When Does a Hack Become an Act of War?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.wsj.com/articles/when-does-a-hack-become-an-act-of-war-1434189601

A tremendous number of personnel records—including some quite personal
records—have likely been stolen by computer hackers. The White House won’t
say who did it, but a number of U.S. officials and even some lawmakers have
said all signs point to China.

The Chinese government has denied it, but the staggering haul of records
could amount to one of the biggest feats of espionage in decades.

Right now, the White House and Congress are trying to ascertain what was
stolen and how to protect people whose identifies have been compromised,
not to mention their “foreign contacts” that are listed on the security
clearance forms that could now be on the hard drives of the hackers.

But very soon a much different question will be asked in Washington: If the
White House finds out who stole the information, what will President Barack
Obama do about it?

Even though large-scale cyberattacks have been used for more than a decade,
they have only become extremely effective national-security weapons in the
past few years.

In December, the White House accused North Korea of stealing and destroying
a large amount of records from Sony Pictures Entertainment. President
Barack Obama called it “cyber vandalism,” angering some of his critics who
wanted the U.S. government to retaliate.

But cyberattacks by nation-states are a relatively new phenomenon, in which
there isn’t a road map of deterrents and responses.

Defense Secretary Ash Carter and National Security Agency Director Adm.
Michael Rogers have said in recent weeks that U.S. policy makers need to
decide how they are going to respond to cyberattacks as countries become
more brazen in their attempts.

“What we’ve seen in the last six to nine months in general...trends are
going in the wrong direction,” Adm. Rogers said in January. “Doing more of
the same and expecting different results, my military experience tells me,
is not a particularly effective strategy.”

Mr. Carter told Congress in February that “we need to improve our abilities
to respond. And those responses can be in cyberspace or in other ways, but
certainly they should include the option to respond in cyberspace.”

But is there a difference between stealing security clearance records and
stealing nuclear-launch codes? What about a computer attack that shuts down
an electrical grid or freezes all financial transactions?

The Pentagon in 2011 determined that computer sabotage coming from another
country could constitute an act of cyberwar, which could trigger a U.S.
government or military response.

So far, the White House hasn’t revealed that anything was sabotaged as part
of the recent breach, only that data “was compromised” and likely stolen.

The implications could change, however, if some of the records are used to
blackmail government officials, whose mental-health records, credit
reports, and other files were exposed in the breach. And the debate could
intensify even more if anything happened to any of the “foreign contacts”
listed on page 59 of the background investigation files.

The North Atlantic Treaty Organization, a military alliance that includes
the U.S., has tried to define what constitutes an act of cyberwarfare but
views remain split. Many believe a cyber act of war must demonstrate a “use
of force.”

A “use of force” is somewhat easier to recognize in the traditional
military sense, but it is much harder when the weapons are computers and
malware.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!