Ram Levi is the CEO of Konfidas, a cybersecurity consulting firm, and a Senior Fellow at the Yuval Ne’eman Workshop for Science, Technology and Security. He formerly served as the secretary of the Israeli prime minister’s national cyber initiative task force.
In the confines of national security, deterrence is the act of preventing another party from taking action out of fear of the consequences. In the attack against Sony Pictures Entertainment, North Korea failed in deterring Sony from releasing the movie “The Interview,” and the United States failed in deterring North Korea from attacking Sony. Why? In cyberspace, the rules of the game are different. States are not deterred and regard cyberattacks as consequence-free because adversaries have not paid a price for the attacks. That changed with Obama’s unprecedented actions against North Korea and may herald the dawn of cyber deterrence.
There is little doubt that cyberattacks are getting more brazenly destructive. In 2012 the Shamoon virus was used to delete data on 30,000 computers at Saudi Aramco. A few weeks later, the same virus attacked 12,000 computers at RasGas, a Qatari company. The attacks were attributed to Iran and interpreted as Iran “firing back” in response to cyberattacks and sanctions on its oil exports (recently released NSA documents suggest Iran learned to do to others as was done unto it). According to a Saudi Aramco representative, Iran sought “to stop the flow of oil and gas to local and international markets.” While the attack failed to disrupt oil production, it succeeded in disrupting the oil production business.
In March 2013, data on 48,000 computers was deleted in three banks and two television stations in South Korea. The attack caused a staggering $750 million in damages and was attributed to North Korea. A similar attack happened in February 2014 that affected the Las Vegas Sands Corporation. According to Bloomberg, “PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The company’s technical staff had never seen anything like it.” The United States has now attributed that attack to Iran.
For cyberattacks crafted and executed by state actors, difficulty in attribution makes retaliation difficult. Attribution, or determining the perpetrator behind a cyberattack, is often not possible by forensics and pattern analysis but only from intelligence. Even when intelligence is available, nations are often reluctant to publicly reveal it and endanger their sources, giving the attacker plausible deniability.
This paradigm may have changed in the Sony attack. The FBI attributed the attack relatively quickly and several U.S. officials publicly discussed some of the technical methods used in the attribution process. A few days after the FBI announcement, President Obama sent a clear message saying North Korea “caused a lot of damage” and the United States “will respond proportionally.” According to the NSA Director Admiral Michael Rogers, “the entire world was watching” how the “United States as a nation [is] going to respond to this.”
The response didn’t take long to come. In the days after the Sony incident, North Korea’s Internet connection was knocked offline and the North Korean government blamed the United States. A few days later, the White House announced a series of sanctions for North Korea, stating they were a direct “response to North Korea’s attack against Sony.” The White House made sure to indicate that the sanctions were only “the first aspect” of its response.
Despite the timing of the North Korean outage, mere days after the Sony attack, the United States denied any involvement, possibly to maintain some form of plausible deniability and to avoid brandishing its offensive cyber capabilities. If the North Korean Internet outage was not the U.S. government’s work, then it was a lost opportunity for the United States to respond in kind to a cyberattack.
President Obama recently signed an executive order promoting cybersecurity information sharing and establishing a new cyber threat intelligence center in the office of the Director of National Intelligence. The president, however, admitted that the order was only a first step and that the United States is “not even close to where [it] needs to be.”
To get to where they need to be, governments need to focus on three particular areas:
- Develop a policy for using intelligence in the investigation of cyber incidents to improve timely attribution. The Sony case is a good example of the FBI leading a whole-of-government attribution effort;
- Improve deterrence by denial by investing in defense mechanisms and developing policies for collecting and sharing relevant operational intelligence with the private sector. The private sector is not equipped to collect intelligence on nation-state actors, and the intelligence shared should be used for targeted cybersecurity aimed at increasing the cost of executing attacks; and
- Improve deterrence by punishment by having the will to follow through on counterattacks in the event deterrence fails.
The cyberattack on Sony was bad for the company, but it might be good in the long run for other entities. It was important in raising awareness about the seriousness of cyberattacks and will likely be a catalyst for improving cybersecurity in the private sector. The successful cooperation between the FBI, NSA, and Sony may set a good example of information and intelligence sharing.
Most importantly, this might be the dawn of cyber deterrence. When the United States blamed North Korea and retaliated, it conveyed a symbolic but clear message to cyberattackers—the days of cost-free cyberattacks are over. With the ability to attribute and retaliate, deterrence will emerge over time as attackers will fear the consequences of their actions.
Too bad we needed a Seth Rogen film for this to happen.