North Korean agents. Russians. Disgruntled employees. Hacktivists. Whoever really orchestrated last month’s cyberattacks against Sony may be beside the point. That’s because a growing chorus of security experts is revealing the most significant flaw in the U.S. government’s defense against future cyberattacks: an utter lack of credibility.
The doubters are not Internet trolls, but many of the world’s leading cyberspecialists who share their views in tightly guarded e-mail lists. Their trust in the U.S. government matters because they will be crucial allies in future cyberconflicts, where the stakes will be far higher than the delayed release of a comedy like The Interview. From identifying and responding to serious attacks to finding ways to collaborate with industries (such as enabling law enforcement access to encrypted iPhones), the goodwill of the private sector is vital to U.S. national security.
The government’s response to the Sony attack represented a tipping point for this goodwill, which was already in short supply after the Snowden leaks and CIA torture report. Now, it’s at an absolute nadir, which makes America ill-prepared to face down the next—and potentially much more dangerous—cyberattacks.
Many technical experts began fairly early on to question the evidence available connecting the attacks with North Korea. Parts of the hackers’ message suggested their native tongue was Russian, rather than Korean—raising the specter of Moscow’s involvement. Others argued that malicious employees at Sony itself were the most likely culprits.
The information-security community regularly chats about attribution issues. But what was truly remarkable was the level of distrust directed at the U.S. government. This was not basic anti-Americanism; some of the most strident doubters of the government were its own citizens. They just would not accept the government’s assertion to “trust us.” “It’s not OK,” one noted blogger opined about this. “I’m not sure if it really ever was, but even if it was…It’s not anymore.”
This lack of confidence seriously undermines the ability of the United States to improve overall protection from serious cyberattacks. But neither the FBI’s partial disclosure of its evidence (most recently on Wednesday), nor the White House pronouncements about the attacks were in any way sufficient to address the growing skepticism.
Many of the experts casting doubt on the U.S. government position know that U.S. intelligence does not depend on computer forensics or the analysis of network data to deliver plausible attribution. The government’s ability to conduct vast signal intelligence gathering over a variety of communications media, meshed with the computational power to make sense of all this data, gives it unrivaled investigative abilities. Leaving aside the very justified moral qualms about this “collect everything” type of espionage, the government’s superior technical sleuthing should have given the outside voices pause.
It didn’t. And that’s a big problem for the United States. As recently as a few years ago, the security community would have given the official narrative the benefit of the doubt. Not anymore. Indeed, it suddenly seems reasonable to suspect the White House of knowingly falsely identifying North Korea, rather than, if the attribution turns out to be wrong, being simply incompetent. When even professionals dwell in conspiracy theories, there is something obviously going wrong.
Better communication alone will not suffice. The original FBI statements on the Sony investigation specifically did not mention intelligence-gathering means, and various half-leaks muddied the waters further. As another expert quoted in the New York Times said, a partial disclosure of evidence—being only “a little bit exposed”—was probably the worst thing the FBI could do.
One possible measure could be to review secrecy laws so that more people outside of the government and the closeted group of those with above-Top-Secret clearance can be briefed on the evidence in future cases. But most important is an awareness that trust in the national-security apparatus needs to be rebuilt, from the top down.
There have been some modest steps in this direction. In February 2013, the White House issued an executive order that also facilitated the sharing of classified information on cyberattacks, after Congress failed to approve a wider-ranging bill. It has also tried to clarify its legal position on serious state-sanctioned cyberattacks, which potentially could constitute a use of force or even an armed attack under international law. However, in January 2013, Obama also gave his memorable speech on changes in U.S. intelligence gathering in a bid to restore confidence and trust. Nearly exactly a year later, it seems apparent that this effort fell somewhat short.
Leaving the public in a state of confusion and doubt—a state of cyberaporia, if you will—may at times seem to be good national-security policy. But it is horrible public policy to lose the trust of the private sector and cybersecurity community upon which most defense depends. Without their help, the U.S. government will find it increasingly hard to ward off cyberattacks in the future.
Alexander Klimburg is an affiliate of the Harvard Kennedy School's Belfer Center, and author of a forthcoming book about global cyber security trends published by Penguin Press.