Binary code with 'password' in red

commentary

(Newsweek)

February 9, 2015

Cyberattacks Are a Nuisance, Not Terrorism

Photo by mimadeo/Fotolia

by Martin C. Libicki

Cyberterrorism, theoretically, isn't supposed to exist. Terrorism, after all, is defined as the use of attacks to create visceral fear. Yet, almost all of what cyberattacks have done so far has been to computers—and computers lack viscera.

Nevertheless, the December attack on Sony, coupled with an earlier (though less-well reported) attack on the Las Vegas Sands Corporation, has most of the elements of terrorism, except for the visceral terror itself—even if that element later entered the equation in an offhand way.

We need to consider both the risk of further such attacks and also further ill-considered reactions that may arise if the problem of insecurity in cyberspace is shoved into the counterterrorism paradigm.

Start with the Sony hack before the release of its film The Interview, and assume this had North Korea's imprimatur. The hackers sought to harass Sony and block the distribution of The Interview, which portrayed an assassination plot against North Korea's “Dear Leader.” To this end, they penetrated Sony's systems; extracted emails from Sony executives; stole five movie files, and trashed desktop computers and servers throughout the corporation.

They then released choice emails to publicize their hack, embarrass the company's leaders and, through the release of personally identifiable information, create anxiety among employees (some of whom then sued Sony). The company's systems went down, forcing employees to work with pencil and paper. Remediation costs initially were estimated at $40 million to $100 million, though later estimates suggested a lower number.

Throughout this embarrassment, Sony continued with plans to release the film on Christmas Day. Several weeks after the hacks were revealed, the hackers upped the ante by threatening 9/11-style attacks on theaters showing the film (and hence, on theatergoers themselves). Four major movie chains backed out of showing the film.

Some misinterpreted the events as Sony withdrawing The Interview from theater distribution under the threat of cyberattack—when it was the threat of actual terrorism that was decisive.

Sony, having lost 80 percent of its domestic market, withdrew it from theater distribution. This sequence was misinterpreted by some as Sony's withdrawing the film under the threat of cyberattack—when it was the threat of actual terrorism that was decisive.

An attack similar in motivation and result was carried out against the Las Vegas Sands Corporation in February 2014. It followed corporation owner Sheldon Adelson's statements that advocated threatening Iran with nuclear strikes if it did not dismantle its nuclear capability. Suspicion for the attack thus focused on Iranians.

The hackers also trashed desktop computers and erased data on servers that helped keep track of casino winnings and losings. As with Sony, operations had to be suspended for several days. Losses were estimated at $100 million. In contrast with the Sony case, however, the hackers did not make a spectacle of their hack (perhaps the gossip of casino owners is less interesting that the gossip of movie executives) and Sands managed to keep the lid on the extent of the damage until Bloomberg BusinessWeek reported the full story.

A few earlier attacks exhibited a similar tendency to trash computers. Two attacks carried out under (supposed) Iranian auspices struck Saudi Aramco (30,000 computers trashed) and RasGas (despite network interference, there were no reports of trashed computers).

A series of attacks against South Korean banks and media companies in March 2013 (subsequently labeled “Operation Dark Seoul”) also trashed computers. On the thinking that only North Korea would care to attack South Korea, its actions established a set of cyberattack parameters that the FBI used to ascribe the Sony attack to North Korea.

Since the 1991 Michelangelo virus, people have understood that the ability to put malware onto a computer implied an ability to trash it. This took place by their overwriting the hard drive where boot-up instructions are stored. Reformatting the computer allowed the hardware to be recovered but the data would be lost. In retrospect, it is a wonder that this has not happened more often, but hackers almost always had better things to do once they put malware on a computer (such as access bank accounts or corporate servers, steal data, convert computers into bots, pop up advertisements) than to trash them.

Those days appear over, though the advent of Cryptolocker and other forms of ransomware coupled with untraceable digital currency (for blackmail payments) means that most computers are rendered inoperable from criminal not terrorist reasons.

What Makes This Terrorism?

Several attributes of these attacks echo traditional terrorism.

Soft Targets

Those who worry about cyberattacks worry over the threat that powerful actors (usually states, but perhaps well-financed non-state actors) can take down the electric power grid and crash the banking system. Others (notably a 2013 Defense Science Board study (PDF)) warned that clever hackers could catastrophically confound a network-centric military.

But these are the hard targets of society: complex critical systems whose owners are (now) aware of what is at stake. Sands and Sony are softer targets (not least, perhaps, because both are in the entertainment business, where security may have been an afterthought). More generally, large business networks with multiple ad hoc connections to partners, vendors and websites are nearly impossible to defend against assiduous (and not necessarily elite) hackers.

Because they do not defend obviously hypercritical assets, their owners rarely have cause or inclination to compartmentalize them. Barring a radical change in the systems industry, they remain soft targets, capable of being trashed.

(Without knowing what other corporation or corporate head has seriously angered Iran and/or North Korea, one cannot know whether there are comparable targets that one or the other wanted but failed to strike successfully. Nevertheless, it seems in both cases, the hackers succeeded in compromising the networks they wanted to and without inadvertently taking down systems of other organizations.)

Similarly, physical terrorists have learned that the really critical infrastructures of advanced countries are difficult to take down, but they need not be assaulted if similar levels of pain and attention can be generated by going after the thousands of undefended places where people congregate (such as coffee shops, food markets, trains). The January attack on the Paris office of Charlie Hebdo is an example of this.

