As the North Korean internet suffered a massive outage yesterday, it is difficult not to wonder whether this is the ‘proportional response’ President Obama warned about. While a massive DDoS of the DPRK’s network seems almost too blunt an instrument, considering the sophisticated targeted-operation capabilities available to the NSA, it would be appropriate as a “warning shot” – showing how easily (in a matter of less than a week) the whole Korean internet infrastructure can be disabled. It has to be noted, though, that officially the American administration ruled out the possibility of a demonstration strike. As to whether North Korea is really the source of the attacks, the jury is still out. According to the FBI, the evidence strongly backs this theory; however, some researchers, including Bruce Schneier, remain unconvinced. Those opinions, however, often do not fully embrace the fact that the FBI press release may purposefully present only a very general overview of the evidence gathered, in order not to give a heads-up to the actual attacker.
Until more information is available, two issues can already be discussed, at least to some degree: who could be responsible for Korea’s internet outage, and whether it is proper to engage in cyberwar over an attack on a corporation.
Regarding the first question, a recent write-up about the state of the DPRK’s internet access and the hosts identified there reveals the interesting state of the DPRK’s network, and perhaps a potentially attractive target for hackers. The legal status of such activities also remains in a grey area – it is hard to judge whether authorities would decide to prosecute someone trying to breach the North Korean network, even if, strictly speaking, most provisions included in criminal codes do not differentiate between targets of a breach. Also, given the possibility that the Sony attacks originated from Korea, countries might not want to have such activity leading back to them. The revealed IP addresses even include a login page for a Cisco router (http://126.96.36.199/) – possibly a tempting target for anyone curious. However, the scale of the outage suggests a rather organised effort, and no hacker group has yet claimed responsibility. An interesting theory involves Chinese intervention – perhaps the escalation of affairs caused its involvement in order to prevent further embarrassment.
The question of how to respond to cyber threats is part of a much wider debate – ranging from whether it is legal to hack into the computer of someone who planted a RAT on our machine (whether it falls under self-defence laws), to whether a cyberattack is sufficient to trigger Article 5 of the North Atlantic Treaty. Given how the situation has developed up to this point, it seems that cyberwarfare will for the time being remain in a somewhat grey zone of combat. As Bruce Schneier observed, North Korea has engaged in far more aggressive behaviour, including rocket launches, which did not end in a declaration of war. However, it would be naive to believe that the current situation is a dichotomy between doing nothing and going to war. The grey zone mentioned relates to how separated cyberattacks are from kinetic warfare, at least in terms of political consequences. The most obvious and extreme example is of course Stuxnet – it requires thorough mental gymnastics to differentiate between the use of malware and the use of a missile to cause an explosion in a nuclear enrichment facility. In the case of NATO involvement, the situation becomes even more complex: while it seems that a cyberattack will be treated similarly to conventional warfare, the specifics of how this approach will be applied will have to be clarified. Let’s just imagine how bizarre it would be to witness a joint response to a security breach of a private corporation, aimed at preventing the release of a comedy. On the other hand, a response to an attack on corporate infrastructure itself is not that easy to rule out. First of all, ties between national and corporate security are already tightening. To name a few examples: the ‘Perfect citizen’ program, launched in the aftermath of the Chinese operation against Google; GCHQ guides and cooperation efforts aimed at protecting businesses; and the recently launched National Centre of Cryptology in Poland, which has among its goals facilitating cooperation between government and private entities.
Furthermore, ruling out an attack on an enterprise as armed aggression on principle could have profound consequences. After all, many industries, such as aerospace engineering or military electrical engineering, are in possession of information vital to the strategic safety of a country. However, does this apply to the entertainment industry? It should be noted that, to some degree, such massive enterprises, regardless of their branch, should be taken under some form of security umbrella provided by national agencies. A successful breach of the most successful companies, like Sony, might be used, for example, to spread malware or create a botnet, exploiting the accessibility and popularity of entertainment services. Furthermore, it has to be noted that such attacks do cause some form of economic damage, both directly and in the form of opportunity cost.
Where does this assessment situate the Sony incident? Putting aside doubts about North Korean involvement in the incident, it has to be said that the breach still seems to be a private rather than a national problem. And it certainly is not a justification for war. It has been reported that Sony neglected security issues; furthermore, the reason for the political nature of the attack was to a degree also Sony’s fault. The decision not to release ‘The Interview’ cannot be reasonably justified by supposed threats of theatre bombings and, as even President Obama noted, sends the wrong message to whoever was behind the incident. Does it justify some form of response, though? Answering this question would require much more information than has been released. If the US is certain of the origin and intent of the attacks, a ‘proportional response’ seems reasonable, especially given how cyberattacks are still miles apart from conventional actions in terms of political fallout. It would be neither surprising nor outrageous if the recent DDoS was in fact the work of US agencies. However, anything further might be considered as sending an improper message to corporations – that regardless of negligent behaviour, government powers will come to the rescue. Whether it really was the work of US agencies, and whether it will prevent further attacks or escalate the conflict, will be a measure of the place of hacking in the landscape of the use of force.