Cyber attacks are not 9/11…not Pearl Harbor.
Dismissing the conspiracy theories, 9/11 and Pearl Harbor can be attributed.
The more I read about the cyber attack on Sony Pictures Entertainment, the more I come to learn how extremely difficult it is to attribute cyber attacks.
It’s another lesson I have come to absorb as we take on cyber risk and it is one that will stick with me because of the seriousness of cyberwar.
Even before the FBI released a statement declaring that the North Korean government was behind the cyber attack against Sony, there was talk of cyberwar on news programs—mentioned oftentimes much too casually for my liking, in fact.
I don’t think people understand what going to cyberwar means. I do not. I can be sure of that. But I imagine it has a much different feel than our troops “over there” while we remain here. I think we’d be dealing much more often with first-hand consequences of a cyberwar declaration.
It may be why President Obama was careful not to call this attack against Sony an act of war, but instead an “act of cyber vandalism.”
But beyond this are many reports from cybersecurity experts who have come out against the FBI’s findings.
I was directed by Risk Based Security’s coverage of the Sony attack to a blog written by StreetCred Software CEO Nick Selby entitled “I Have No Idea Who Hacked Sony. And Neither Do You.” It is a great summation of what has happened since the FBI pointed the finger at North Korea.
Selby says he has learned attribution is not easy. In cyberspace it is easier to fix what has happened than to find out who is responsible for it happening, he says. And many others seem to agree. If they have not come right out and said so, at the very least the intense assertions of cyber experts contradicting the FBI’s conclusions say it for them. Attribution of cyber attacks is a tough nut to crack.
Last September at The Chertoff Group Security Series conference in New York, Joe Demarest, associate director of the FBI’s cyber division, advised private companies against retribution for a cyber attack because attribution is so difficult. Even the government has a hard time with it, he said. (Retribution is also illegal, he warned.)
And even if there was a clear-as-day attack against this country by a nation state flipping us a giant “bird” on the other end of a telescope lens, then what? No one is prepared for what could come next. I don’t believe so. I think the prospect of a cyberwar is like nuclear war. Countries have bombs but no one is really prepared for what happens when a country launches one.
Therefore it may be a very good time to get our you-know-what in gear. And keep in mind, I am also reminded of something Dwayne Melancon, chief technology officer at Tripwire, said on the retribution/attribution topic during that Chertoff conference: “It doesn’t end when you say it’s done.”