Confusion in the wake of the Sony hack
The response to recent attack shows that work is needed for more international norms on states’ cyber policies, says Paul Meyer.
The official confusion apparent in Washington in the wake of the cyber attack on Sony would be bemusing if it wasn’t for the fact that the most powerful country in the world is stating ominously that it will be retaliating “in a place and time and manner that we choose.” Having pronounced unreservedly on North Korea’s culpability the White House has had difficulty in characterizing the nature of the act for which it is holding Pyongyang responsible.
White House spokespeople have said the attack constituted a “serious national security matter” and the terms “criminal act” and “cyber terrorism” have also been bandied about. President Obama in his December 19 press conference appeared to treat it as a hostile act against the United States to which his administration would respond “proportionally” (a key term drawn from the laws of armed conflict) and noted that his national security team was preparing a range of options for his consideration. The next day he seemed to step back from this framing of the offense, saying that it was not an act of war, but rather a case of costly “cyber vandalism.” Given that, according to media reports, amongst the options being generated for the President are offensive measures against North Korea undertaken by U.S. Cyber Command, this begs the question of whether an act of vandalism warrants a military response?
There is also talk of putting North Korea back on the U.S. Government’s list of state sponsors of terrorism, a list from which it was removed in 2008. Such a step would seem to distort the defining criterion out of all recognition in applying a “terrorism” label to the cyber attack on Sony. Civilians were not deliberately targeted and there was no physical injury or death stemming from this operation. Destruction of data yes, unauthorized disclosure of corporate information yes, even veiled threats that bad things could happen to movie-goers, but these are criminal acts if they are anything — hardly a terrorist assault.
Some would observe that the root cause of this crisis is the failure of a major corporation to provide for adequate cyber defence of its computer systems. This is more appropriately a responsibility of the corporation itself than it is of the federal government. By invoking “national security” with regard to the cyber attack on Sony, the U.S. Government may be putting itself into the awkward position of assuming policy responsibility for dealing with the problem. If every state-conducted or state-sponsored cyber attack is to be considered a threat to national security, this could serve as an excuse for some in the private sector to evade responsibility for taking action themselves to prevent such attack. A corporation might claim that the Government should look after its cyber defence in the same manner that it takes care of its air defence against possible attack by a foreign power.
Part of the policy dilemma here concerns the official identification of the North Korean state as the perpetrator of the attack. The FBI has relied on similarities in the malware and tactics of the cyber attack against Sony and earlier ones conducted against South Korea to point the finger at North Korea. There is debate however amongst cyber security experts as to whether the North Korean state is really the responsible agent with several noting indications that the attack appeared in part the work of an insider. A high standard of attribution would seem necessary prior to a state taking action against another state it considers responsible. This would also seem a necessity to justify any offensive action in the light of international law and global public opinion.
If these policy responses by the U.S. seem ad hoc and disjointed, it is because they are. Regrettably, there is little in the way of internationally agreed norms governing how states should conduct themselves in cyberspace. Probably the most important segment of the President’s press conference (and almost completely overlooked in the media commentary) was his call for working out “rules of the road” amongst states as to their actions in cyberspace. The President would be well-advised to energize this aspect of his cyber foreign policy rather than engage in ill-conceived retaliation that will likely lead to further escalation and undercut efforts at forging cooperative security arrangements in cyberspace.