Pages

20 June 2019

What does a cyber counterattack look like?

By JOSEPH MARKS 

President Barack Obama promised at his year-end news conference Friday that the U.S. will respond “proportionally” to North Korea’s cyberattack against Sony Pictures Entertainment, but the conventional options available to him are ineffective, merely symbolic or a bad risk because they might lead to a larger military conflict.

Military action against North Korea is effectively off the table, experts told POLITICO, and trade with the isolated rogue nation is nearly nonexistent, making sanctions ineffective. The U.S. could indict those behind the hack, but that would have little real-world effect. A senior Democrat called for the country to be relisted as a state sponsor of terrorism — but North Korea already spent years on the list before the Bush administration removed it during the past decade.

With conventional options so limited, the preferred option of several former officials and cyber watchers who spoke to POLITICO this week was a brand of psychological warfare aimed at undermining support for the regime in Pyongyang — especially among the Pyongyang-based Communist Party elite, the only segment of the population with access to technology like computers and DVD players.

North Korea watchers say that dictator Kim Jong Un, an inexperienced leader who inherited his position when his father died suddenly, has courted the elite since coming to power — probably because he needs their support but is uncertain of it.

One psychological-warfare response might be for government hackers at the NSA or elsewhere to break into North Korea’s state-controlled Internet and pepper the nation’s computer users with articles from The New York Times and other websites that the nation’s rigid controls on information and speech don’t allow, suggested Bruce McConnell, former Homeland Security Department cyber counsel.

Such an action would likely be legal under the intelligence community’s covert action authority, provided the hackers didn’t damage North Korea’s critical infrastructure along the way, experts said.

It would also strike at the very ideological divide that the Sony hack exposed: For North Korea, “The Interview” — the film that apparently motivated the attack and that portrays Kim as a buffoonish tyrant who’s ultimately assassinated — is an act of war; for the U.S., it’s free expression, a right enshrined in the constitution.

“On diplomacy … you can’t do much more with public isolation, and you can’t do much more with sanctions,” said McConnell, now senior vice president at the EastWest Institute think tank. A response like the information campaign he described is attractive partly because “I don’t think the U.S. has a lot of options here,” McConnell said.

Another response might be for Congress to appropriate funds for the U.S. government to buy “The Interview” from Sony and distribute it free online, said Martin Libicki, a senior management scientist at the Rand Corp. who’s written extensively on cyber conflicts.

Some anti-Pyongyang protest groups in South Korea have in the past floated DVDs over the border by mass releasing them on balloons, and activists there and in the U.S. have called for similar measures to smuggle copies of the movie in.

Gabi Siboni, director of the Cyber Security Program at the Institute for National Security Studies, went a step further, suggesting the U.S. government should assume financial liability for Sony and for any theater that shows the film, incentivizing them to change their minds about pulling it.

The creativity of the proposed solutions reflects the strange new world of cyber conflict in which the battlefield is comprised of private companies’ computer networks rather than physical geography and in which intangible and ideological assets, such as innovation and free expression, are in play as much as kinetic assets such as tanks, planes and ships.

It was that new battlefield that provoked the government’s muted response today. When administration officials are asked in the abstract what level a cyberattack against the private sector must reach before the U.S. treats it as an act of war, they typically say there must be lives lost, massive financial ruin or damage to critical infrastructure such as an electrical grid.

A bloodless hack against a Hollywood studio, damaging though it was, would not make the cut.

In this case, however, Sony’s decision to accede to the hacker’s demands and not release the film turned the debate into one about national values.

“The U.S. government was sort of forced into this position,” said Adam Segal, director of the Council on Foreign Relations’ Cyberspace Policy program.

“If Sony had played this differently, if Sony hadn’t pulled the movie and said, ‘We’re going to continue showing it,’” he said, “then the government would have been under less pressure to respond given this argument about free expression and North Korea exerting its influence over us.”

But Sony’s decision meant the debate became about the precedent of an artistic work being silenced by international opponents.

“If you think the goal was to publicly embarrass Sony and prevent them from releasing a movie, well, uh, that’s kind of what happened,” said Jacob Olcott, who manages the cybersecurity practice at Good Harbor Consulting.

“The chilling effect the attack will have on Hollywood could be very significant … on Hollywood and on other companies that are considering taking what are perceived as controversial stances on things,” he said.

That chilling effect will be magnified if there is no effective response, experts warned.

During his news conference, Obama told reporters that his advisers “have been working up a range of options” to present to him.

“I will make a decision on those based on what I believe is proportional and appropriate to the nature of this crime,” he said.

Obama appeared to contradict comments Thursday from the State Department saying the U.S. government should not be in the business of telling Sony whether or not to release the film.

“I wish they had spoken to me first,” the president said, adding, “I would have told them, ‘Do not get into a pattern in which you’re intimidated by these kinds of criminal attacks.’”

Some noncyber responses have been floated in Congress and elsewhere.

Rep. Ed Royce (R-Calif.), chairman of the Foreign Affairs Committee, suggested on CNN Thursday that the U.S. might try to cut off North Korea’s access to global finance, telling banks they can do business with the communist state or with the U.S. but not both.

Senate Foreign Relations Chairman Robert Menendez (D-N.J.) sent Secretary of State John Kerry a letter Friday asking that North Korea be returned to the government’s list of state sponsors of terrorism. The Bush administration cut North Korea from that list in 2008 amid ultimately unsuccessful talks to halt the nation’s nuclear program.

If the U.S. can definitively link particular members of the North Korean government or military to the attacks, the Justice Department ought to write up indictments, just as it indicted members of China’s People’s Liberation Army for hacking U.S. companies in May, said Catherine Lotrionte, director of Georgetown University’s Institute for Law, Science and Global Security.

Those PLA indictments were largely symbolic, however, and have had little effect other than to further deteriorate bilateral cyber talks between the U.S. and China.

North Korea indictments would likely have even less effect, Lotrionte acknowledged, because the isolated regime won’t feel the same sense of moral opprobrium that China, a rising economic power, has.

One reason the U.S. may be keen to respond to the North Korean attack is because we have so little to lose in that relationship, Libicki pointed out.

Responding to a Sony-level attack by China would endanger one of the world’s largest trading relationships; responding to Russia might further devolve the situation in Ukraine; and responding to Iran might destroy any hope of progress in negotiations to halt its nuclear program, he noted.

With North Korea, on the other hand, there’s not much else at stake.

Libicki also pointed out that for all of the complexity of the new cyber battlefield, that complexity is preferable to the old, kinetic alternative.

“Harry Truman’s battlefield was two countries capable of destroying each other. We’re not there and thank God for that,” Libicki said. “Cyber isn’t going to get us there. We can worry about cyber, to a large extent, because we don’t have bigger things to worry about, and that’s just fine with me. I rather enjoyed getting out from under the Cold War.”

No comments:

Post a Comment