Aruna Viswanatha & Joseph Menn
WASHINGTON/SAN FRANCISCO (Reuters) – The unusually destructive cyberattack on Sony Pictures Entertainment is providing an early test of a new Obama administration policy to reveal more of what it knows or suspects about hacking campaigns.
President Barack Obama’s decision last month to blame North Korea for the breach capped a year that saw the US Justice Department file indictments against alleged Russian cybercriminals, as well as accuse five Chinese army officers of stealing trade secrets.
The increased finger pointing is part of a broad new US plan for responding to cyberattacks, setting the stage for retaliation such as sanctions or trade complaints, according to current and former government officials.
“We need to improve our defences, but we also need to make clear the consequences,” John Carlin, who heads the Justice Department’s national security division, told Reuters.
Carlin, 41 but often mistaken for younger, has been at the centre of the policy shift. He worked at the Federal Bureau of Investigation as the agency created a new cyber investigative task force, rising to be chief of staff to FBI Director Robert Mueller. Carlin was appointed assistant attorney general for national security last year, and has put cyberthreats at the top of his agenda.
The decision to blame North Korea was made easier by Pyongyang’s pariah status and the seriousness of the attack – data was destroyed, not just stolen. Eight weeks after the breach, Sony Pictures’ computer network still has not been fully restored. Carlin said US prosecutors are considering whether they can bring indictments related to the Sony attack. North Korea has denied orchestrating the breach.
Former FBI cybercrime chief Shawn Henry said the recent comments by Obama and other US officials on Sony are an attempt to define the “red lines” in cyberspace.
“The destruction of physical property is not acceptable, and the US can take steps to demonstrate what the response is going to be,” said Henry, now an executive at private security firm CrowdStrike.
The US government used to remain officially silent over similar cyberattacks, including one in August 2012 that damaged 30,000 computers at Saudi Arabia’s national oil company and was widely believed to have been orchestrated by Iran. US officials say they have changed tack because of continuing, serious intrusions; improved ability to pinpoint those responsible; and a desire to educate the public and companies about the problem’s seriousness.
The strategy is not without critics. Some security experts who looked at the evidence the FBI made public about the Sony hack said none of it proved North Korean involvement, prompting FBI Director James Comey last week to provide a forceful defence and supply new data pointing to Pyongyang.
Even if the claim turns out to be correct, the effects of the “name and shame” campaign remain unclear. Obama’s public response so far has been to slap sanctions on North Korea that appear unlikely to have much effect on the insular country. The US strategy could also prompt other states to point the finger at Washington for hacks in their own countries.
“Doing indictments once a year – I don’t see the point,” said Jason Healey of the Atlantic Council, a former White House director of infrastructure protection. “Naming and shaming might work, but not as a one-off. We need a campaign.”
The new policy has meant wresting some control of the issue from US intelligence agencies, which are traditionally wary of revealing much about what they know or how they know it.
Intelligence officers initially wanted more proof of North Korea’s involvement before going public, according to one person briefed on the matter. A step that helped build consensus was the creation of a team dedicated to pursuing rival theories – none of which panned out.
Joel Brenner, a former head of US counterintelligence and then a top lawyer at the National Security Agency, said there is a growing view that cyberattacks should be prosecuted like any other type of crime. “We’re putting less emphasis on the cyber characteristic and more emphasis on the fact that they are just criminal and that they shouldn’t be treated differently.”
Among the first people to recognise this trend was David Hickton, who became the top US prosecutor in Pittsburgh in 2010 and set up a new cyber national security unit.
Other prosecutors questioned whether the group would have any cases, but a breakfast meeting with the heads of US Steel Corp and the United Steelworkers in 2010 provided an unexpected tip.
Complaints that information stolen through cyberattacks could prove deeply harmful spurred an investigation that led to the May 2014 indictment of five Chinese army officers, who were accused of spying on US Steel, the union, and others.
“We were really interested in doing more than just monitoring hacking, we were interested in preventing it, which might include prosecuting it,” Hickton said.
It is unclear what the indictment accomplished, however. The Chinese officers are beyond the reach of US law, and security companies say they have seen no reduction in Chinese hacking. Beijing withdrew from Sino-American talks on cybersecurity to protest the US charges.
Still, the previous cases laid the foundation for the response to the Sony breach. In 2012, the Justice Department started training prosecutors in technology issues, and the FBI began giving them more in-depth information about cyberattacks.
Weeks before the Sony attack, Carlin restructured his division to create a top position specifically focused on cybersecurity, a change he said was critical in the Sony response.
Carlin said the new policy has sparked more conversations with companies about hacking incidents. He met last week in New York with security officers and lawyers from six banks and a hedge fund to discuss cybersecurity risks and defences, following a similar gathering with general counsels from Fortune 100 companies.
“We need to do something to make it stop,” Carlin said.