What The US Could Do In Response To The Sony Hack
"They caused a lot of damage, and we will respond," President Obama told reporters in an end-of-year news conference.
This malicious intent and apparent state sponsorship have forced the US to respond to the incident as a matter of national security, instead of treating it simply as an instance of cybercrime.
This distinction has opened up a wide variety of responses that the US could conduct against those responsible for the Sony hack.
Declare North Korea a state sponsor of terrorism. The US is reportedly considering this option.
Evans Revere, a former State Department official and specialist on Korea, has suggested that Pyongyang could be designated a state sponsor of terrorism, joining Sudan, Iran, and Cuba. This designation would be warranted because of the attack and the threat of carrying out violence against theaters that screened "The Interview."
Risks: North Korea was on the state sponsors of terrorism list until 2008, when it was removed by the Bush administration during nuclear negotiations. Putting it back on would be nothing more than a return to the status quo.
Expand sanctions. The US is reportedly considering this option.
The US has the ability to place particularly crippling sanctions upon North Korea. Gordon G. Chang of the Daily Beast notes that financial sanctions put in place under the Bush regime forced Pyongyang to ferry cash in suitcases. This lack of funding led to the closure of certain North Korean weapons programs.
Reuters notes that the US sanctions "only 41 companies and entities and 22 individuals" relating to North Korea for their involvement with the country's nuclear program. The US could designate additional people and entities for their connections to North Korea's hacking program, as well as its telecommunications and internet infrastructure.
Risks: High-level sanctions on North Korea could lead to more difficult relations with China. The previous round of sanctions were prematurely lifted at Beijing's desire. And North Korea is tightly sanctioned as it is.
"The Obama administration has been reluctant to embrace" the sanctions approach, AP reports. "The biggest impact would be felt by banks in China, complicating US efforts to curry better ties with Beijing."
And North Korea is already one of the most sanctioned governments in history. "We've already got every sanction known to man against them," Jim Lewis, a senior fellow at the Center for Strategic and International Studies, told Reuters.
Declare the hackers terrorists.
According to Dave Aitel, a former NSA research scientist and CEO of the cybersecurity firm Immunity, one option is "declaring certain cyberattacks terrorist acts and the groups behind them terrorists," which would "set in motion a wider range of legal authority, US government/military resources, and international options."
This designation would "set in motion a wider range of legal authority, US government/military resources, and international options."
Risks: Designating North Korea a terrorist sponsor could hamper any future nuclear negotiations with Pyongyang (the US removed the country from the state sponsors of terror list in 2008 to make headway on the nuclear issue). The label would also be precedent-setting and raise all sorts of incredibly thorny legal, diplomatic, and practical questions.
Would China and Russia be labeled state supporters of cyberterror for their distributed denial of service (DDoS) attacks against American companies and sabotage of US government systems? And what would this designation even mean in practicality — which people or entities would be affected, and how might an expanded legal regime complicate other US economic and political interests? For starters, sanctioning cyberterrorists or companies that assist them could conceivably complicate some US firms' business dealings in China.
Engage in counterhacks.
If it is conclusively proved that North Korea carried out the attacks against the Sony, the US could engage in retaliatory hacks against Pyongyang. This hacking could target North Korean and a variety of North Korean websites, affiliated sites, or internal networks. The US could take North Korean government infrastructure offline as a warning of the potential consequences of a future hack.
Risks: Any cyber engagement against North Korea runs the risk of escalating a conflict into a full-blown cyberwar between the two nations — and the US wouldn't have much to gain from it, considering the deep asymmetry in the wealth and development of each country. "You can turn out the lights in Pyongyang, and they could turn out the lights in New York. Who loses more? There's no way for us to win a trade," Jim Lewis, a senior fellow at the Center for Strategic and International Studies, explained to Reuters.
If North Korea feels it is under attack, it could physically respond with kinetic strikes against South Korea.
Go after Chongryon.
The organization for Japan-based supporters of the North Korean regime once ran a miniature business empire in the country and served as Pyongyang’s chief means of acquiring foreign currency.
Chongryon has fallen on hard times, and been forced to sell off much of its business holdings and property. But the group answers directly to the Liaison Department of the North Korean government. And according to an HP Security report from August 2014 on North Korean cyber capabilities Chongryon's "'study group' ... gathers intelligence for North Korea and helps the regime procure advanced technologies.” The report concluded that Chongryon is “critical to North Korea’s cyber and intelligence program.”
The US could pressure the Japanese government to shut down and expel the organization.
Risks: Japan has been negotiating with North Korea over the fate of nearly a dozen Japanese citizens kidnapped and taken to North Korea over the past 40 years. Sony is a Japanese company, but Japan may bristle at what could be perceived as American intrusion into its foreign and domestic affairs.
Totally end trade.
The US and North Korea conducted $21.9 million in trade last year, the highest total since 2008. This is a small amount of money, but every bit of external trade is critical in a place as isolated as North Korea, where the elite depends on a steady supply of foreign currency to remain in charge.
Risks: None, really. It’s just too little money to make much of a difference.
End even the possibility of expanding food or development aid.
The US cut off much of its food aid to North Korea in 2008. Since then, there have been intermittent discussions about possibly resorting US development projects and humanitarian assistance. The US could freeze those and communicate an intent not to resume them.
Risks: This would effectively punish ordinary North Koreans for the actions of their government. And it probably wouldn’t do much: The country experienced a debilitating famine in the 1990s, and the Kim regime was still able to hang on to power.
Try to run the North Korean government off of the internet.
As the HP report notes, most North Korean websites are hosted on servers in Japan and Thailand; the only internet service provider inside North Korea is a Thai joint venture. Through a combination of cyber activity and diplomacy, the US could probably blacklist North Korean domains from foreign servers. The US Department of the Treasury could sanction any company involved in hosting North Korean websites or providing internet access to the country's government.
Risks: This wouldn’t have much impact. It’s not as if the Korean Central News Agency is a traffic monster.
The US could treat the Sony breach as an attack on a single private company rather than on the US writ large. Even now, the attack doesn't fit NATO's definition of an act of cyberwar since there has been no loss of life or physical damage resulting from it. Even with state backing, the hack wasn't aimed at hospitals, the military, or the electrical grid. "The Interview" isn't vital infrastructure.
By not acting, the US may have less of a chance of blundering into a larger cyber escalation and wouldn't have to deal with the possible myriad consequences of shifting its entire legal and diplomatic framework in response to a single incident.
Risks: By doing nothing, the US government would be saying that it doesn't feel obligated to respond to even a highly damaging state-backed attack on an entity in the US. This may embolden future attackers. And it would fail to address any of the alarming issues that the Sony hack raises.
"There should at least be firm diplomatic repercussions for these types of attacks," Aitel told Business Insider. "After all, what would we have done if they’d blown up the buildings at Sony Pictures but not caused any casualties? That is the context these attacks need to be put in."
Risks: Nothing happens.