Countering Cyber Attacks Without a Playbook
New York Times (News Analysis), Dec. 24, Pg. A3 | David E. Sanger
WASHINGTON — For years now, the Obama administration has warned of the risks of a ”cyber-Pearl Harbor,” a nightmare attack that takes out America’s power grids and cellphone networks and looks like the opening battle in a full-scale digital war.
Such predictions go back at least 20 years, and perhaps that day will come. But over the past week, a far more immediate scenario has come into focus, first on the back lots of Sony Pictures and then in back-to-back strategy sessions in the White House Situation Room: a shadow war of nearly constant, low-level digital conflict, somewhere in the netherworld between what President Obama called ”cyber vandalism” and what others might call digital terrorism.
In that murky world, the attacks are carefully calibrated to be well short of war. The attackers are hard to identify with certainty, and the evidence cannot be made public. The counterstrike, if there is one, is equally hard to discern and often unsatisfying. The damage is largely economic and psychological. Deterrence is hard to establish. And because there are no international treaties or norms about how to use digital weapons — indeed, no acknowledgment by the United States government that it has ever used them itself — there are no rules about how to fight this kind of conflict.
”Until now, we’ve been pretty ad hoc in figuring out what’s an annoyance and what’s an attack,” James Lewis, a cyber expert at the Center for Strategic and International Studies, said last week. ”If there’s a lesson from this, it’s that we’re long overdue” for a national discussion about how to respond to cyber attacks — and how to use America’s own growing, if unacknowledged, arsenal of digital weaponry.
All those issues have been swirling in the background in the drama of North Korea’s effort to intimidate Sony Pictures, and the retaliation by the United States — if that was the case — against one of its oldest Cold War adversaries. ”If you had told me that it would take a Seth Rogen movie to get our government to really confront these issues, I would have said you are crazy,” one senior defense official said a few days ago, referring to the Sony Pictures film ”The Interview.” ”But then again, this whole thing has been crazy.”
With Tuesday’s announcement that ”The Interview,” a crude and poorly reviewed comedy about a C.I.A. effort to hire two bumbling journalists to knock off Kim Jong-un, the North Korean leader, will be shown in a limited number of theaters, it is very possible that this confrontation with the least predictable of the nine nations possessing nuclear weapons may not yet be over.
Like most cyber attacks, it started with a simple question: Who did it? But this was no ordinary effort to steal credit card data, like what happened at Target and Home Depot. What made the attack on Sony different was its destructive nature. By some accounts, it wiped out roughly two-thirds of the studio’s computer systems and servers — one of the most destructive cyber attacks on American soil.
It took three weeks for Mr. Obama to take the extraordinarily rare step of publicly identifying North Korea, and its leadership, as the culprit. And even now, the F.B.I. refuses to release much of its evidence, presumably because it could reveal the degree to which the United States had penetrated North Korea’s networks and the Chinese systems through which they are routed. The president’s decision to also mention the Chinese during a news conference last week in which he responded to the Sony attack was ”itself part of the effort to create some deterrence,” one administration official said, ”by making it clear we can cut through the fog.”
But because the government will not make the evidence public, there will be doubters.
”The N.S.A. has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep,” Bruce Schneier, one of the country’s leading cyber experts, wrote in The Atlantic, referring to the National Security Agency. ”The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong-un’s sign-off on the plan.”
”On the other hand, maybe not,” he wrote. ”I could have written the same thing about Iraq’s weapons-of-mass-destruction program.”
But Washington’s declaration that North Korea was the source came paired with Mr. Obama’s warning of a ”proportionate response.” Within days, North Korean Internet connections sputtered and went dead — and after briefly reviving, they were out again on Tuesday.
An American attack? Did the Chinese pull the plug? Did the North Koreans take themselves offline to protect themselves? No one in Washington will say. But it is possible that to deter future attacks, the administration was not looking for subtlety. Instead, it might have simply wanted to remind Mr. Kim that the United States is training 6,000 ”cyber warriors” among its military units, and they all have North Korea’s Internet Protocol address.
Still, if North Korea did bear the brunt of an American counterstrike — a significant ”if” — it will most likely prove more symbolic than anything else and serve to remind Mr. Kim that his family has miscalculated before.
In the summer of 1950, gambling that the Americans were too distracted to respond, the founder of the country, Kim Il-sung, invaded the South. It turned out he was wrong, and the devastating three-year conflict that followed ruined his nation. But, improbably, it left him and his family in power.
