The Obama Administration’s announcement that it would impose sanctions on North Korea due to the alleged involvement of the North Korean government in the Sony Pictures hack came amidst a growing controversy about the true nature of the DPRK’s involvement. Some experts have raised the possibility of a false flag operation, while others have suggested an inside job. However, the FBI so far has stuck to its initial narrative blaming North Korea directly for the attacks:
“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector(…)There is no credible information to indicate that any other individual is responsible for this cyber incident.”
No serious cyber analyst so far has denied that this may very well turn out to be true. Nevertheless, the speed with which the U.S. government has identified the alleged culprits – despite the slim unclassified evidence available in the public domain – has taken a lot of analysts by surprise. Yet, the FBI’s conclusions may be less surprising if one views this move as part of an overall U.S. cyber deterrence strategy vicariously aimed at dissuading China and other great powers hostile to the United States from engaging in or supporting adverse behavior in cyberspace.
China remains North Korea’s closest ally. Amongst other things, the DPRK gets around 90 percent of its energy imports, 80 percent of its consumer products, as well as 45 percent of its food supply from Beijing. On the cyber front, Pyongyang relies on China Unicom – a Chinese state-owned telecommunications operator – for Internet access. It also procures most of its routers and servers from its big communist neighbor. Also, China is training North Korean cyber warriors now numbering – according to uncorroborated reports – around 5900. In addition, some members of North Korea’s Unit 121 of the Reconnaissance General Bureau of the Korean People’s Army, an elite DPRK hacker unit, are allegedly stationed in and operate out of Shenyang, China. As Steve Sin, a former senior U.S. intelligence analyst emphasizes: “China plays a major role supporting the North’s cyber operations.”
The FBI’s conclusions therefore can be interpreted to be both a warning to China, as well as clarification of the United States’ red line in cyberspace, which the PRC – or any other power for that matter – should not dare to cross.
Delineating this red line is an integral part of a cyber deterrence strategy.
In its simplest form any good deterrence strategy is build upon two principle factors: good defense and the threat of retaliation. In addition, attribution – tracing back an attack to a specific source – is paramount. In the murky world of cyberspace, correctly attributing attacks remains one of the greatest challenges. However, even more challenging for policy makers is to figure out the figurative red line in cyberspace that would trigger sever active defense measures by nation states such as strategic retaliatory strikes (not to be confused with low-impact DDOS attacks). This is mostly due to a lack of genuine communication and signaling mechanisms in cyberspace.
As I have written in the past, the United States has clearly signaled that Washington is interested in a de-escalation of tensions in cyberspace. However, this approach has gained no traction so far in China due to the diplomatic fallout mostly caused by the NSA scandal, and the PRC’s perceived technological inferiority in cyberspace.
The FBI’s conclusions and new sanctions signal that the U.S. government is ready to progress up the escalation ladder from “naming and shaming” alleged state-sponsored hackers via the U.S. private sector and media (e.g., the 2013 Mandiant Report), to a more direct approach. Specifically referring to the Sony Pictures hack the security analyst Bruce Schneier thinks that, “it’s a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior.”
In all of this we have to keep in mind that any serious analysis of nation state activities in cyberspace must be caveated with the fact that we have to evaluate evidence based on primarily open source intelligence, which does not provide us with an entirely accurate picture. However, this fact should not subtract from the slowly emerging macro picture that the United States is increasingly taking a tougher stance vis-à-vis antagonistic powers in cyberspace.