In late December, Washington accused North Korea of being “centrally involved” in a cyberattack against Sony Pictures Entertainment. Agents associated with North Korean leader Kim Jong Un’s regime, U.S. officials said, gained access to Sony’s computer network and released troves of sensitive files. The leak was followed by threats that North Korea would attack any theaters that ran The Interview, a satirical film that pokes fun at Kim. In response, many theaters refused to show the movie, and Sony pulled it (Sony later backpedaled, opting for a limited release). In turn, another film has been scrapped because it was set in North Korea, and Fox Studios decided that it would not risk distributing it. In both cases, the North Korean regime influenced decision makers by threatening punishment. This is deterrence at work.
Unfortunately, deterrence has not worked nearly as well when it comes to cyberattacks against U.S. interests. Colleges, businesses, government agencies, and not-for-profit groups have all suffered, some severely. Few, if any, of the responsible criminals have paid a price for their actions. In fact, cyberattackers, especially those sponsored by states, operate with virtual impunity. If that doesn’t change, cyberattacks will continue to increase in severity. To reverse the trend, the United States needs to establish deterrence in cyberspace.
One way to establish deterrence is to deny the enemy success. In cyberspace, this means establishing defenses to blunt attacks. Many institutions are not devoting sufficient resources to protecting their information, and many people are not adopting best practices to stop hackers from cracking their accounts. Much more can be done to defend networks at relatively low cost—including two-factor identification, complex passwords, access control, automatic patching, and multi-layered firewalls. But people must first take cyberthreats seriously, and many do not.
Nevertheless, defense cannot be the whole answer. In cyberspace, constructing an impenetrable defense is practically impossible. Eventually, the attackers will find a weakness and exploit it. This is especially true with state-sponsored attackers, as states have sufficient
Loading, please wait...