The Obama administration’s passive approach to cyber attacks, combined with a lack of competent policy leaders, provided the backdrop to a major North Korean information warfare victory last week. North Korean hackers succeeded in forcing Sony Pictures Entertainment, an $8 billion corporation, to scuttle release of a major motion picture.
The successful cyber attack was in large measure the result of President Obama and his closest advisers having adopted passive, diplomatic approaches to increasingly costly — and now destructive — cyber attacks from states like China, Russia, North Korea and Iran. Estimates of the financial losses to the U.S. economy from the loss of proprietary trade secrets, as well as government secrets, through state-run hacking range from the tens of billions to hundreds of billions annually.
Additionally, foreign states have been detected mapping computer networks used to control critical infrastructures, like the electric power grid, in preparation for devastating cyber attacks that could cost thousands of lives.
In the Sony hack, the North Koreans, operating under cover of a front group calling itself the Guardians of Peace, launched a major influence operation that surfaced Nov. 24 and resulted in the unprecedented action by the studio of canceling the release of the Sony Pictures Entertainment film “The Interview,” a comedy involving a plot to assassinate North Korean leader Kim Jong Un.
Despite the obvious signs that the attack was carried out by North Koreans – the malware used was found by investigators to contain Korean language – and that the objective behind the strikes was to halt the release of the movie, the U.S. government mishandled its response by first keeping silent, and only naming North Korea after the hackers threatened September 11-style terror attacks on movie theaters that were to show the film. The threats prompted Sony to capitulate to the dictatorship in Pyongyang.
The FBI, among the more secretive agencies of government, took the lead in the investigation and compounded the problems by allowing one of its senior officials to deny North Korea was behind the attack. Despite the clear and early signs linking the attack to North Korea, it appears the FBI deliberately provided misleading information to the public on the attack.
“There is no attribution to North Korea at this point,” FBI Assistant Director Joe Demarest, head of the Bureau’s cyber division, told a security conference Dec. 9 – nearly three weeks after the attack was detected.
The FBI statement contradicted detailed forensic and intelligence information already uncovered by the National Security Agency on the North Korean nature of the attack, including the fact that both the methods and the malware were similar to earlier North Korean attacks on South Korea.
The comments by Demarest, however, were in keeping with the FBI’s bureaucratic penchant for playing down crimes and attacks over concerns the law enforcement agency would face public and high-level criticism for failing to halt the activity.
During the period between the late November attack and last week, the FBI, working with Sony and the security firm FireEye, kept all details about the attack secret, including the fact that the group behind the attack was posting Sony’s stolen data on Pastebin. The releases resulted in salacious news stories about Hollywood salaries and plans for future motion pictures.
The losses reportedly included emails within the company network, personal data on employees and five unreleased films. Additionally, the software systematically destroyed vast amounts of data on a range of company networks.
With the Dec. 25 release day fast approaching, the North Koreans then played their most effective card. In an email released publicly, the hackers behind the Sony cyber attack stated: “The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.) Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment.”
Instead of exposing the threat for what it was – part of an information warfare operation to forestall release of The Interview – the administration remained silent. No formal statement was released. Instead, government officials issued boilerplate, unofficial statements to the effect that no credible intelligence had been received on the North Koreans’ Christmas Day movie theater threat.
With no government effort to debunk the terror threat, five major movie theater chains announced they would not show The Interview, and Sony caved. On Dec. 18, the company announced it would not release the movie.
President Obama, on Friday, sought to deflect any criticism of the White House for mishandling the affair. He instead criticized Sony for pulling the movie. “I think they made a mistake,” he said. Next, he sought to blame Congress for not passing cyber information-sharing legislation in the recently completed session.
Then the president, in an interview broadcast by CNN, denied the Sony hack was an act of war by North Korea, instead calling it “vandalism.”
“No, I don’t think it was an act of war,” Obama said. “I think it was an act of cyber vandalism that was very costly, very expensive.”
Sony CEO Michael Lynton took to the airwaves to deny the company backed down in the face of North Korean hacking and Obama’s charge it was a mistake. “We have not given in. And we have not backed down,” he insisted.
The closest the president came to admitting the hacking incident had been mishandled was his comment that “we’ve been coordinating with the private sector, but a lot more needs to be done. We’re not even close to where we need to be.”
“We will respond proportionally, and we’ll respond in a place and time and manner that we choose,” Obama said.
North Korea’s government, for its part, denied carrying out the attack, a statement left unchallenged by the Obama administration in another failure to counter Pyongyang’s disinformation and influence operations. The North Koreans went further and proposed convening a joint U.S.-North Korean team to investigate the hacking.
However, the damage had been done. The failure to disclose the nature and players behind the attack early on had sent a clear message to other would-be cyber attackers – with a relatively low cost cyber attack, U.S. economic and government policies can be influenced in favor of a foreign government.
