Hack reveals US cannot protect its business from cyber attacks

Bloomberg Washington
Last Updated : Dec 22 2014 | 3:56 AM IST
Back-channel talks between Sony Pictures Entertainment and the White House to coordinate a response to a debilitating cyber-attack didn't prevent a public disagreement over the studio's decision to pull its film, The Interview.

Sony canceled the December 25 release of the comedy about a fictional plot to assassinate North Korean leader Kim Jong Un, saying that theater chains had received threats. The move prompted Obama to say the company "made a mistake" and that he wished "they would have spoken to me first." The head of Sony's studio and White House officials did talk, both sides agree - just not about whether the movie should be released.

The spat showed that the US government and businesses still can't collaborate effectively to deter cyber-attacks, defend against them or respond to them. It added urgency to a debate over whether and when the government should take responsibility for protecting private companies from attacks and whether and when those companies can strike back against foreign nations. "They caused a lot of damage, and we will respond. We'll respond proportionally, and we'll respond in a place and time and manner that we choose," Obama said at his year-end news conference.

Now, Obama has to figure out how and when to strike, a decision complicated by the ambiguities of electronic warfare. "I'm not able to lay out in any specificity for you what would be or wouldn't be an act of war in the cyber domain. It's not like there's a demarcation line that exists in some sort of fixed space on what is or isn't," Navy Rear Admiral John Kirby, the Pentagon's chief spokesman, said at a briefing on Friday for reporters.

How Sony should respond is a separate issue, according to the two officials. Both said the administration told Sony that it was up to the studio to decide what to do with the movie, although its decision would have geopolitical as well as corporate implications. That left Obama free to criticize the move without being tangled in advising a private company on what it should do.

The administration gave a very limited answer because of the classified nature of information about the attack. The White House also didn't want to set a precedent of answering requests on a company-by-company basis -- and possibly appearing to favor one firm over another -- said one of the officials. Instead, the official said, the government chose to respond to Sony's request publicly.

Sony Pictures Chief Executive Officer Michael Lynton told CNN in an interview that he did "reach out and speak to senior folks at the White House" and "informed them that we needed help." Conducting such back-channel discussions with U.S. officials before the release of a film isn't uncommon, with "Zero Dark Thirty," about the hunt for Osama bin Laden, being one example, according to one entertainment industry veteran familiar with such discussions, who also requested anonymity.

Sony's inquiry to the White House about the Seth Rogen comedy, "The Interview," was different than most pre-release discussions with the government. Instead, it centered on how seriously to take the online threats of violence from hackers calling themselves the Guardians of Peace against anyone who went to see the film in theaters, according to administration officials. Hackers had previously published private e-mails from the company.

Last month's attack on Sony has been a topic of discussion for the U.S. government's interagency Cyber Response Group, according to an administration official who wasn't authorized to discuss the program publicly and requested anonymity.

Situation Room

Lisa Monaco, the assistant to the president for homeland security and counterterrorism, set up the group earlier this year among various national-security agencies to improve the government's response to attacks on both public- and private-sector institutions.

Members of the group "literally get around the table in the Situation Room, pool our knowledge, understand what that threat looks like," and then figure out how to share information with the private sector so companies can be protected, Monaco said at a Bloomberg cybersecurity conference earlier this month.

The White House declined to make her available for an interview on Saturday.

The Federal Bureau of Investigation said Friday that it had concluded that North Korea was behind the attack. Malicious software in the Sony incident bore links to malware previously used by North Koreans, according to the FBI. The hacking tools employed also were similar to those used in a March 2013 cyber-attack on South Korean banks and media organizations.

'Grave Consequences'

North Korea's government said on Saturday it had nothing to do with the hacking of Sony's computer systems and called on the U.S. to hold a joint investigation into the incident.

North Korea can prove its innocence and warned of "grave consequences" if the U.S. fails to take up its offer, the country's foreign ministry said in an e-mailed statement cited by the state-run Korea Central News Agency. "As the U.S. is spreading groundless allegations and slandering us, we propose a joint investigation," the ministry said.

The White House National Security Council, responding to North Korea's statement, said it stood by the FBI conclusion.

"The government of North Korea has a long history of denying responsibility for destructive and provocative actions," Mark Stroh, an NSC spokesman, said in an e-mailed statement. "If the North Korean government wants to help, they can admit their culpability and compensate Sony for the damages this attack caused."

Asymmetric Response

For both practical and political reasons, it would be best for any move to be international and asymmetric, in both time and nature, according to two Obama administration officials involved in discussions on how to respond. That would limit the appearance that the U.S. was responding to the effort to suppress the movie, rather than acting over the cyber-attack on Sony, they said. It would also signal to the Chinese and other cyber-powers that destructive hacks cross a line and that there's international support for drawing such a line.

U.S. officials say it's important to conduct retaliatory strikes in a measured way that prevents America from being portrayed as violating the norms it's trying to create.

For example, it's unlikely that the U.S. Cyber Command at Fort Meade, Maryland, would destroy data stored on servers used by North Korea, said one administration official involved in discussions about how to respond. That would legitimize what hackers did to Sony and risk an escalation of destructive cyber-warfare that could seriously harm financial institutions or energy infrastructures in the U.S., the official said.

Corporate Retaliation

"The cyber domain remains challenging, it remains very fluid," Kirby told reporters at the Pentagon. "Part of the reason why it's such a challenging domain for us is because there aren't internationally accepted norms and protocols. And that's something that we here in the Defense Department have been arguing for."

Congress will probably take a close look at the rules governing how companies can respond to cyber-attacks, House Homeland Security Committee Chairman Michael McCaul, a Texas Republican, said in an interview with Bloomberg reporters and editors this month.

"I'm going to study the legal implications of allowing companies to do it, to do more to retaliate," he said.

First Published: Dec 22 2014 | 12:15 AM IST
