On Wednesday, Sony cancelled the release of its latest mediocre Seth Rogen comedy, The Interview, in the face of terrorism threats from hackers who had been wreaking havoc on the company since late November. Reportedly, American intelligence officials are convinced that the North Korean government was “centrally involved," but they seem paralyzed about how to respond. That alone is upsetting, but even more disturbing is the apparent absence of a readily available doctrine for dealing with attacks of this kind.
This is not the first time a foreign government has targeted American-based companies for political reasons. Earlier this year, a sophisticated cyberattack shut down the computers, phones, email and other technology systems of the Las Vegas Sands Corporation, seriously disrupting the $14 billion operation. Investigators quickly concluded that the attack had originated in Iran, something that experts believe would not have been possible without the cooperation of the governing regime. Given the timing, the attacks were likely motivated by Iranian anger at Sands owner Sheldon Adelson’s calls for military action against Iran’s nuclear program. But as with Sony, the U.S. government’s response was almost entirely passive. As former CIA Director Michael Hayden told Bloomberg Businessweek, “If this would have come across my desk when I was in government, I would have just put it in the outbox.”
The government’s passivity in the face of these cyberattacks is not entirely unreasonable. As with other forms of terrorism and non-traditional warfare, it is often difficult to trace precisely who is responsible for a cyberattack and the degree of state culpability. And neither slot machines nor Seth Rogen are exactly critical U.S. infrastructure. What’s more, cyber-operations inevitably reveal something about our capabilities and can swiftly be coopted by our enemies. Elements of the Stuxnet virus (a presumably Israeli creation that successfully set back Iran’s nuclear program by years) have begun cropping up in other cyber-attacks across the globe, as Bruce Schneier, a cyber-security expert affiliated with Harvard’s Berkman Center, told me recently.
These concerns are reasons for caution, not an excuse for inaction. The cyberattacks on Sands and Sony have already cost millions, if not billions in property damage, and they have dealt a chilling blow to freedom of expression. It’s bad enough that totalitarian regimes control the artistic output of their own countries, but that they could successfully restrict speech in the world’s greatest superpower is as bewildering as it is frightening. The entire reason for the existence of a state is the protection of its citizens, especially from foreign threats. If states can no longer play this role then we are well on our way to returning to the state of nature.
It need not be this way. During the Cold War, American strategists developed complex doctrines of multi-layered deterrence. In the early years, figures like President Dwight Eisenhower were taken with the idea that nuclear weapons might provide the ultimate deterrent—and that conventional weapons were becoming obsolete. But over time, we learned that nuclear weapons really only deter other nuclear weapons—and that, to avoid unacceptable escalations, conventional Soviet attacks would have to be countered by conventional American responses. To provide a credible threat and effective deterrent, the United States poured resources into developing a full arsenal of graduated, flexible responses, and devoted the time and care into developing a comprehensive strategy that allowed for their swift deployment.
It is past time to do the same for the sphere of cyber-war. Weeks after the initial attacks on Sony, the hemming and hawing and internal White House debate over whether to even publicly identify North Korea as the perpetrator are no longer a sign of caution, but of dithering and poor planning. Some Pentagon shelf is no doubt stocked with contingency plans for various levels of retaliation against various levels of kinetic aggression from unfriendly states. Similar plans should have been developed in the cybersphere years ago, and the president should be prepared to deploy them. The only way to prevent future attacks is for foreign governments to know that attacks against U.S. targets—cyber or kinetic—will bring fierce, yet proportionally appropriate, responses. In order for other governments to know that the U.S. will respond, first our government must know that it will respond.
In a 2012 speech, then-Secretary of Defense Leon Panetta outlined a doctrine of cyber-deterrence that involved retaliation only against those attacks that cause “significant, physical destruction in the United States or kill American citizens.” This is no longer enough. Deterrence against large-scale attacks is critical, but so is the everyday security that allows Americans to produce satirical films. Giving up on the latter because it is not quite a “Cyber Pearl Harbor” is an invitation to the slow, steady erosion of basic freedoms that we too often take for granted.
Correction: A previous version of this article stated that the Las Vegas Sands Corporation is a $14 million operation. It is a $14 billion operation.