Adm. Mike Rogers, Cyber Command commander, voiced concerns about using purely defensive means in the current cyber wars. Although the four-star admiral was careful not to criticize the current administration policy, his comments suggest he favors a more muscular, offensive approach to dealing with state-origin cyber attacks.
Rogers told the House Permanent Select Committee on Intelligence four days before the Sony hack that “being totally on the defensive is a very losing strategy to me.”
“It will cost a significant amount of money. It leads to a much decreased probability of mission success. That’s just not a good outcome for us in the long run,” Rogers said, adding “there doesn’t seem to be a sense of risk among nation-states, groups and individuals in the behaviors we see in cyber that you can just do literally almost anything you want and there isn’t a price to pay for it.”
“That’s not a good place, I would argue, for us as a nation, and I would argue, more broadly, for us internationally to be in,” Rogers said.
Details of the Sony hack and the software and other methods used in the attack were made public late last week when the FBI, based on National Security Agency intelligence, linked the North Korean government to the highly sophisticated and layered cyber espionage and sabotage operation against the major film maker.
The White House approach to cyber attacks against both the private sector and government networks has been limited to diplomacy- and law enforcement-centered responses to a problem that is not well suited to the solutions either method provides.
The NSA and the U.S. Strategic Command subcommand Cyber Command currently remain the premier organizations for both detecting and responding. Yet the administration’s key leadership – the president, key advisor Valerie Jarrett, National Security Adviser Susan Rice, Chief of Staff Denis McDonough and Deputy National Security Adviser for Communications Ben Rhodes – all remain opposed to giving NSA and Cyber Command lead authority for cyber security policies and actions.
All five remain deeply skeptical of the military in general and the NSA in particular, after the embarrassing Edward Snowden revelations of foreign electronic spying on foreign leaders created enormous pressure on the White House to curb the agency and its extensive electronic cloak and dagger activities.
The weak response to the North Korea hack of Sony revealed the administration is ill prepared to address what is emerging as among the most significant 21st Century strategic threats – devastating cyber attacks aimed at not just stealing data for economic or military gain, but influencing foreign and domestic policies of target countries.
Michael Daniel outlined the administration’s passive approach to cyber warfare in a speech last March. The administration has held “long and tortured debates” in the White House on the use of offensive cyber attacks in retaliation, he said in the March 28 speech.
The argument being used by the administration’s pacifists is that determining the attribution for foreign cyber attacks is too difficult. Additionally, the administration is opposed to using a demonstration of U.S. cyber power, as advocated by NSA/Cyber Command’s Rogers.
Also, policies for dealing with cyber attacks remain constrained and limited because of a lack of authority and divisions of labor among various agencies. The Department of Homeland Security and FBI are asserting that they are the leaders in dealing with domestic cyber attacks, while the NSA and Cyber Command are the most skilled and knowledgeable about attacks and counter attacks but have been sidelined by bias against the military and intelligence from senior White House leaders, including the president.
“So when we consider what we’re doing to actually strike back at some of these things, we have to be very careful,” Daniel said, adding that he is concerned any damage to nation states could cut electrical power to hospitals and universities.
Daniel indicated the administration will probably take action in some other sphere besides cyberspace. Following its liberal foreign policies that seek negotiation and diplomacy, the administration’s main approach has been to seek international agreements or a code of conduct for cyberspace – a recipe followed in arms control that usually involves the United States strictly adhering to the agreements while foreign states either ignore the agreements or violate them.
Besides diplomacy, the Obama administration also has tried to use law enforcement action. That too has proved ineffective, as the May 1 indictment of five Chinese military hackers shows. The five hackers are said to remain active in PLA cyber espionage and cyber reconnaissance activities. A congressional China commission report made public in December concluded that “China’s cyber espionage continued unabated in 2014” despite the indictment of the military hackers.
The administration also is reluctant to act against cyber attackers over concerns it lacks international support, another key feature of the Obama administration’s overall approach to foreign affairs once characterized by an official as “leading from behind.”
The threats posed by state-run cyber attacks are increasing in both the damage they cause and the losses they create for government and the private sector. Meeting the cyber threat challenge will likely dominate policy debate in government and the private sector for years to come.
“The hackers are going to get better, too,” Obama said Dec. 19. “Some of them are going to be state actors. Some of them are going to be non-state actors. All of them are going to be sophisticated and many of them can do some damage.”
The president then denounced the impact of the North Korean hack of Sony on American freedom. “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States,” he said. “Because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like or news reports that they don’t like.”
The president would do well to review the current passive defense approach of his administration and adopt new policies that will better deter, defend and defeat foreign hackers.
— Bill Gertz
Dec. 20, 2014