” typically characterized as a massive attack on infrastructure such as the electric grid or transportation, usually envisioning massive economic damage and even great loss of life, as a strategic element accompanying a broader conflict among powers. This has been the dark future of various government and think-tank scenarios, predicting how nation-states would use cyberspace as a battlefield for national political or military advantage.

What we have seen over the past few years in the United States has been different: nation-states like (possibly) Iran and North Korea using damaging but fairly limited attacks against specific companies such as banks, oil producers and media companies, to pursue rather tactical foreign policy goals, with no significant military context. The motivations for both sets of attacks appear to be political: pursuing a foreign policy objective (Iran countering a new round of sanctions, North Korea countering cinematic insults against its leader), rather than trade secrets or money. The perpetrators appear to be nation-states or their affiliates. But the attacks punished companies for narrow geopolitical slights, inflicting damage limited to those companies themselves, rather than the large-scale societal outages or government agency attacks imagined in the cyber Pearl Harbor scenarios. While it is true some states such as Georgia, Ukraine and Estonia have suffered wider-scale cyber-attacks, these have been within a broader context of threatened or actual military conflict. If the Sony and similar episodes are harbingers of future cyber conflict, then private-sector corporations might be dragged into state-driven geopolitical conflict as instruments of foreign policy and economic pressure, long before they become trenches under fire on a digital battlefield. If the perpetrators of the Sony and similar episodes are truly nation-states. More on that later.

Bombs, logical or otherwise. Politically inspired or not, the episode quickly went from a bizarre cyber-crime to an alarming threat of violence. As the drama initially unfolded, unknown persons claiming responsibility for the hack, under the moniker “Guardians of Peace,” issued demands that Sony not release The Interview, originally planned for release on Christmas Day (these demands accompanied the release of more stolen Sony data). The demands seem to have evolved from more mundane extortion demands for money, according to news reports. However, the threats escalated, going well beyond a threatened “Christmas gift” of publishing more emails or pirated digital property. The threats escalated to threatened physical violence against the people who would watch the movie, when Guardians of Peace told the public to “remember the 11th of September 2001” and keep their distance from cinemas showing the movie, when the “world will be full of fear.”

With this missive, the Guardians of Peace used threats of physical violence against a specific victim population (moviegoers), with the intention of coercing a larger audience beyond the immediate victims toward a politically motivated objective. These are classic elements from definitions of political terrorism, of which North Korea used to be designated as a state sponsor.

If North Korea is truly behind the entire series of events, irrespective of how plausible the threat might have been, this might qualify as one of the first true cases of cyber terrorism, where physical violence (threatened or actual) accompanies cyber-attacks. To date, with some exceptions, “cyber terrorism” has largely consisted of terrorist groups such as Al Qaeda and the Islamic State using information technology as a means to support physical operations: secure communications, planning and mapping, money transfers, etc. Nation-states have used cyber-attacks in support of broader military campaigns. But as described earlier, the use of cyber as a primary foreign policy tool, accompanied by threats of physical violence, represents something new in cyber-crime and conflict. If North Korea is truly behind this.

DO SOMETHING!!!!!!! Once the hack became public, the spotlight focused equally on the response. Another unique aspect of this episode was the substance and magnitude of a very urgent, very public clamor for a response, which invoked imperatives ranging from intellectual property and copyright protection to racial sensitivity, acts of war, gender inequality in pay, homeland security, and the First Amendment. Sony seemed to be under unprecedented pressure from multiple sectors to respond to all of these imperatives at once, with equal force, and its actions and decisions garnered as much scrutiny as the attack itself, including some critical comments from President Obama. This was not the only precedent President Obama set: he also issued an unprecedented declaratory policy that the U.S. government would retaliate against North Korea for its act of “cyber vandalism.” Whether the actions announced on Friday amount to what Obama said would be a “proportional” response is also up for debate.

The range and stridency of imperatives surrounding the response to the attack illustrate something common to any significant, complex cyber-attack: Such attacks by their nature affect multiple critical business areas, and a victim cannot simultaneously and equally address all areas of risk created by the attack. In this case however, there was an unprecedented range and variety of voices pushing multiple response imperatives at once, many having nothing to do with Sony’s business. When everything is important, nothing is important. Ordinarily a corporation can respond effectively to a cyber-crisis by focusing on what aspects of the attack can most damage core corporate missions and values. In this case though, the din of calamity made everything sound critical, especially in light of North Korean involvement. If North Korea was truly involved. More on that now.

Whodunit? (International edition). This cyber-attack might be unprecedented in its crowd-sourced forensics and theories of attribution. In fact, the world hasn’t seen this many gratuitous explanations, conspiracy theories, goofy speculation and specious analysis since the John F. Kennedy assassination. The FBI was clear that it attributes this attack to North Korea. However, the FBI likely cannot yet release the full forensic basis of its conclusions, for a variety of good reasons. In the vacuum, otherwise respected researchers with no direct connection to the investigation at all have come out of the woodwork, claiming they disagree with the FBI’s conclusions (although they are working with far less data), and that without more proof they are not willing to defer to FBI claims. It is not clear, though, what choice they have.

Attributing this attack recalls some past lessons about cyber-attacks. One lesson is the caution corporations and governments should take against prematurely attributing, or even characterizing, cyber-attacks. In 1998, a cyber-attack on Defense Department systems, which DoD termed “Solar Sunrise,” was described by the then-deputy secretary of defense as the most organized and systematic attack to date, attributed to Iraq given some of the Gulf-based IP addresses used in the attack, as well as rising tensions and DoD mobilization in the Gulf against Iraq. In reality the attack was not terribly sophisticated—it exploited a known, unpatched Solaris vulnerability in a limited set of systems, and caused no outages or damage. The actual perpetrators were two teenagers in California and a teenage hacker in Israel, eventually uncovered by a U.S. law enforcement investigation.

Another point that this episode has highlighted is widespread confusion about both the difficulty and the importance of attribution. Attribution is sometimes challenging, but far from impossible, and important only to the extent dictated by retaliatory options. First, forensic investigation can turn an old cybersecurity adage on its head: an attacker may need only to get lucky once to breach a network, but once in, the attacker has to be vigilant most of the time to keep from being detected and attributed. The investigator need only get lucky once to find a fingerprint. Second, different responses require different standards of attribution, some easier than others. If one requires 100 percent scientific certainty in attribution, it will be impossible; criminal justice in a U.S. court requires attribution beyond a reasonable doubt; civil judgments generally require a preponderance of evidence; frontier justice requires a little bit of evidence and a great deal of righteous indignation; and so on.

The debate over this hack, the chorus of voices weighing in on who is responsible, what it means, and what the response should be, has diluted the ultimate utility of a forensic investigation. What if, as has been alleged recently despite denials from the Obama administration, the actual perpetrator turns out to be a disgruntled former employee? That would illustrate other basic truths of cyber-crime and conflict: insiders are often in the best position to do the most damage, and government and industry have a long way to go in cooperating and responding to cyber-crime and conflict, both to deter this sort of activity and to make the victims whole.

Even assuming it is North Korea, it isn’t clear what more the United States can do to them. Sanctions tend to punish only the North Korean people. Even in the case of the sanctions just announced, against specific North Korean government agencies and officials, many of them are alleged to be doing nasty non-cyber things that were already ripe for sanctions (e.g., weapons proliferation). All we can be sure of is that the phantom war, conducted by phantom combatants, will somehow rage on.

Neal Pollard is a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, and adjunct professor at Georgetown University. The opinions contained herein are his own and do not reflect those of any of his institutional affiliations. 
