60 Minutes on the Sony Cyberattack: There is no defense, only deterrence

CBS has published video of a Sixty Minutes segment on North Korea’s 2014 cyberattack on Sony, hosted by correspondent Steve Kroft.

The conspiracy theories of a few pro-Pyongyang gasbags and assorted cranks notwithstanding, the President, the Directors of the FBI and the NSA, and our country’s best technical experts agree that Pyongyang did it. I’m certainly no technical expert myself, but I don’t have to look back from the moon to believe that the Earth is round. After all, it’s not as if President Obama needed to frame Kim Jong-Un for the Sony cyberattack and threats to have an excuse to do approximately nothing about them. Another point that should not be lost is that the attack was carried out with the material support of the Chinese government, whose dictator will soon be welcomed to the White House.

Kroft says the attack qualified as the use of force against the United States. According to cybersecurity expert James Lewis, “The significance is that a foreign power has reached out and touched an American target. The fact that the North Korean government felt that it could do something in the United States and get away with it – that’s what’s significant.” I agree that that’s very significant, but I’d argue that an even more significant implication arises from the threats that followed the cyberattack: that a foreign power carried out an act of terrorism against the U.S. civilian population – unlike The New York Times, I apply the term according to its legal definition – to censor free expression. In 2014, Kim Jong-Un extended the long arm of his censorship to our society, a society that treasures free expression as its most important constitutional right. Successfully. And got away with it.

That is a problem, because a failure of deterrence would leave us essentially naked to the next attack. The report points out the sheer impracticality of defending any network, when even a relatively unsophisticated piece of malware, like the one used for the Sony cyberattack, can be so successful.

That leaves us with deterrence. Kroft quotes Lewis, who correctly says that our only real deterrent against this sort of attack is “going after the leadership, going after the revenue streams coming to the leadership.” Kroft then incorrectly says that that’s what the Obama Administration has done. In fact, the Obama Administration promised a proportional response, but delivered a sub-proportional one that former CIA Director Michael Hayden accurately described as “symbolic at best” – blocking the assets of ten low-level arms dealers, and three entities whose assets had already been blocked for years. Almost a year after the Sony attack and threat, the Obama Administration has done little of consequence to deter the next one. And although the U.S. intelligence community is saying that there have been no more North Korean attacks on the United States since then, North Korea is believed to have around the same time as the Sony cyberattack, and was implicated as recently as this week for planting malware in a South Korean word processor used by military officers.

For anyone who’s paying attention, the Sony threats ought to have changed everything. There is a school of thought, after all, that says we should just ignore North Korea and let it go nuclear, which is pretty much what the Obama Administration has spent the last seven years doing. Sony exposed the fallacy of this strategy. No matter how stubbornly our government refuses to be interested in North Korea, North Korea will always be interested in us. It needs conflict with us to justify the very existence of a system that can’t provide for its people, and it shields that system behind isolation and repression. To Pyongyang, the very existence of free thought and free expression that might break through that isolation is a mortal threat to its survival. As long as Americans feel free to make movies about North Korea, to criticize North Korea, or to refuse North Korea’s extortionate demands, North Korea will be interested in us. The closer North Korea comes to credibly threatening the United States with an effective nuclear arsenal, the fewer options we will have to deter its attacks.

~ ~ ~

Update: The South Korean President’s special security advisor in charge of cyber-defense also wonders about the sufficiency of her government’s deterrence.