The Sony incident, which delayed the planned national release of The Interview, a comedy film that parodied North Korean leader Kim Jong Un, the CIA and journalists, set standards for how the United States responds to computer attacks on American citizens and companies, said Eric Jensen, professor of law and cyber warfare at Brigham Young University in Utah.
“The biggest impact of (Sony) was that the United States took a stance,” Jensen told the Trib. “... It tells everybody else in the world that when a state attacks you and you can attribute it, you can respond — even if it's not an attack on the state but on a state interest.”
Jensen spoke here Thursday at the Journal of Law & Cyber Warfare conference, an annual event attended by about 150 leading military and private-sector computer security experts. A Trib reporter was invited to attend the closed-door event at the Cardozo Law School in Manhattan.
The Sony incident not only captured the public's imagination about the potential consequences of a cyberattack but also caused government officials around the world to think seriously, said Michael Schmitt, director of the Stockton Center for the Study of International Law at the Naval War College in Newport, R.I.
“Before Sony, there wasn't much of this discussion about countermeasures,” said Schmitt, who also serves as a senior fellow at the NATO Cooperative Cyber Defense Center of Excellence. “When Sony happened, everyone went, ‘Whoa, can Sony respond? Can we respond? How can we respond against whom?’ So it focused, globally, attention on the issue of response.”
In the United States, the lesson has been that the government will respond, on a case-by-case basis, when a computer attack causes a loss of life, destruction of property or long-lasting economic impact, said Robert Clark, cyber operational lawyer for the American Cyber Institute at the U.S. Military Academy in West Point, N.Y.
President Obama's official response to the Sony incident was to impose financial sanctions on North Korea. The decision was based on destruction of property, economic impact and North Korea's efforts to stifle freedom of expression in the movie's content.
North Korea's Internet network also was knocked out for 9.5 hours. U.S. officials declined to comment when asked about responsibility for the takedown. Experts said North Korea's weak computer network could just as easily have been taken down by hacktivist groups such as Anonymous or Lizard Squad.
The Obama administration's response to the incident amounts to a “cyber Monroe Doctrine” for clearly stating that the United States will extend its defense of American citizens and companies online, Clark added.
“The movie being the impetus? Yeah, it's pretty stupid,” Clark said. “The opportunity to hit a major U.S. corporation? ... If they wanted to make a statement, it was handed to them.”
The government's potential responses fall on a sliding scale, depending on the severity of the attack, Jensen said. The United States could make a simple public statement, sever diplomatic ties, enact sanctions, take computer security countermeasures and ultimately even use force.
The Obama administration has said its responses are limited to taking the least amount of action necessary to stop the attack and defend the victim's computer networks, preferring a law enforcement response to a military one, Clark said. The administration could justify a broader responsive attack if it's needed to disrupt a repeated threat, he said.
Despite all of the computer attacks of the past several years — on retailers, health-care providers, manufacturers and the federal government — companies are vulnerable, experts said at the conference.
Even large companies with major computer security infrastructure are exposed to hackers entering through a third-party contractor or through spear-phishing emails that look real but contain malicious software.
Executives who know better, who have been warned repeatedly, continue to click on dangerous emails and take unnecessary risks, said Daniel Garrie, a cyber security lawyer and editor-in-chief of the Journal of Law & Cyber Warfare.
“There's just no connection between your success in the workforce and good cyberhygiene,” Garrie said. “Until you marry the two more closely, there's no incentive structure from the senior executive all the way down to the junior, first-year employee.”
©2015 The Pittsburgh Tribune-Review (Greensburg, Pa.) Distributed by Tribune Content Agency, LLC.