Over the past two years, his grandson — who has tailored his appearance to closely resemble the North’s revered Great Leader, who died 20 years ago — has embraced digital weapons precisely because they are far more subtle than sending troops over the 38th Parallel. In fact, cyber weapons are perfect for a failing state. Unlike North Korea’s small arsenal of six to 12 nuclear weapons, they can be used without risking an annihilating response. Unlike North Korea’s missile fleet, they are uncannily accurate. Just ask Sony, which is still trying to figure out whether its attackers had inside knowledge or just got lucky.
But that leaves Mr. Obama with a ”short of war” conundrum. How much American power should be deployed to stop a cyber vandal from becoming a cyber terrorist?
Until the past week, the president’s temptation has been to refrain from responding at all. But the combination of the destructive attack, the effort to silence American criticism of a brutal regime and the threats of attacks on American theaters made this one different.
The mystery now is whether the young, untested Mr. Kim will back off, or whether, like his grandfather, he will push ahead, figuring that an unpredictable North Korea has kept enemies at bay for six decades, and that his new weapon may extend the streak.
China: No Proof Against Pyongyang
Beijing shows it’s reluctant to side with U.S. on Sony attack
Washington Post, Dec. 24, Pg. A4 | Simon Denyer
BEIJING – China said Tuesday that there was no proof that North Korea was behind a cyber attack on Sony Pictures Entertainment, signaling Beijing’s reluctance to side with the United States over the incident, while also rejecting speculation that it had cut off Pyongyang’s Internet access as punishment.
Asked about U.S. requests for help from China to punish North Korea for cyber attacks, Hua Chunying, a spokeswoman for China’s Foreign Ministry, said the United States and North Korea needed to communicate directly with each other.
She said Beijing had not seen proof of who was behind the attack on Sony. “We need sufficient evidence before drawing any conclusion,” she said at a news conference.
Obama administration officials had asked Beijing on Thursday to block Pyongyang’s access to Internet routers and servers in China, to expel North Korean hackers living in China and to pressure the regime of Kim Jong Un to end its alleged cyber-offensive against U.S. companies, according to one official.
On Monday, North Korea’s Internet went dark for more than nine hours, but who pulled the plug remains a mystery. The U.S. government issued a coy non-denial that it might have been responsible, and China rejected media speculation that it might have been to blame.
“This kind of reporting has no factual basis. It is speculative and pure assumption. It is not trustworthy at all,” Hua said. “And the reporting itself is irresponsible, nonprofessional and misleading.”
The attack on Sony has put Beijing in a difficult position. On one hand, China wants to cooperate with the United States on cyber security and cyber terrorism, but on the other, it does not want to alienate its allies in North Korea.
On Tuesday, State Department spokeswoman Marie Harf said the Chinese “certainly have a role to play” in helping combat North Korean hacking.
China said Foreign Minister Wang Yi, in a phone conversation with U.S. Secretary of State John F. Kerry on Sunday, reaffirmed Beijing’s “unwavering position” on the subject. Hua reiterated the message Tuesday.
“China is against all forms of cyber attacks and cyber terrorism, including cyber attacks launched by any country or individual by using facilities beyond its own national borders against a third country,” she said.
Bloomberg Businessweek quoted an anonymous source Monday as saying that China had agreed to start its own investigation into the attack after the Sunday phone call.
Liu Deliang, a professor and cyber-law expert at Beijing Normal University, said he doubted that China would agree to such an investigation, arguing that Beijing was keen first to help set up an international code of conduct and a legal framework to govern the Internet, with an independent third party established to look into cyber attacks.
But other experts said Beijing’s desire to be seen as a responsible power in global Internet governance means that it might be willing to look into the attack on Sony.
“The conclusion that North Korea attacked Sony is based on inference. So is the conclusion that the United States attacked North Korea. The incidents have not been proved yet,” said Shen Yi, an associate professor in the School of International Relations and Public Affairs at Fudan University.
“Tracking down attackers is always the most difficult task, because it’s hard to know if the IP address belongs to a springboard or is the original source,” he said. “But if China wants to act like a responsible big power, of course it should cooperate with the U.S. to track down the attacker rather than acting passively.”
Trust on cyberspace issues remains low between China and the United States. This year, the United States indicted five People’s Liberation Army computer experts on charges of spying on U.S. companies in cyberspace, prompting the Chinese to pull out of bilateral talks on cyber security.
Complicating matters, there have been suggestions that the Sony attack could have been routed through Chinese servers, just as an attack on South Korea’s banks is thought to have been last year. Although China may not have been directly responsible, some U.S. experts say it is not doing enough to prevent such attacks.
But Yuan Shengang, chief executive of the private cyber security company NetentSec in Beijing, said communication between the United States and China on cyber security had improved recently.
