Discussions over the nature of the cyber attack against Sony Pictures Entertainment, launched in an attempt to prevent the release of “The Interview,” continue to spark heated debate, and the US response to it has been at the epicenter of these discussions. Indeed, the US course of action constitutes many significant “firsts,” with potentially damaging reverberations for its extended deterrence policy on the Korean peninsula, in Northeast Asia and globally. The publicity surrounding this incident highlights the problematic issue of what is an appropriate response to cyber offensive actions that seem to be increasingly the weapon of choice for otherwise marginalized states like North Korea.
Speak Loudly and Carry a Small Stick
One month after the attack on Sony, the FBI officially named the DPRK as the instigator—moving with unprecedented speed and certainty. On January 2, 2015, the US proceeded to impose sanctions against three North Korean entities and 10 individuals, curtailing their access to US financial markets, the first time that any country responded to a cyber attack so forcefully and in such a public fashion. Public discussions of potential retaliatory measures against North Korea included direct cyber offensive measures, criminal indictments of the individual perpetrators and renewing the DPRK designation as a state sponsor of terrorism. However, while the US action constituted a significant departure from past international responses to cyber attacks, North Korea had already been subjected to sanctions for decades and the targeted individuals had limited financial ties outside the country.
In short, the immediate impact of these measures appears to be more symbolic, rather than pressure-inducing or precedent-setting. Moreover, the sanctioned entities were also allegedly involved in nuclear and missile procurements for the DPRK—perhaps these sanctions conveniently hit two birds with one stone? Of course, the US may also have taken less visible actions. North Korea experienced significant problems with its internet services over December 20-23, 2014, following the FBI statement and prior to President Obama’s announcement of the US response. But American officials subsequently denied any involvement.
Precedents and Norms—Not Forceful Enough
While the US action may seem like a step forward in the context of responses by other nations to arguably far more damaging events, the controversy surrounding the steps taken by Washington (and the subsequently limited international endorsement), as well as its ultimately symbolic nature, suggest they did not go far enough. The response failed to send a message of strength to potential future cyber offenders or allies facing similar challenges. For example, the US used sanctions in response to cyber penetration for the first time in May 2014, indicting five Chinese military hackers for cyber espionage activities during 2006-2014. Since cyber intelligence gathering or data destroying operations emanating from Chinese territory have been far more problematic in the past for the US security apparatus as well as its corporate entities at home and abroad, that indictment signified an important step, even though it was not publicized nearly as much as the Sony case. Yet, in formulating its response to the Sony hack, the US did not invoke the previous Chinese indictment as precedent. Moreover, it did not make the point of establishing a consistent response, which is also curious since the DPRK may have had to launch the Sony attacks from Chinese territory because of its own bandwidth limitations. If anything, handling each case in isolation and reacting with somewhat similar measures to drastically different threats has muddied the waters of appropriate (or even likely) future responses.
Granted, while a growing number of countries and corporations have been falling prey to politically or financially motivated cyber intrusions, consensus on the appropriate response framework has been slow to emerge. For instance, as the Sony affair was unfolding, Germany reported a particularly powerful cyber attack on an unidentified steel mill (only the second ever cyber incident able to cause direct physical damage), and another incident of its government websites coming under attack by a pro-Russian group. Yet, Germany took no formal action against the perpetrators in either case and the US actions against the DPRK were hardly held up as a role model, in part because many in Europe remain skeptical about the attribution of this attack.
Crossing the Public-Private Divide
Traditionally, the US has not been a frequent target of cyber attacks by North Korea or sympathetic hackers—the Sony hack is only the second such instance. It is curious that an attack against Sony led to perpetrator sanctions, when American industries of arguably great strategic significance have found themselves under cyber attack from other sources over the past several years. Just over the past two years, the target list has included media outlets, financial and technology service providers, as well as US government bodies. An incident concerning a defense subcontractor BAE Systems was of special concern, since the blueprints of the F-35 fighter may have become available to US adversaries.
The Sony hack can hardly compare to any of these cases in terms of financial losses, the amount of exfiltrated confidential data, or equipment destroyed. Since the leaked data concerned pop-culture celebrities of international fame, perhaps their high visibility to the masses resulted in pressure to take action? Or perhaps it was because the US has recognized the significance of being able to project soft power, which in many parts of the world has become synonymous with Hollywood movies and fast food chains. Although the White House has called the Sony hack “a serious national security matter,” a symbolic response was seemingly matched to the symbolic threat—potentially also coupled with concerns about cyber escalation with the DPRK if the US reaction had been more punitive. If critical will had indeed been reached within the administration to make an example of a cyber offender and retaliate strongly in an attempt to dissuade others from launching cyber attacks against the US or its allies in the future, a comparable campaign in response to any of the incidents discussed above would have served much better to convey this message. While going beyond rhetorical condemnations in response to a cyber offensive (especially one attributed to a state) was a commendable step in principle, attempting to project a forceful and highly public stance towards an incident of this nature detracted from the authority and credibility of the US in this instance.
