Everybody jokes about the Sony hack. Two comedians blow up Kim Jung Un, a movie studio gets hacked, emails come out badmouthing Hollywood, the movie is pulled from theaters, and then reinstated at the last minute. In reality, though, it’s not funny at all. If North Korea really did it, it would be the first time an organized, foreign cyber threat has waged a destructive attack on private citizens of the United States.

THE SONY HACK IS INDICATIVE OF A NEW BREED OF TERRORISM TARGETING OUR COMPANIES, OUR CITIZENS, AND OUR WAY OF LIFE.
After years of waging increasingly disruptive and destructive cyber attacks on the banks, media, government, and military of its southern neighbor, North Korea may have shifted its sights to us. The Sony hack is indicative of a new breed of terrorism targeting our companies, our citizens, and our way of life. If we don’t draw a clear, public line in the sand showing that there will be serious consequences for destructive cyber attacks on U.S. companies, it will only make matters worse.


At first glance, cyber attacks may not seem as scary as setting off bombs in public, but they can cause much more targeted chaos: effectively destroying critical infrastructure and the systems that allow our society to function. With its latest hacks, North Korea has pushed the boundaries for conducting “cyber attacks” that fall short of acts of war. Since at least 2009, North Korea has conducted or sponsored increasingly painful attacks, demonstrating a willingness to blur the line between the cyber and physical worlds—leveraging computer systems breaches to destroy real-world machines and business functions. North Korea has long supported cyber attacks against South Korea, and the escalation of the consequences show clear evidence of just how destructive cyber attacks can be.

Attacks don’t have to be particularly sophisticated to cause significant real-world harm. Back in 2009 and 2011, North Korea built a botnet (a network of hijacked computers controlled by malware) to conduct distributed denial of service (DDoS) attacks against major South Korean corporations and government organizations. Attacks like these are fairly straightforward, sending an overwhelming amount of network traffic to websites, causing them to crash and blocking legitimate visitors. While taking down a website may seem like an inconvenience rather than a real threat, imagine blocking access to a major ecommerce site, like Amazon, or a government portal that people need to file for unemployment.

Then, in April 2011, Nonghyup Agricultural Bank, a mid-sized South Korean bank, suffered intermittent service outages for three weeks after malware took down 273 of its 587 servers. While there was no smoking gun, a mountain of publicly available technical and circumstantial evidence led the South Korean government and many independent security firms to confidently link the Nonghyup attack to North Korea. For two days, all banking services were completely disabled and suffered intermittent issues for the next 18 days. Fortunately, because many South Koreans have multiple accounts at several banks, and the outage caused few major problems for ordinary citizens. However, if a similar attack were perpetrated against a major U.S. bank, it could cause major financial problems and widespread public panic, since many Americans only have one bank account and could be completely unable to access critical funds.

North Korea’s destructive attacks didn’t stop there. In June 2012, hackers destroyed article and photo databases and the editing production system at two conservative South Korean newspapers, one week after the North Korean military criticized them for their negative coverage. And, in March 2013, tens of thousands of computers at six South Korean banks and broadcasters simultaneously stopped working after malware overwrote critical hard drive components with the names of Roman army units. While these last two incidents may not seem like incredibly destructive or dangerous attacks, they set a precedent for targeting journalists, media outlets, and individuals that voiced disagreement with the North Korean regime. They were attacks on free speech.

LAST MONTH’S SONY ATTACK COULD BE THE FIRST PUBLICLY DISCLOSED, NATION-STATE-SPONSORED DESTRUCTIVE ATTACK ON AN AMERICAN BUSINESS.

If the FBI’s attribution is correct, the North Korean government sponsored an attack in November on the California-based company Sony Pictures Entertainment. Under the guise of a hacktivist group calling itself “Guardians of Peace,” hackers rendered workstations useless and leaked unreleased movies, corporate documents, emails, and scripts, causing damages estimated to exceed $100 million.

The Sony attack presents a new challenge for the United States. While other companies have faced destructive attacks before, last month’s Sony attack could be the first publicly disclosed, nation-state-sponsored destructive attack on an American business. Destructive attacks not only disable computers, but also threaten their data, the systems that operate on them, and the companies that profit from them.
No longer can companies just worry about other nations that use their hacker corps to steal intellectual property and monitor corporate strategic planning. The fate of Nonghyup Bank raises the specter of the scale of attacks that will inevitably be attempted on other U.S. companies, affecting not just businesses, but the citizens that rely on them for their livelihood. Banks are only one potential target. Hospitals, power grids, and nuclear plants are others, and the stakes for deterring destructive attacks are of the highest order. North Korea and other rogue states will likely continue to push the boundaries of destructive cyberterrorism, skirting the edge of outright war, unless we take decisive action.

This threat necessitates a strong, public U.S. government response that is markedly different from its reaction to cyber espionage. Shaming hackers behind intellectual property breaches would have even less of an effect on North Korea than it had on deterring Chinese hacking attempts. In fact, it would have completely none. President Obama also cannot treat the Sony cyber attack as an act of war. The attack has not resulted in loss of life or gravely harmed a critical infrastructure sector. America’s first cyber war has not been lost, because it has not yet begun.

Whatever its reaction, the Obama administration will set new standards for a legitimate “proportional response” to financially costly, but ultimately bloodless, cyber attacks. America’s friends and foes alike can be expected to watch this decision closely and will likely point to it when they, too, must eventually react to cyber attacks on their people and institutions. Some have suggested that the United States conducted the unsophisticated, low-bandwidth DDoS attacks that knocked North Korea off the Internet yesterday and today. In addition to this attribution being highly unlikely, this attack wouldn’t have sent nearly a clear or potent enough message.

As it stands, pariah states like North Korea are able to accomplish with cyber armies what they can’t with traditional ones: project power and fear globally, even in the United States, without shedding a single drop of blood. America’s response to recent attacks must be significant enough to alter their calculus on whether it’s still a wise investment to build new cyber armies or launch even more destructive cyber attacks. We need to set a clear precedent; otherwise there is no disincentive for state-sponsored cyberterrorism.