Throughout 2014, there has been a constant stream of cyber attacks, culminating in the state-sponsored attack on Sony Pictures Entertainment. There were thousands, and every month brought significant attacks on business and government computer systems. A monthly listing of notable 2014 cyber attacks from many sources follows this blog post. The most complete listing available with details covering the past several years can be found at hackmageddon.com.
How to respond to hackers is the central issue presented by the attack on Sony. Based on FBI reports, North Korean hackers called The Guardians of Peace attacked Sony Pictures Entertainment in late November and obtained a large amount of embarrassing emails and other data. The FBI was investigating when the hackers pressured Sony and threatened theater chains to pull the scheduled release of The Interview, a movie that ends with the assassination of North Korean President Kim Jong Un. President Obama criticized Sony’s decision as a mistake. Subsequently, it was revealed that the U.S. Government asked China to help stop the North Korean hackers, an awkward request given that in May 2014 the United States indicted five Chinese military officials for hacking and economic espionage against 6 American businesses. Some commentators suggest China helped or was complicit in the attack on Sony. Meanwhile, as the first response, Sony has brought in Mandiant to fix and strengthen Sony’s IT systems.
All of this is bewilderingly new for businesses. They are now combating foreign government hackers, not just home-grown computer geeks who hack for the fun of it. Often, extortion is part of the cyber attack plan. Publicly, the United States is projecting confidence and talking tough, but the government is in uncharted territory.
What are the appropriate offensive responses by the attacked businesses and by the government to state-sponsored cyber attacks? President Obama stated that there would be a “proportionate” response to the cyber attack against Sony.
There is no debate over defensive measures. The first line of defense for a business is security protection and detection, but many defenses are not adequate to stop the hackers. The same is true for the government, which has the single largest collection of computer systems.
Offensive responses to a cyber attack can come from the victim and from the government in the attacked country. Businesses that have been attacked notify their customers and offer protection against credit fraud and identify theft. They have to prepare for legal fallout. Attacked businesses have been sued – Target, eBay, and others – but not always with success. A class action suit against P.F. Chang’s for inadequate security measures was dismissed on December 10 because the plaintiffs could not show actual harm. Lewert v. P.F. Chang’s China Bistro Inc., No. 1:14-cv-04787, Memo Op. (N.D. Ill. Dec. 10, 2014).
Governmental offensive responses are evolving. They may involve marshalling international and domestic resources. Behind-the-scenes diplomacy can be used to have foreign governments reign in their hackers and hold them accountable. But rogue governments like North Korea do not respond to U.S. diplomacy, so seeking the “good offices” of other foreign governments is attempted. Economic sanctions against the hacker as an individual or as a group, or against a foreign state sponsoring hackers, are an obvious response, but effective economic sanctions require cooperation from other foreign governments.
President Obama’s proportionate response suggests a counter cyber attack against North Korea, and the internet did go down for a day or two in North Korea after the Sony attack. The U.S. State Department was evasive about whether the United States was responsible for the internet shutdown in North Korea. It would be not be responsible for the United States to take a video-game attitude towards responding to state-sponsored hackers.
It has been suggested that a state-sponsored cyber attack is an act of war that could justify a military response. President Obama has rejected an act of war approach. Remember, no one has lost a life due to a cyber attack – yet. A drone counter-attack on suspected hackers would be a disproportionate response to the cyber attacks that have occurred to date, but an escalation in the severity of a state-sponsored cyber attack to cyber-terrorism could alter the equation.
Domestically, the United States has laws that make cyber attacks a crime. One of the earliest of the federal statutes is the 1986 Computer Fraud and Abuse Act that prohibits unauthorized access to computers to obtain or damage information, 18 U.S.C. §1030. Although this statute has produced few convictions, in 2013 a man with the online handle “weev” was sentenced to 41 months in prison for hacking and obtaining thousands of email addresses from AT&T. The Third Circuit, however, ultimately vacated the conviction on the basis of improper venue but did not address the substantive issue of the legality of site access. U.S. v. Auernheimer, 748 F.3d 525 (3d. Cir. 2014). The indictment against the 5 Chinese military officials was brought pursuant to the Act. The Department of Justice press release can be found here. There are a number of related federal criminal statutes that prohibit electronic espionage and unauthorized disclosure of government information about national defense and foreign relations. We can expect more of these cyber-crime indictments in the future.
With respect to privacy for email and other electronic communications, the Electronic Communications Privacy Act, 18 U.S.C. §2510, provides federal criminal law protections for email and electronically stored communications. In Maryland, Section 10-402 of the Courts and Judicial Proceedings Article provides state criminal law protections for electronic communications and makes violations punishable by imprisonment and fines.
Cyber attacks will continue; there is no end in sight. Businesses and governments must increase their protection and defense of their computer systems. When the inevitable attacks occur, however, the responses are critical. Whether the best defense is a good offense remains to be seen.
Notable Cyber Attacks in 2014
January – Over 4 million user names and photos exposed by an attack against Snapchat, the start-up photo-messaging app. The hackers wanted to expose security weaknesses in Snapchat’s app. Snapchat is still around.
February – eBay was attacked in February and March, reportedly by hackers in the Syrian Electronic Army. The company did not announce the attacks until May.
March – Hackers obtained data on credit and debit cards used at P.F. Chang’s beginning in March. The card information was offered for sale in June by Rescator, an underground store known for selling numbers hacked from Target.
April – The German Aerospace Center was attacked by foreign intelligence agency – not clear what country.
May – Internet security company Avast, which sells computer security software, was attacked resulting in a support forum going offline and threatening a leak of about 400,000 records. Meanwhile, the hacker group “Anonymous” announced plans for cyber attacks against the U.S. government and financial institutions as pay back for war crimes.
June – AT&T advised its affected customers that an employee of a service provider accessed account information without authorization.
July – A server at the Montana Health Department was attacked, causing the department to notify 1.3 million patients and offer free credit monitoring and identity protection. No harm appears to have actually occurred.
August – Namecheap, a domain name registrar and hosting company, was attacked by Russian-based “CyberVor” that used over a billion user names and passwords during the attack. Most of the attempted logins failed, but some accounts were compromised.
September – Japan Airlines was attacked, but the big news was the posting of nude and other private photos of 16 celebrities on several websites. The hackers attacked Apple iCloud servers. Wikipedia has the complete story.
October – An unclassified computer network at the White House was attacked. No hackers were identified, but some suspect Russian hackers.
November – North Korean hackers called The Guardians of Peace attacked Sony Pictures Entertainment and obtained embarrassing emails and other data. The FBI was investigating when the hackers pressured Sony and threatened theater chains to pull the scheduled release of The Interview. President Obama criticized Sony’s decision as a mistake. Then it was leaked that the U.S. Government asked China to help in stopping the North Korean hackers, even though in May 2014 the United States indicted five Chinese military officials for hacking and economic espionage against 6 American businesses.
December – The beat goes on. The German Federal Office for Information Security reported that a German steel factory was cyber attacked and shut down, causing physical injury to the factory.