President Obama and Ambassador Susan Rice have both pontificated that the attacks on Sony Corporation Entertainment (SCE) represent a threat to the national security of the United States.
Really?
More than the hacks on Home Depot, Target, JP Morgan Chase, and the PlayStation and Xbox networks? How do we decide which hacks are “national” security and which are corporate security? And, to paraphrase Al Haig, who IS in charge here?
The SPE investigation is an FBI criminal investigation. The goal of a criminal investigation is to determine the names of the actors responsible, the nature of their activities, and to “bring them to justice” – typically with a criminal indictment. Then comes a trial, and a conviction or acquittal, and if conviction, punishment.
We try people all the time for crimes that implicate national security. As the Rosenberg’s. Or the Walker family. Or even the members of the Chinese People’s Army recently indicted in Pittsburgh for hacking into places like Alcoa to steal their trade secrets. So criminal prosecutions for national security violations are commonplace. In fact, there is an entire Division in the Department of Justice and another in the FBI dedicated to the criminal investigation of national security threats.
But is the SCE case a national security threat?
Generally, for threat to implicate national security, the threat must be on the United States’ “critical infrastructure.” This typically means things like DoD facilities, DOE, or other sensitive government agencies, as well as the civilian infrastructure necessary for national security.
This includes, but is not limited to things like energy, transportation, banking, telecommunications, chemical, manufacturing, water – you know, CRITICAL infrastructure. Determining whether infrastructure is critical is not easy, as each infrastructure is dependent upon the other. Take out the dams, the electricity generation is gone. Take out electricity, telecom is dead.
Nowhere on this list is the movie industry.
Sure, making movies is important. Hell, if it weren’t for movies, I wouldn’t have anything to write about. But national security? The salary of senior executives is sensitive, but not worth war. The script to the latest Bond movie? Maybe an adversary could get some ideas from it, but again – not war.
So whether or not the attacks on SPE are a threat to national security depends on WHO perpetrated them and why, and to somewhat lesser extent, the fact that the SPE attack demonstrates the vulnerability of our entire infrastructure, including the critical infrastructure. IF the attacks were a state-sponsored, politically motivated attack, then maybe it is a military problem for the U.S. If it is a disgruntled employee, then probably not. And if it is a bunch of Russian hackers – a coin toss.
If it’s a military problem (as opposed to a law enforcement problem) then the jurisdiction lies with U.S. Cyber command. Otherwise, it’s the FBI and its international counterparts. But that’s the problem. You can’t decide who is in charge based on the results of the investigation.
So right now, the FBI is saying that it is in charge, but that its investigation has determined that this was a state sponsored military attack by the government of North Korea. So here is the question. If the government of North Korea launched a missile at a movie studio in Century City, and destroyed buildings and property, would this be an FBI case, or a DoD case?
The problem with “cyber” (other than the fact that it is not a word!) is that it has attributes of domestic and international action, war and crime, individual and concerted activity, state sponsorship and rogue actors. In other words, it’s fun for everyone, and everyone can do it.
It also matters whether we treat this as crime or national security for the level of proof required before we take action. If we treat the attacks as crimes, we require proof beyond a reasonable doubt for conviction, and the evidence is mostly made public (a law called CIPA allows some classified information to remain secret in a criminal trial.)
But the level of “proof” for the military to engage in offensive responses is much lower – more than a hunch, but not a hell of a lot more. The level of proof for diplomatic actions such as multinational sanctions is simple. Whatever convinces the international community. Our track record here is spotty at best.
Share and Share Alike
So the US Government has been promoting information sharing and cooperation. When the security firm Norse posited that they had information indicating that the attack may have been the work of insiders working with hacker groups, the FBI showed its openness by meeting with the security firm for three hours before it dismissed its conclusions as a misinterpretation of the evidence.
That is information sharing.
Problem is, we are getting next to no information publicly from the FBI, DoD, State Department or Homeland Security about the nature of the threat or the attacks. Sure, they may be telling someone, but it certainly isn’t the public. How can the public evaluate the validity of the claims of DPRK participation if it doesn’t have at least some of the (non sources and methods) information on which the FBI is relying. If I am in the critical infrastructure looking to protect myself from a SONY type attack, what do I do?
Two way street. Share and share alike. With thousands of security researchers worldwide, we have the ability to crowd source investigations. Think of the podcast SERIAL. Many minds (including whackos) are better than just one source.
What we can’t do is rely on the government – any government – which simply says “trust us.” Better motto – trust but verify.