Lu Wei, China’s top official in charge of the Internet, was in the United States this month meeting officials in Washington and visiting prominent technology companies on the West Coast.
There is a growing sense in China that cooperation between major powers is necessary to combat cyber terrorism, Yuan said.
“For example, North Korea needs to go through China to access the American Internet,” he said. “China can certainly help with the investigation into the cyber attack, by negotiation, communication, discussion, even by bargaining.”
But Yuan said it was “impossible” to imagine that China had helped North Korea carry out the attack on Sony, especially as relations between the two countries appear to have deteriorated in the past two years and there being no “domestic political atmosphere” for such action.
The cyber attack was apparently retaliation for Sony’s planned Christmas Day release of “The Interview,” a comedy starring Seth Rogen and James Franco about a plot to assassinate the North Korean leader. Sony initially canceled the scheduled theatrical release of the movie, but it backtracked Tuesday and announced a limited release.
–Liu Liu and Xu Jing in Beijing and Karen DeYoung in Washington contributed to this report
As Cyber Threats Rise, Push For Intelligence Heightened
USA Today, Dec. 24, Pg. A3 | Erin Kelly
In a small hotel meeting room a few blocks from the White House, employees from power plants, factories, airports and oil refineries hunched over laptops working frantically to stop cyber terrorists from firing a rocket launcher into the heart of a picturesque American town.
It was just a training drill with pretend hackers and a model “cyber-city” made of plastic and wood. But, for the participants, the lesson zeroed in on a threat becoming increasingly real.
While the nation has focused on the dramatic cyber attack against Sony Pictures and the recent hackings of Target and Home Depot, cyber security experts say the greater danger is that terrorists will go after the nation’s critical infrastructure — airports, water treatment plants, power companies, oil refineries and chemical plants.
Cyber terrorists could turn off the lights for millions of Americans by attacking power grids, shut down the nation’s airports by seizing control of air-traffic control systems or blow up an oil pipeline from thousands of miles away, experts say.
“This is a much bigger threat over time than losing some credit cards to cybercriminals,” said Derek Harp, lead instructor at the recent training conference run by SANS Institute, which provides cyber security education and certification for people who run industrial control systems.
Members of Congress agree.
Maryland Rep. Dutch Ruppersberger, the senior Democrat on the House Intelligence Committee, said cyber attacks will be “the warfare of the future.”
“Just think what could happen down the future if North Korea wanted to knock out a grid system, an energy system, knock out air- traffic control,” he said in an interview Monday on CNN.
The House passed a bill in early December to help protect the U.S. against electromagnetic pulse weapons, which terrorists could conceivably develop to disrupt or destroy computer systems controlling the electrical grid.
However, the Senate did not take up the Critical Infrastructure Protection Act, which requires the U.S. government to make plans to prevent and recover from a large-scale blackout. Bill proponents say they plan to reintroduce it after the new Congress convenes in January.
“Our electric grid is a key target to exploit not only for its inherent vulnerability, but because we are so vitally dependent on it,” said Rep. Trent Franks, R-Ariz., a member of the House Armed Services Committee and the lead sponsor of the bipartisan bill.
President Obama also urged the incoming Congress to pass “stronger cyber security laws that allow for information sharing” in the wake of the cyber attack against Sony.
A bill to pave the way for increased information-sharing about Cyber Attacks between private companies and the Department of Homeland Security stalled in the Senate this year, but supporters plan to try again.
“We must pass an information-sharing bill as quickly as possible next year,” said Sen. Dianne Feinstein, D-Calif., lead sponsor of the Cyber Security Information Sharing Act.
The bill encourages businesses to voluntarily share information about cyber attacks with the government by giving them protection from lawsuits and antitrust actions if they disclose when they’ve been hacked and provide details of the attacks.
It failed to pass this year in part because privacy rights groups say companies are protected even if they inadvertently share their customers’ personal data with DHS, which may go on to share it with the National Security Agency or Defense Department. Supporters of the bill say those fears are unfounded.
Industrial control systems that enable pipelines to flow, nuclear power to be generated and factories to make products have been switching from old, analog electronics to digital, Web-accessible structures since the 1990s. The switch boosts efficiency and saves money but opens these crucial systems to cyber attacks.
In the power sector alone, an estimated 10,000 more employees need training to defend against cyber attacks, according to the SANS Institute. “Workforces generally are undertrained to defend their companies,” said Michael Assante, a SANS Institute project leader.
During the recent training drill here, one team of participants beat back the make-believe terrorists and seized control of the rocket launcher, firing the mock weapon into open space away from the model city. The victory drew enthusiastic applause.
But in real life, Harp said, “we’ve got a long way to go to defend ourselves.”