WASHINGTON – The chain of events since the hack on Sony Pictures on November 24 reveals a pressing need for clearer definitions and doctrines in managing cyber conflict. In addition to stealing and publishing troves of internal communications, scripts, unreleased movies, and sensitive information about Sony employees, the "Guardians of Peace" hackers destroyed roughly three-quarters of the computers and servers at Sony's main operations. This is a serious crime, but doubts linger about who the culprit is, at least among private cybersecurity professionals. How to define the crime is also unclear.
On December 19, President Barack Obama publicly accused North Korea of being responsible for the operation. On January 2, the president announced targeted economic sanctions against North Korean officials and its primary intelligence agency, the Reconnaissance General Bureau. According to The New York Times, the administration also hinted at a covert element to its response.
In cyber conflict, the attribution problem, as it is commonly known, is complex. A better way of thinking about it may be as an anonymity-attribution spectrum, which I discuss in a paper on strategic uses of anonymity in cyber conflict. Actors fall along this spectrum depending on their size, resources, expertise, tactics, and the scope of their operations, as well as the tactics and sophistication of those seeking to unmask them.
In the Sony case, U.S. officials say they have been tracking the hackers for years and have classified evidence tying them to the operation and North Korea. Moreover, the FBI last week revealed additional evidence that convinced some skeptical cybersecurity experts about the accuracy of the attribution. Of course, U.S. intelligence agencies could also have human intelligence or signals intelligence such as intercepts of North Korean orders to launch the operation. It is reasonable to assume the administration has conclusive evidence.
Nevertheless, the administration should think hard about the broader repercussions of the way it handles this delicate situation. If the evidence it presents publicly is not convincing, the United States may inadvertently be setting the precedent for other countries to simply claim evidence and engage in a retaliatory response to ambiguous cyber operations. Given how easy it currently is to spoof the origin of cyber operations, this could provide an incentive for rogue regimes to claim an attack on their computer systems by a foreign adversary and use that as an excuse to launch a retaliatory strike. It could also lead to intentional framing by state and non-state actors, which would boost the possibility for miscalculation and escalation. Thus, a minimum threshold of conclusive evidence should be required before sanction and retaliation are undertaken. Of course, where to draw the line is open to debate.
Efforts have been made to develop common rules and definitions for cyberwar, such as the Tallinn Manual, which was a response to the 2007 cyber attacks on Estonia from within Russia. However, less work has been done to understand the murky world of cyber conflict that falls somewhere between transnational crime and war. Obama was wise to use caution in defining the Sony attack as an act of "cyber vandalism," but it was more than that. Given the destruction it caused to Sony's networks, it could be termed cyber sabotage. But does cyber sabotage against an entertainment company rise to the level of a cyber attack that would trigger a country's right to self-defense under Article 51 of the UN Charter? Certainly cyber sabotage that shut down the electric grid for an entire city would reach that threshold. Given that "cyber attack" is commonly used among cybersecurity experts to denote a whole range of intrusive cyber activities, it is crucial to specify whether the term "attack" is being used in the military sense of an armed attack or in the information security sense of network penetration and disruption. As former Supreme Allied Commander for NATO Admiral James Stavridis points out, these definitions are important and carry significant consequences.
No one has a legitimate interest in their own computers and networks being used as covert tools of destruction, blackmail, and coercion, so most countries have a stake in supporting a common global framework for mitigating the risk of cyber conflict. Greater certainty about norms and definitions would bolster stability by reducing the incentive to test the line between cybercrime and cyberwar. Covert retaliation should be a last resort, and responses should be funneled through multilateral frameworks as much as possible. Countries have an inherent right to self-defense, but the complex interdependence and borderless nature of the digital world make this a collective challenge.
We are at an early stage in the era of cyber conflict where doctrines are being created and precedents set. This is not a time to rush or be secretive. Clear communication from Obama on what steps he is ordering the United States to take, what objectives he hopes to achieve, and what precedent he hopes to set will be essential as the situation unfolds. For a president who promised the most transparent administration in U.S. history, now is a time for his actions to match his words.