One distinguishing feature of the Sony cyber attack was the element of a coercive threat: traditionally, cyber penetration has been occasionally accompanied by destruction, signaling the perpetrator’s presence and capabilities, but pressuring the victim (not) to act in a certain way, or to suffer further damage is a new use of cyber tools. As often is the case in deterrence, threats and perceptions of their credibility tend to be more powerful than the actions implied; and being implicated in the Sony hack may have even benefited the DPRK. Whether or not North Korea was behind the attack, its declaration that the release of “The Interview” would constitute an “act of war” was taken seriously, and its capabilities to act on this pronouncement were assessed as sufficient for its culpability to be entertained. The incident arguably served to raise the profile of North Korea’s emerging cyber offensive capabilities, while the punishment delivered did little to signal US ability to dissuade the DPRK or other potential perpetrators from similar acts in the future.
This limited, selective US response to a cyber attack that has been attributed to the DPRK could leave its Asian partners questioning the credibility of US extended deterrence guarantees in the face of the changing nature of security threats. The ROK has been regularly subjected to cyber security breaches, and its officials have been very vocal in attributing them to the DPRK (though the ROK has not resorted to retaliation). Historically, such incidents have tended to intensify around the time of ROK-US joint military exercises, which North Korea perceives as a direct threat to its security. However, beyond recognizing regular North Korean efforts to jam GPS signals during these exercises as a source for concern, neither the ROK nor the US seems to have taken a specific course of action in response. Cyber incursions into the ROK had intensified to such an extent that in 2014, the country had officially announced the establishment of a concerted effort to develop national cyber offensive capabilities. While taking steps to strengthen national resilience to cyber offensives is commendable, South Korea’s overtly signaling a willingness to resort to unilateral offensive action against an impending or unfolding cyber attack from the DPRK indicates a lack of faith that the alliance with the US and associated collective security commitments in other domains could stave off such future threats. While the ROK and other allies in Asia face challenges posed by the DPRK’s growing cyber offensive capabilities, America’s continued emphasis on extended deterrence guarantees, as underwritten solely by its nuclear and conventional arsenals, looks increasingly like a nominal nod to the pretense of regional stability. The US response to the Sony hack is yet another example of the loud-talk-small-stick dynamic.
Cyber attacks are increasingly becoming the lowest common denominator in the use of force, comparable to the localized non-state actor conflicts that simmered on the periphery of the superpower Cold War confrontation. These provocations serve to test the adversaries’ defenses and responses, with limited responsiveness serving to gradually push the threshold of acceptable damage further and further out. In this context, setting up a dialogue involving the US and its regional partners (South Korea, Japan) to explore the prospects for collective defense arrangements against cyber threats could serve as a reinforcement of extended deterrence commitments. Such an initiative might come as an addition to the trilateral intelligence sharing agreement between the US, ROK and Japan concerning the North Korean missile and nuclear threats, which the countries signed in December 2014.
Nevertheless, it is important to recognize that deterrence by dissuasion in cyber space remains a problematic concept: the inherent difficulties of signaling and gauging the responsiveness of an adversary in an information-scarce environment are magnified by the lack of a normative framework outlining the rules of engagement in this domain. Furthermore, North Korea poses a particular challenge in terms of cyber dissuasion because of the inherent opacity of its regime and the subsequent difficulty of establishing mutual baseline expectations of strategic behavior.
There may be even greater opportunities focusing on deterrence by denial, collectively working to fortify potential targets against North Korean cyber incursions. Mutual public sector engagement in the form of assistance for improving crisis preparedness measures and developing capabilities to restore functionality after a cyber attack would be important areas for US-ROK-Japan collaboration. In addition, the US and its partners should prioritize the development of public-private partnerships with industries deemed of national significance, incentivizing companies to invest in maintaining adequate security measures in the face of evolving cyber threats from North Korea and other state and non-state actors. Encouraging companies to periodically conduct cyber stress tests, and promoting the sharing of best practices across borders and industries would also be a helpful step. In this vein, it is worth considering adopting a lesson from the financial sector, where banks have long been mutually assessing each other’s vulnerability and crisis preparedness on a voluntary basis. This has been done despite inevitable concerns about proprietary information and corporate secret disclosure in this peer-review process. All of these measures would not only harden targets in the private sector, contributing to averting a potential crisis in the future, but also would be powerful diplomatic signaling tools.
 For example, Estonia, which suffered a three-week-long assault (the first massive cyber offensive against a state) in 2007, blamed Russia unofficially, and while the incident caused considerable concern among NATO and EU leaders, no state or entity was formally accused as supporting or instigating the attack in its immediate aftermath. The incident stirred international discussions about collective defense for NATO members under a cyber attack, but no direct measures were taken against the culprits of this incident, who were eventually identified as a pro-Russian youth group Nashi.