Friday, April 3, 2015
Obama Cyber Sanctions: Reality or Illusion?
By James McFarlin
Affirming that cyber threats "pose one of the most serious economic and national security challenges to the United States," President Barack Obama on April 1 announced the intent to level sanctions against hackers, foreign state-owned corporations and nation-states that harmfully attack U.S. critical information networks.
Serious questions remain, however, as to whether such sanctions will have the intended deterrent effect. Or even take place at all. Let's look at three major questions on the viability of such actions:
Attribution. Affirmatively placing blame for attacks is a tricky, often inconclusive and in all cases elusive endeavor. Many remember the wide discussion, even heated arguments, over who was actually responsible for the Sony Pictures hack. The government claimed it was North Korea. I have been in presentations where impressive evidence was presented that the real attackers were, in one case, Russian, and in a second case, Sony insiders. This is not an unusual circumstance.
Without confirmation of an attacker's identity, how can sanctions or retaliatory action of any type be launched? They can't.
Type of Response. What level of sanctions is warranted by specific cyber theft, espionage, or other attacks? What is the process of determination and which government body makes such decisions? It is widely believed, for example, that the U.S. fumbled the handling of the Sony attacks.
Who is to say future government cyberattack responses under Obama's sanctions order will be any different? This is unproven territory where it is best to tread carefully.
Foreign Retaliation. We are living in a world where unintended consequences abound. What if foreign hackers sanctioned for cyber attacks decide to change identities (easily done, in many ways) and make additional, even more damaging attacks on the U.S., such as to our power grid or transportation systems? What if a nation-state sanctioned for espionage against the U.S. retaliates by stopping all trade with specific American technology firms?
It is not too hard to see that Pandora's Box, once opened by tenuous and perhaps unproven sanctions actions, can rain even more harmful cyber dangers on the U.S.
The point is, the problems of attribution, lack of response definition and the level of potential 'what ifs' may very well checkmate the U.S.-levied sanctions in many unintended ways, severely limiting the implementation of such actions.
If such sanctions occur at all. In which case, we have an illusion and a few headlines, nothing more.