North Korean Cyber Attack on Sony Poses Tough Security Questions
While cyber attacks are on the rise around the world — both from inside and outside threats — this was the first known instance of a country deliberately causing destruction to a U.S. company’s data.
“We’ve never seen a nation-state use its capability, albeit somewhat limited, in a way that actually destroyed data,” former House Intelligence Committee Chairman Mike Rogers, R-Mich., said in a panel hosted by the Bipartisan Policy Center.
Although many entities, including governments, often bypass companies’ cyber security defenses, they typically observe and may at worst interrupt service temporarily, panelists said.
“We’ve seen denial of service attacks, clearly,” Rogers said. But North Korea “stole intellectual property, and it destroyed enough data to make it very difficult for Sony to operate.”
In 2012, Iran reportedly tampered with data belonging to Saudi Arabian oil company Aramco. But there has been no confirmed case of a nation-state hacking a U.S. company prior to November, Rogers said.
Though President Obama confirmed that the attack was perpetrated by North Korea, he has described the event as one of “cyber vandalism” instead of terrorism.
President Obama had said in his response that the repercussions for this act of cyber vandalism would be handled “proportionally” — a word that former CIA director Gen. Mike Hayden said should have been removed from the speech.
“This has implications beyond cyber stuff,” he said. “They [North Korea] have taught us to tolerate ever-more provocative actions.”
Paul Stockton, managing director at Sonecon LLC and former assistant secretary of defense for homeland defense and Americas’ security affairs under the Obama administration, disagreed.
He commended President Obama for his use of the word “proportional,” calling it a wise move considering the absence of precedent in dealing with a crisis like this.
The U.S. response to the attack has been a source of much controversy, which is a direct consequence of being behind on codifying cyber definitions, policies and practices, domestically and internationally, Stockton said.
The impact of having no real laws in place to deal with cyber attacks is detrimental both economically and politically, he said.
Rogers said he expected a more offensive, reactionary response from the United States than increased sanctions.
It was reported that North Korea experienced a denial-of-service attack just hours after Obama named the country as the perpetrator behind the Sony attack. However, no U.S. representatives made any official comments about the disruption.
The United States needs to act in a way that shows it will not tolerate attacks like this because the world is watching, Rogers said. “Iran is watching. Russia is watching. China is watching. Every international criminal organization is watching. These are the steps now that we’re going to have to work our way through as a country.”
Publicly disclosing that North Korea was responsible was a big step in the right direction, he added.
The biggest problem moving forward is the continued lack of policy to deal with cyber conflicts.
“We’re in an era where cyber conflict is burgeoning, and we lack the rules of the road,” Stockton said. “We lack the norms. We lack the principles derived from law of armed conflict.” This framework will be necessary moving forward.
“We need to be standing up for the laws of conflict in the cyber realm that are going to be good for the United States, good for U.S. security over the long haul,” he said.
Rogers added that, without such standards, the government can’t appropriately respond to cyber breaches.
North Korea’s attack on Sony was merely a small taste of the potential damage that could be caused by cyber attacks perpetrated by nation-states, he said. Destroying an entertainment company’s data — though embarrassing for Sony executives and the company’s reputation — ultimately didn’t cause harm to civilians. But the relative ease with which it was able to hack into the company has much greater implications for critical infrastructure companies.
The actors engaging in cyber theft and vandalism are much different than they were even five years ago, Art Gilliland, senior vice president and general manager of enterprise security products at Hewlett-Packard, said in an interview.
Nation-states, organizations and individuals have begun buying and selling cyber services and software on the black market instead of relying on their own capabilities — a trend that has been called “hackers for hire.”
Countries or entities with a common message or a goal have begun to exchange cyber services or software in order to cause destruction, he said.
Stockton said, “We know now that a nation with one-thousandth of the U.S. GDP has access to sufficiently sophisticated cyber weapons [and] that they can launch destructive attacks against a major corporation. That’s very different from seizing operational control of a power grid or the natural gas system.” But “we’ve had a wake-up call.”
Rogers said the Sony hack should be taken as a teachable moment. Entities now can acquire large tools for a small investment and inflict maximum damage.
If a group in North Korea can put together something to go after a company that had already been hacked, imagine what a nation-state with superior capability and malicious source code could have done, he added.
Hayden said, “This is a pathological little gangster state” that managed to do quite a bit of damage to a company using tools that, while mildly sophisticated, are not extraordinarily hard to come by.
The United States must continue to codify cyber law because “the trend is one way, and that is toward nations obtaining increasingly sophisticated cyber capabilities,” Stockton said.
Rogers said, “The North Koreans didn’t have some new cyber technique. They didn’t have any new malicious source code. They just went around the net and took things that had already been exposed and put it together.”
It wouldn’t be necessary to go after critical infrastructure, he said. Simply going after the supply chain would be highly detrimental to a large fraction of the general population.
The issues are multifaceted, and neither companies nor the government are equipped to address them, Rogers added.
The real awakening that came with Sony’s hack was the damage to its property in the form of data, he said. If the target had been in an area more critical than the entertainment industry, like an electrical company, it wouldn’t just be the executives who would be suffering.
That’s where private and government interests meet, he added. While a private company may be the direct target, the victims affected by an attack like that would be part of the public interest.
In his State of the Union address, Obama said, “We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.”
The Senate now is exploring a cybersecurity bill that aims to create a system to incentivize companies to share information with the federal government.
It is essential to have infrastructure in place that lets government and private companies share critical information quickly, Gilliland said.
Right now, the government and companies are limited in how they can deal with cyber attacks as separate entities. The idea of a cloud sharing system between the private sector and the federal government has been debated in Congress, but the implementation of an information sharing system is not expected to happen any time soon.
“If we don’t have some way for the government to at least assist private sector in protecting their networks, it makes very little sense to go over and try to create some offensive trouble,” he added. “They [other countries] are not going to come after the government networks, they’re going to go after these private companies.”
Until such laws are in place that allow the government to act on behalf of private companies, the best thing that can be done is to equip them with the proper defenses, he said.
Stockton said it is critical for the private sector to consider the security framework as explained by the National Institute of Standards and Technology, which “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes,” according to its summary.
That would put the onus on the private sector to take an active role in protecting its data assets, Stockton said.
Gilliland suggested that the long-term cyber security defense goals are much clearer than the short-term plans.
“We’re in this sort of strange transition between the old world and this sort of future world. I think the sad thing for us in the short-term is most of the things we could do today that would make us more secure, we are not doing,” he said.
Two things that would make the most difference are using software correctly and then encrypting information more broadly. Both of these actions would drastically reduce break-ins and information theft, he said.