DOJ: 'Increase the cost' for nation-state hackers

Regardless of where the investigation into North Korea's alleged role in the Sony hack leads, the Obama administration's strategy of indicting state-sponsored hacking is likely to continue.

A top FBI cybersecurity official said the agency has yet to attribute a recent large-scale hack of Sony Pictures to North Korea. In the meantime, an assistant attorney general involved in the investigation is playing the long game, hoping that a potentially months-long probe and possible indictment would deter other cyberattackers.

In doing so, Assistant Attorney General for National Security John Carlin is drawing on a playbook he used to help produce the Obama administration's first charges of state-sponsored espionage against five Chinese military officers.

Speaking generally about what he sees as lawlessness in cyberspace, Carlin said, "We can't accept the status quo, and we need to do more to increase the costs for those [who] are sitting back and thinking that they're beyond the law."

He has been at the forefront of the Obama administration's crackdown on alleged cyber espionage. The young attorney was at the podium announcing the indictment of the five members of China's People's Liberation Army in May and has been a regular fixture at cybersecurity conferences.

When asked how indicting foreign nationals whose extradition is unlikely puts pressure on countries like China, Carlin said he trusted indictments as a deterrent and offered a historical analogy for why.

"At the beginning of when we were [combating] international narcotics, there were those who said, 'You're charging a drug kingpin in another country where they're protected by that person's laws; you'll never get him,'" Carlin told reporters on the sidelines of a Bloomberg Government conference on Dec. 9. "It took years in some cases, but we have" succeeded.

The Thanksgiving week hack of Sony's servers was staggering. The perpetrators dumped nearly 40G of company data online, including the personal information of thousands of Sony employees.

Media speculation, supported by unnamed law enforcement sources, has pointed to North Korea as the source of the cyberattack. For months the country had been threatening retaliation for an upcoming Sony action-comedy film in which actors Seth Rogen and James Franco are asked by the CIA to kill North Korean leader Kim Jong-un.

North Korea has denied hacking Sony's servers, and the FBI has yet to say the North Koreans are at fault. "There is no attribution to North Korea at this point," said Joe Demarest, assistant director of the FBI's Cyber Division, at the Bloomberg Government conference.

If North Korean officials are formally implicated and indicted, the U.S. strategy would likely have little, if any, direct effect on North Korea's near-term behavior in cyberspace. The indictment strategy has not shown outward signs of changing China's behavior, and that country is far less isolated and somewhat more likely to respond to international pressure than North Korea.

But Carlin and other officials say it is their moral and strategic imperative to use existing law to attempt to preempt future attacks.

Defending people and companies from cyberattacks is "fundamentally the responsibility of us in government," he said at the conference. "And we need to do more, and part of that means publicly saying when we figure out that a nation-state is responsible and using every tool in the government arsenal to increase the cost of that type of behavior until it stops."

In search of stability

It is not all public pressure and prosecution from the U.S. side. The threat of an offensive attack, which would be carried out by U.S. Cyber Command, is among Washington's policy options in cyberspace.

But James Lewis, a senior fellow at the Center for Strategic and International Studies, said offensive deterrence is ineffective in cyberspace.

"One way to look at it is: If we didn't have Cyber Command, would that increase the likelihood of an unhappy cyber incident? And I think the answer is no," he told FCW.

"What deters people is the threat of retaliation by the U.S. with its military forces, not cyber retaliation," added Lewis, who oversaw a 2008 bipartisan project that advised then-President-elect Barack Obama on cyber strategy.

Lewis said an arbitration panel at the World Trade Organization could prompt China to curtail its alleged cyber espionage. As a WTO member, China is obliged to protect the trade secrets of foreign firms.

Regardless of whether the Obama administration pursues that particular angle, the administration does believe in using international institutions to build cyber norms. Chris Painter, the State Department's coordinator for cyber issues, said at the conference that the administration aims for a more stable environment in global cyberspace, "where every country has the incentive to keep that stable environment and not this incentive to interfere with it."

So while Carlin pursues indictments, Painter is trying to build confidence with China, Russia and other potential adversaries with whom the United States shares the chaotic realm of cyberspace. Those pursuits can be incongruous, as when China canceled a bilateral dialogue after the Justice Department indictments in May. But U.S. officials are betting and hoping that this multipronged cyber strategy will pay off down the road.