REVIEW: China’s Position on the 2014 Sony Attack: Implications for U.S. Response
Wilson, J. (2015). China’s Position on the Sony Attack: Implications for the US Response. Washington, DC: US-China Economic and Security Review Commission.
This report to the United States (US)-China Economic and Security Review Commission addresses the recent hacking event against Sony Pictures Entertainment in November 2014. The author discusses the identification and attribution of North Korea as the state-agent responsible for the “crime” based on the Federal Bureau of Investigation’s (FBI) assertion of fact.
The report is specifically focused on the US avoiding overly criticizing or condemning any complicity on the part of China since it may damage current cyber-related negotiations. The former Obama Administration’s concern is whether such charges of complicity by China damage current cyber espionage cooperative discussions.
What further impact would a cyber-counterattack against North Korea have on any negotiations with China?
Because of the contentious nature of past charges by the US against China, this was both a political and a legal matter. Politically, what were the implications of overtly charging China with aiding or abetting the Sony cyber-attack? The Chinese have already suspended the “US-China Cyber Working Group” “…in May 2014 in response to the FBI’s indictment of five People’s Liberation Army officers for cyber espionage” (Wilson, 2015, p.2). These indictments have contributed to the stalling of US-China cyber discussions. The article discusses this as “uncharted territory,” and an appropriate opportunity for the Administration to establish US unilateral policy that could seek to provide future “redlines” for acceptable behavior by China.
The general question raised by this article is whether the US’s response comports with past and current cyberspace policy.
The Bush Administration’s “National Strategy to Secure Cyberspace” would not define Sony Pictures as a member of the US’s “critical infrastructure,” and Sony therefore would not receive or expect to receive government assistance. The Obama Administration’s “International Strategy for Cyberspace,” by contrast, would treat a cyber-attack through the promulgation of “… overlapping policies that combine national and international network resilience with vigilance and a range of credible response options [emphasis added]” (Office of the President of the United States, 2011, p. 12).
The article reported that President Obama promised to respond to this attack “proportionately.” The question is whether that position is consistent with past and current US policy or strategy.
Clearly, the Bush Administration would not have taken such a position since Sony Pictures is not part of the defined “critical infrastructure” categories. These categories include banking and finance, insurance, electric, and oil and gas, etc. The picture-entertainment industry is not declared as a critical category of industry covered under this strategy. However, President Bush, in his opening statement on protecting critical infrastructure, may have provided coverage for the entire US economy to include Sony Pictures. The objective of this protection included the assistance of the US government to “… help to protect the people, economy [emphasis added], and national security of the [US]” (The Office of the President of the United States, 2003, p. i). While this may be construed as including Sony, the further specificity of the strategy and its subsequent implementation would not allow any ensuing response by the US government on behalf of Sony; any federal cyber-response would be counter to this strategy.
The Obama Administration’s strategy, and presumably the strategy that should prevail here, is both vague and flexible. The policy is more one of “dissuading and deterring” state-sponsored cyberspace bad-actors. The US reserves the right to defend “vital national assets” (Office of the President of the United States, 2011, p. 12) as necessary or appropriate. (Review of this strategy document found no definition for a “vital national asset.”) The question is whether, under this new protected category, Sony should be considered a vital asset.
It should not if both of these policy-strategy documents exercise appropriate currency to the protection of US cyber interests. Sony is a private company with its own responsibility to manage its cybersecurity posture. It certainly should be able to avail itself of the FBI or local law enforcement after a crime has been committed but should not be afforded prior or post “protection,” vis-à-vis a cyberattack against North Korea.
In this case, the FBI responded appropriately to a crime that had been committed. However, any “offensive” act by the government would be totally counter to both Administrations’ declared policies. Any overt cyberattack could unfortunately create a cascading demand by private industry to “attack” foreign state and non-state actors on their behalf. Should the US government conduct offensive operations for Target if the exfiltration of its customer credit card data can be attributed to Russian hackers? This escalation would clearly become cumbersome and counter to US policy. Private companies, even those covered under the rubric of “critical infrastructure,” should not expect the government to respond on their behalf.
The response should be overwhelming, and not “proportionate,” if US critical or vital infrastructure areas are grossly damaged, degraded, or destroyed by a cyber-attack.
Politicians believe that proportionate responses are moral and just, but their stated objectives of degrading and destroying the threat are typically never met; this political view consistently fails.
While escalation in cyberspace is fraught with dangers, it should be tied to a publicized international and national declaration that warns potential adversaries of what to expect. Declaring “redlines” is realistic and formidable if we honor and execute them in the protection of US interests.
REFERENCES
Office of the President of the United States. (2011, May). International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World. Retrieved from White House: http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf
The Office of the President of the United States. (2003). The National Strategy to Secure Cyberspace. Washington, DC.
Wilson, J. (2015). China’s Position on the Sony Attack: Implications for the US Response. Washington, DC: US-China Economic and Security Review Commission.
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.