Response to Sony hack reveals limits of U.S. cyber doctrine
The Obama administration imposed additional sanctions on North Korea Friday in response to the November cyber attack against Sony Pictures Entertainment. The sanctions, which block access to the U.S. financial system, target 10 North Korean government officials, as well as the reclusive regime’s military intelligence bureau and state-run arms dealer.
But while cybersecurity analysts continue to argue about whether North Korea was behind the attack and what it might mean for the prospects of new cybersecurity legislation in the new Congress, some national security analysts see the real lesson as the time it took the U.S. to respond to what it has said was a state-sponsored cyber attack that undermined free expression and caused significant financial harm to a major corporation.
“This should be another wake up call to this administration that we desperately need a national-level doctrine that charts our course for the cyber era,” said Tim Sample, former staff director of the House Permanent Select Committee on Intelligence and a 30-year intelligence community veteran. The Sony hack, the decision to pull the film from the theaters, and the resulting U.S. response (proposing sanctions and possibly adding North Korea back to the state sponsor of terrorism list) “all point to one salient point; we do not have a national-level doctrine for the cyber era and we desperately need one,” Sample said.
The Obama administration took nearly six weeks to respond to the Sony hack. And while officials have acknowledged that there will be aspects of the U.S. response not made public, the amount of time it took to assign responsibility for the attack and to devise a response raises serious questions about the administration’s progress in devising a realistic, coherent cyber doctrine.
It’s been more than two years since President Barack Obama signed Presidential Policy Directive 20, or PPD-20, a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks. PPD-20 is considered the government’s first step toward laying a foundation upon which a national doctrine governing cybersecurity could be devised.
The importance of PPD-20 stems from what many say is the document’s broad outline of what the U.S. government is willing to actively defend in cyberspace and, depending on the circumstances, how it should go about defending those assets. In addition, PPD-20 is believed to have laid the foundation for moving U.S. cyber defenses beyond static policy debates about roles and responsibilities, and toward a more active defense of cyber assets and private enterprises deemed critical to national security. It is because of PPD-20 that some analysts have speculated that the recent Internet outage in North Korea may have been the work of the U.S. military.
There are dangers, however, associated with taking an offensive posture in cyber defense, most notably the chance of miscalculation. There remains a debate about whether defensive cyber attacks can be conducted with enough precision that they can avoid impacts on civilians — impacts that could be interpreted as an act of war. The Sony attack, which some prominent lawmakers have called an act of cyber war, is a perfect example of a major policy question that has baffled cybersecurity policymakers for at least two decades: At what point is a cyber attack considered an act of war? And what if a cyber adversary’s definition of an act of war in cyberspace is different from the U.S. definition?
In 2012, Sample and co-editor Michael Swetnam compiled a volume of essays titled “#CyberDoc: No Borders – No Boundaries” as a preliminary framework for the development of a national doctrine for the cyber era. Several of the authors explored the viability of developing a cyber doctrine by raising the prospects of applying to cyberspace the concepts used in U.S. nuclear doctrine, such as containment, mutually assured destruction and first strike.
According to Sample, the U.S. has not had a national-level doctrine since the end of the Doctrine of Containment in 1991 as the Cold War was ending, and the nation has suffered significantly for this. “In essence, we have not developed, nor articulated any sort of doctrine in the ‘Grand Strategy’ sense and have, instead, lurched from one crisis to the next over four administrations,” he said.
“The Sony issue, and the sanctions on North Korea, point out how unprepared we are and how much we would like to ignore what’s in front of us in the hope that it will not affect us all that much,” Sample said. “Unfortunately, we are treating this issue with our usual sense of what are the norms for legal behavior and response. What we face doesn’t neatly fit into this mode, but [we] can’t seem to grapple with that reality yet.”
The Sony example
The Sony hack may well be a case study in how the U.S. defines a national security level cyber incident and the roles and responsibilities of the government and private industry.
“Sony is going out of its way to play the victim here and believes it is incumbent on the U.S. government to protect its interests,” Sample said. “We have, as a nation, decided that protecting an individual company is the job of that company and have encouraged every company to adopt baseline standards of IT security,” he added, referring to the voluntary cybersecurity framework developed by the National Institute of Standards and Technology and supported by the Department of Homeland Security.
In fact, the U.S. government has given in to pressure from Silicon Valley and has gone out of its way not to regulate or require companies to adopt specific protections. And because there was no specific damage to any U.S. national security interests from the attack against Sony, it is far from clear if the government has any responsibility to respond, according to Sample. “Additionally, what if Sony had the sophistication and ability to not only defend itself, but to strike back? As a private organization, could it respond and should it be allowed to? Certainly, some companies do have such capabilities and could likely respond much faster than the U.S. government could,” Sample said.
The question, from Sample’s perspective, then becomes should we allow and or sanction such activity? “Defining an appropriate relationship between industry and government must be part of a doctrine and, at the end of the day, will take leadership on behalf of the President as part of our overall national security make up,” he said.
In the long term, the Sony hack will likely be just a blip on the screen when it comes to the development of a national doctrine for cyberspace security and defense. And despite all of our sophisticated technology and our growing ability to use that technology offensively, there will be situations where technology will not give the U.S. the types of responses that policymakers desire, according to Sample.
But active cyber defense also brings up a host of additional issues that confound our government, Sample said. “Collateral damage, physical or otherwise, will be something that is more likely in the cyber era. For example, one can take out a portion of a country’s electrical grid in order to degrade a country’s air defense system, for example,” he said. “What if such a move also created a blackout of an entire region, including civilian facilities and support? How does this factor into our human rights criteria? There are very few actions that we can affect via cyber means that will have the precision of a cruise missile.”