co-authored by Dr. Stephen Bryen, Chairman & CTO Ziklag Systems/FortressFoneTechnologies
If there is one salient fact that emerges from the Sony hack it is that the bad guys won. The bad guys won because they paid no price for the damage inflicted. In the Sony case the hackers are outside and beyond the law, so their backers and sponsors are encouraged to cause even more damage in future. To stop cyber attacks, particularly those sponsored by foreign governments, we need to respond to them.
Sony is a movie company, a major cog in the entertainment industry. Whether Sony rises or falls has little or nothing to do with national security. There are plenty of other entertainment companies that can fill the gap if Sony drops out, something that Sony surely understands.
But the sort of intimidation attack suffered by Sony is non trivial, and presages similar attempts that surely will come by hostile actors to intimidate our government. The Russians have used such attacks against at least three former Soviet Republics (Lithuania, Georgia and Ukraine), electronically hacking telecommunications, banking, government and military organizations. Newspapers have also been attacked by foreign hackers, signaling displeasure over certain stories. The North Koreans have also pummeled South Korea with cyber attacks, destroying hard drives and shutting down banking operations. One South Korean bank was out of commission for more than two weeks.
Despite precautions, cyber attackers can often stay one step ahead of protection mechanisms. Sony, of course, had little in the way of cyber security protections, making it an easy soft target for hackers. But even better protected systems can be penetrated.
Liran Tancman CEO of CyActiv, tells the Times of Israel, "Cyber-security is, for the most part, reactive, not proactive. A company will spend hundreds of thousands or millions of dollars to secure themselves against a major malware variant, fighting off a specific attack." But hackers can often get around better protected organizations. "All they have to do is insert some changes in their malware code, and they are in the clear. For $150, a cyber-criminal can hire a hacker to do $25 million of damage, and then do it again a few months later, making very minor changes to their malware code."
In the wake of the Sony attack, former Republican Speaker Of the House and presidential candidate Newt Gingrich says that we have lost our first cyber war. Commenting on Twitter, Gingrich said "it wasn't the hackers who won, it was the terrorists and almost certainly the North Korean dictatorship, this was an act of war."
Gingrich begs the question: if a serious cyber attack is an act of war, how should America respond?
The Pentagon has set up Plan X supposedly to respond to cyber attacks by launching cyber assaults of its own as retaliatory strikes. But nothing like that has happened. Russian, Chinese, North Korean, Iranian and Syrian hackers --all government backed-- continue to operate unabated. Is there a threshold that remains to be crossed, and when it is, will the Pentagon launch a massive retaliatory cyber attack on the perpetrators, namely the governments that sponsor the hacks? Plan X is a nice idea, but it is a wasted effort unless it is used.
Hacking is a cheap crime to commit unless there are costly consequences.
It is a bad idea to wait around until a massive cyber attack leads to costly consequences such as paralyzing our government and military, creating a run-away chain reaction cascade at a nuclear power plant, or wrecking our banking system.
A prudent policy is to start striking back when we are hit the first time, not the last time. Only in that way can limits be set and warnings understood. If the United States answered even one of the Chinese-Russian-Iranian-North Korean-Syrian attacks by a strong meaningful response, the bad guys would get the message. Then the hackers would lose.