President Barack Obama described North Korea’s hacking of Sony Pictures Entertainment as “cybervandalism” — rather than a cyberattack — infuriating many critics, but his wording highlights just how new the rules are on this nascent battlefield.
When, how, or even if the U.S. should respond militarily to cyber intrusions remains unsettled, although the Pentagon has taken a rhetorically hard line on retaliation since the U.S. Cyber Command was established in 2009 and declared cyberspace a warfare domain a year later.
Several years ago, the Wall Street Journal quoted an unidentified military official summarizing the consequence of attacking U.S. infrastructure via cyber: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
But the Sony hacking case illustrates how tricky it is to gauge a proportional response to cyber invasions. Some cyber experts say that intrusions such as North Korea’s into the Sony network don’t even quality as “attacks.”
The fact that North Korea hacked into the computer network of a nongovernment entity certainly complicates a response by the U.S. government.
“I think that’s the point of the kinds of cyberattacks they’re conducting,” said Carl W. Baker, a Korea expert with the Pacific Forum CSIS in Honolulu and a former intelligence analyst for U.S. Forces Korea.
“They’re basically annoyances. They’re not really damaging to long-term national security interests of the United States.”
He compared the Sony hack to a March 2013 cyberattack in South Korea in which the computer systems of banks and broadcasters froze for days, followed by an attempted intrusion into the government’s websites.
“They can attack systems that are by nature more vulnerable than those systems that really matter to the national security of the United States or South Korea,” Baker said. “I think that’s what we need to understand. They certainly have capability, and they exercise that capability with an understanding of what risks are involved. I think they see this as something that’s in their national security interest, and it’s probably marginal to U.S. national security interest, so they’re probably willing to take that risk knowing that the outcome is going to be no worse than people complaining about North Korea’s cyber capabilities.”
North Korean websites were down for more than nine hours Tuesday, and service was intermittent a day later, leading some to speculate that the U.S. was making good on Obama’s vow to respond to the Sony hack. Neither the U.S. nor South Korea offered public statements on the outage.
Regardless of who or what caused that Internet crash, cyber retaliation against North Korea isn’t a particularly effective response to computer raids directed by the Kim Jong Un regime, argues cyber expert Motohiro Tsuchiya.
“Responding to North Korea by cyber means is not a big deal actually, because they are not dependent on the Internet,” said Tsuchiya, a professor of the Graduate School of Media and Governance at Keio University in Tokyo and currently a visiting scholar at the East-West Center in Honolulu.
“They are not dependent on digital technologies. Only a few people are using the Internet in North Korea, so it’s not big damage to them to stop the Internet, actually.”
And by strict application of international law, the Sony hack wasn’t an “attack” because it didn’t involve physical damage, he said.
“They were just stealing information, disclosing private communications and trying to disrupt a public screening,” Tsuchiya said. Examples that meet the threshold of an attack would be killing someone, breaching a dam or crashing an airplane.
Some cyber analysts think that it’s unsound to equate a cyberattack on American interests with a “kinetic” attack involving bullets and bombs.
“A cyberattack, in and of itself, does not demand an immediate response to safeguard national security,” said Dr. Martin C. Libicki, a technology expert with the Rand Corporation, during testimony before a House committee last year.
Libicki argued that the U.S. shouldn’t back itself into a corner in which it must always respond to a cyberattack “whether doing so is wise or not.”
Overemphasizing cyber threats “tends to compel the United States to respond vigorously should any such cyberattack occur, or even merely when the possible precursors to a potential cyberattack have been identified,” he testified. “Having created a demand among the public to do something, the government is then committed to doing something even when doing little or nothing is called for.”
Cyber tampering by a relatively small power such as North Korea poses little real threat, at least for now, said Erik Gartzke, an associate professor of political science at the University of San Diego and professor of government at the University of Essex in England.
“If an enemy turns out the lights in California but cannot follow through with some other action, then eventually, the lights come back on and the United States is really annoyed,” Gartzke said during an interview before the recent Sony hack. “Breaching an enemy barrier — as occurred on Omaha Beach during the Normandy invasion — is only decisive because there are U.S. forces ready to exploit this breach.”
Few, if any, adversaries to the U.S. have such a capability at the dawn of the 21st century.
“There may come a time when an enemy of the United States can use a cyberattack to create conditions that allow other more kinetic forms of force to be carried out in a way that threatens U.S. interests or power,” Gartzke said. “I think this is a very long way off. Because invading the U.S. or destroying America’s capabilities to retaliate are pretty far-fetched right now, cyber has limited salience as a threat.”
Cyberattacks against the U.S. are “pin pricks,” because opponents know that the U.S. has the military means of carrying out retribution, Gartzke said.
Conversely, America’s credible threat of force would allow it to more effectively employ cyber as an offensive weapon to weaken a foe, such as by disabling radars, before commencing a traditional military operation, he said.