Sony Pictures Entertainment was recently pwned by a group calling themselves the Guardians of Peace, ostensibly acting under the guidance of the North Korean government (this is subject to debate, here). There are a ton of highly intelligent, well-researched summaries of what happened, like the one here, or here, so we won’t try to duplicate their work. Needless to say, it was bad that the hackers took advantage of a culture of bad cybersecurity practice at Sony. Thanks to a bevy of embarrassing cybersecurity practices, worse cybersecurity discourse, and a growing culture of fear in Washington (and around the world), there is little doubt that this incident will be spun to support poorly-drafted laws that infringe upon user rights and do nothing to increase security.
We shouldn’t, and we don’t, have to sacrifice privacy to achieve better network security. The U.S. Congress needs to reject any legislation that would attack our privacy, such as an invasive information sharing regime.
Unfortunately, in the U.S., the two legislative proposals currently at the front of the cybersecurity debate are riddled with harmful loopholes and ambiguities. These proposals include Mike Rogers’ Cybersecurity Information Sharing and Protection Act (CISPA)* (closely related to the Cybersecurity Information Sharing Act [CISA] in the Senate), and the even-worse SECURE IT Act, sponsored by Representative Marsha Blackburn. These bills all contain information sharing regimes that encourage the sharing of private information through comprehensive immunity with few protections for the private information.
It is highly unlikely that any of the proposed pieces of information-sharing legislation, and in fact any information sharing regime at all, would have prevented the Sony Pictures hack or others like it. Sony Pictures was already well aware that it was vulnerable before the attack, having suffered a similar breach in February. Months after this breach, an internal report detailed Sony Picture’s widespread system weaknesses (and let’s not even get into the numerous attacks against other Sony subsidiaries). Further, evidence obtained from Sony Picture’s systems implicated a current or former employee as having assisted in the attack.
And now, policymakers are in a frenzy trying to figure out an appropriate response, each one more bizarre than the one before it. Senator John McCain called the hack an act of war. Other suggestions have called for exercising eminent domain to seize The Interview, the movie that was the purported reason for the attack, or having the government buy the film in order to grant people the choice to view it. It is possible the U.S. has already retaliated: Yesterday, there was total internet outtage in North Korea (all 1,024 IP addresses). Importantly, we don’t know who is responsible for the reported outages in North Korea, it could be state-sponsored or independent actors, or North Korea itself. Attribution is notoriously hard following a cyber attack (remember, there is educated doubt that North Korea is even responsible for Sony Pictures’ attack).
When, if ever, is it appropriate for the state to get involved in an attack on a private company? Last week, Michael McCaul, Chairman of the House of Representatives Homeland Security Committee, said that the lack of cyber battle lines makes it difficult to assess an appropriate response. The Tallinn Manual provides expert guidance, in lieu of a comprehensive treaty. The manual provides analysis of the application of existing international law, including jus ad bellum (necessary criteria for war) and humanitarian law and cyberwarfare.
Using the Tallinn Manual as a reference, the Chair of International Law at the U.S. Naval War College, Michael Schmitt, recently explained why, at most, the Sony hack justifies countermeasures “subject to strict limitations dealing with such matters as notice, proportionality, and timing.” In other words, the attack was not an act of war and the U.S. response should not treat it as such. As Access and a number of civil society organizations wrote in a letter to President Obama, we cannot conflate cyberwarfare with other, lesser cyber incidents, lest every time a U.S. company is breached we unleash the doges of war.
There is also domestic guidance on the issue of cyberwarfare. In 2002, George W. Bush issued National Security Presidential Directive 16 (NSPD-16). The still-classified policy directive contained the conditions for launching an offensive cyber attack. NSPD-16 should be made public in order to open debate on whether the standards conform to international law, which includes prohibitions against attacking civilians, and for greater understanding of circumstances under which the U.S. may pursue a declaration of war against state and non-state actors.
We need solutions that will better protect users. And Sony and dozens of other companies need to do a better job of protecting their systems. Period. Rather than focusing on information sharing, Congress should instead incentivize improved digital security, including timely resolution of known vulnerabilities and more security by design. Our Data Security Action Plan gives a list of basic digital security considerations that any party who chooses to collect personal data must take into account. Congress should also take several other non-controversial steps to demonstrably increase security for users. For example, there also needs to be more transparency through broader data notification rules. Congress recently passed a data notification requirement for the federal government, which should be extended to the private sector.
These solutions work to increase both network security and user privacy. We urge Congress to reject CISPA, CISA, SECURE IT, and any other harmful legislation masked by a playful acronym, and instead pass holistic cybersecurity legislation designed to protect the interests of users.
* note: Mike Rogers (R-MI), CISPA’s sponsor, has retired from Congress, but it is doubtful that his absence will mean that we’ve seen the last of the harmful bill