Over at EvenTheLiberalAlthoughNowItsActuallyDead New Republic, Yishai Schwartz takes a break from cheering on the killing of children in Gaza and hilariously overreacting to recent developments with respect to Cuba to ask this question:
The answer is simple but multi-part:
- Apart from the government saying “trust us, it’s North Korea” (which, you know, fool me once…) it’s still actually unclear against whom we should be retaliating. Really, really unclear. Schwartz argues that the government was “dithering” for all those weeks when it wouldn’t declare North Korea responsible for the attack, but how can it be dithering when it’s still not clear that North Korea was responsible?
- It’s not really the government’s job to wage war, even cyber-war, on behalf of the property rights of a single private corporation, particularly when that corporation can’t be bothered to take the most basic steps to protect its own property. I know, I know, it’s about artistic expression and freedom of speech, not property! And those principles are important! But both could be protected if Sony were to release “The Interview” online or via video on demand! The fact that they’re refusing to do that tells you that it’s really not about principle as far as they’re concerned.
- It’s not at all clear what “retaliation” looks like here, which I guess could be a sign of “poor planning” but is really a function of this particular case. Aside from not actually knowing who was behind the attack or how much of the fallout was essentially Sony’s fault for its terrible security practices, what would the nature of the retaliation be? Do you target a North Korean corporation in a tit-for-tat move? If so, uh, good luck finding a “North Korean corporation.” Should we levy sanctions against North Korea, put them back on the terrorist sponsor list? Yeah, isolating a country that’s already completely isolated, that should do the trick! If we can make the poorest country on the face of the Earth incrementally poorer, they’ll definitely end this behavior that they may not even have perpetrated in the first place.
Now, let’s dive a little deeper.
Schwartz, and I know this will come as a shock, wants war, albeit of the cyber flavor:
It need not be this way. During the Cold War, American strategists developed complex doctrines of multi-layered deterrence. In the early years, figures like President Dwight Eisenhower were taken with the idea that nuclear weapons might provide the ultimate deterrent—and that conventional weapons were becoming obsolete. But over time, we learned that nuclear weapons really only deter other nuclear weapons—and that, to avoid unacceptable escalations, conventional Soviet attacks would have to be countered by conventional American responses. To provide a credible threat and effective deterrent, the United States poured resources into developing a full arsenal of graduated, flexible responses, and devoted the time and care into developing a comprehensive strategy that allowed for their swift deployment.
It is past time to do the same for the sphere of cyber-war. Weeks after the initial attacks on Sony, the hemming and hawing and internal White House debate over whether to even publicly identify North Korea as the perpetrator are no longer a sign of caution, but of dithering and poor planning. Some Pentagon shelf is no doubt stocked with contingency plans for various levels of retaliation against various levels of kinetic aggression from unfriendly states. Similar plans should have been developed in the cybersphere years ago, and the president should be prepared to deploy them. The only way to prevent future attacks is for foreign governments to know that attacks against U.S. targets—cyber or kinetic—will bring fierce, yet proportionally appropriate, responses. In order for other governments to know that the U.S. will respond, first our government must know that it will respond.
Yeah, there’s that question of “proportionally appropriate,” but part of doing punditry is never having to fill in the details. The best thing that could come out of this episode isn’t a flailing retaliatory strike against North Korea’s…something. It’s a firm commitment to improving this country’s cyber-security across the board, from all levels of government to the private sector. But, sorry, private corporations have to take responsibility for protecting their own stuff. The idea that it’s Washington’s job to protect Sony’s emails from hackers comes out of the same mindset that brought you the Wall Street bailout, the one that says it’s OK for private companies to privatize profits and socialize losses. If Sony can’t be bothered to invest in the resources needed to protect itself (and this isn’t the first time they’ve been hacked, you know?), why should the rest of us have to step in and do it for them?
Obviously the feds should pursue the perpetrators of this hack and do their best to punish them for it, treating it as the crime it is. But just as you wouldn’t send the Marines into Pyongyang if a couple of DPRK government officials stole a laptop out of Sony Pictures Entertainment’s corporate HQ, you shouldn’t mobilize whatever cyber-war capabilities the government has over this hack. And if that analogy isn’t absurd enough for you, imagine that the DPRK guys were able to steal the laptop because SPE leaves its HQ unlocked and unguarded at night and never bothered to invest in an alarm system. Are you really going to go to war over that?
Bonus Round: In the midst of his tirade, Schwartz offers this nugget:
The government’s passivity in the face of these cyberattacks is not entirely unreasonable. As with other forms of terrorism and non-traditional warfare, it is often difficult to trace precisely who is responsible for a cyberattack and the degree of state culpability. And neither slot machines nor Seth Rogen are exactly critical U.S. infrastructure. What’s more, cyber-operations inevitably reveal something about our capabilities and can swiftly be coopted by our enemies. Elements of the Stuxnet virus (a presumably Israeli creation that successfully set back Iran’s nuclear program by years) have begun cropping up in other cyber-attacks across the globe, as Bruce Schneier, a cyber-security expert affiliated with Harvard’s Berkman Center, told me recently.
Successfully set back Iran’s nuclear program by years, you say? Sadly, no!
But the IAEA’s files also show a feverish – and apparently successful – effort by Iranian scientists to contain the damage and replace broken parts, even while constrained by international sanctions banning Iran from purchasing nuclear equipment. An IAEA report due for release this month is expected to show steady or even slightly elevated production rates at the Natanz enrichment plant over the past year.
“They have been able to quickly replace broken machines,” said a Western diplomat with access to confidential IAEA reports. Despite the setbacks, “the Iranians appeared to be working hard to maintain a constant, stable output” of low-enriched uranium, said the official, who like other diplomats interviewed for this article insisted on anonymity to discuss the results of the U.N. watchdog’s data collection.
The IAEA’s findings, combined with new analysis of the Stuxnet worm by independent experts, offer a mixed portrait of the mysterious cyberattack that briefly shut down parts of Iran’s nuclear infrastructure last year. The new reports shed light on the design of the worm and how it spread through a string of Iranian companies before invading the control systems of Iran’s most sensitive nuclear installations.
But they also put a spotlight on the effectiveness of the attack in curbing Iran’s nuclear ambitions. A draft report by Washington-based nuclear experts concludes that the net impact was relatively minor.