Weapon of the Weak

If either Iran or North Korea were strong and influential, they might have been able to head off being treated with what they regarded as such disrespect by tried-and-true methods of pressure and financial leverage. But they are weak players and had to use other, more disruptive methods.

Conventional terrorism is also a weapon used by those without the ability to carry out conventional military tasks such as defending populations, or attacking the other side's military.

Political Motives

Hacking systems primarily to make a political point has been around almost as long as hacking. And hacking to spite those who insult you has already been done (for example, what Anonymous did to HBGary in early 2011). But political motives are unprecedented for hacks as large as those against Sony and Sands.

The messaging of these hacks—be careful whom you diss—can be considered an attempt by countries to regulate global political speech through explicit threats against their exercise. Similar acts of enforcing political correctness through the threat of terror have been attempted against a Danish cartoonist and a Dutch filmmaker (in the latter case, fatally). The Charlie Hebdo attack is a reminder that exercising free speech brings with it a risk of real terrorist threats well beyond what we might strain to label as cyberterrorism.

Wanton Destruction

Most of those who invade information systems do so to seize something of value, whether it is intellectual property, business proprietary data, or personally identifiable information. The victims may lose, but the attackers gain something they can use.

Physical terrorists gain nothing for themselves; their entire interaction with their victims is one of loss, whether their attacks are random or aimed at specific targets. So too it is with the hacks of Sands and Sony. The latter two lost, but the hackers have filled no other needs.

Terror

The hackers in neither case were capable of causing visceral fear—directly. As noted, the Sony hackers had to make threats of violence to get their way. These threats were taken seriously, despite the Department of Homeland Security's announcing that nothing indicated that there was anything behind the threats.

Hence the question: Would such threats have been taken so seriously had they not followed successful cyberattacks? After all, there is no reason why hackers should be taken seriously as experts in killing people; they take different skill sets. It is very difficult to generate a credible hacking threat against a specific target; if such a threat were believed, the victims would find ways of countering it (either by fixing faults, or by taking pains to disable network features that they otherwise find valuable).

To wit, the ability to threaten with any specificity tends to be self-abnegating. Perhaps a tendency to regard good hackers with awe and wonder may have led people to ask: If these hackers were so powerful as to compromise Sony, how do we know they cannot pull off a very different class of attack?

The difference between a costly annoyance and terror matters in another way. Terrorism is intended to influence an audience larger than those directly affected. After the Sony hack, any company contemplating a movie about North Korea (or Iran, or another rogue state) now has to enter the risk of cyberattack into its calculus of costs and profits from moviemaking—just as it has to enter the risks arising from lawsuits.

But these risks can be analyzed rationally. By contrast, after the 9/11 attacks many individuals abandoned the choice to fly and choose instead to drive—in which the odds of death per mile traveled are considerably higher. Visceral fear causes irrational behavior.

Is There a Counterterrorism Analog in Cyberspace?

Countries can choose to treat terrorism as a threat to public safety or a national security threat.

As a threat to public safety, the natural question is what policies should be adopted to minimize the total cost of terrorism—in which cost is defined as the sum of the consequences of successful terrorism and the resources required to keep terrorism from being no more consequential than it is. The difficulty of putting a price on human life, and the even greater difficulty of putting a price on being able to live without fear (notwithstanding the poor correlation between what people fear and what they should fear, based on statistics) complicate such calculations but do not obviate the principle: Terrorism is but one threat among many to public safety, and there are sound ways to analyze alternative ways of spending money to improve public safety.

Once labeled a national security threat, economic questions are considered illegitimate. Such threats must, accordingly, be defeated as long as countries can afford to do so. The United States responded to the 9/11 attacks as if they threatened the nation's security—and spent a great deal of money and blood in doing so.

(Even if one believes that the wars that the United States fought in Iraq and Afghanistan reduced the odds of subsequent 9/11s, how many 9/11s would have had to be stopped to make the costs of such wars—in money and blood—worthwhile?)

Yet it is hard to conceive of any way that the terrorists could have threatened the nation's security in the sense of being able to occupy the country, change the government, make the country into a vassal, impoverish its citizens, or seize its territory.

The debate over whether cyberattacks should be treated as national security or public safety concerns was shoved forward with the Sony hack. President Obama declared it was an act of vandalism, not war. Others, such as Newt Gingrich and Senate Armed Services Committee Chairman John McCain, would treat it as war.

Without visceral terror, the logic of treating attacks like that on Sony as public safety threats, much less national security issues, is strained.

But without visceral terror, the logic of treating attacks like that on Sony as public safety threats, much less national security issues, is strained. Inasmuch as cyberattacks have yet to hurt anyone directly, non-military cyberattacks can be treated almost entirely in economic terms. There is no sound alternative to a cost-minimization test of public policy.

Along such lines, it is worth noting that the United States keeps 28,500 troops in Korea at no small cost. As a rough order of magnitude guess, it costs $1 million to support one warfighter in Iraq and Afghanistan, making the Korean cost $28.5 billion. Conversely, it is unclear whether the size of the U.S. Armed Forces would be correspondingly reduced in a world without North Korea.

The Sony hacks cost the United States less than one percent of that amount. When it comes to U.S. policy vis-á-vis North Korea, the conventional military threat remains the big dog; cyberattacks are no more than the small tail by comparison.


Martin Libicki is a senior management scientist at the nonprofit, nonpartisan RAND Corporation.

This commentary originally appeared on Newsweek on February 8, 2015. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.