WASHINGTON — When the “Wannacry” ransomware attack spread across Britain, Japan Russia, Taiwan and places in between last May, it took only a few days for private firms that looked at the code to come to some pretty quick conclusions. The attack almost certainly came from North Korea. The North Koreans almost certainly used computer code that had leaked from the inner sanctum of the National Security Agency. And the ransomware part was a scam: If you paid off the hackers, your data still wasn’t restored.þþYet it took until October for the British government to identify North Korea as the culprit in an attack that paralyzed its health care system for a few days, and until mid-December for the Trump administration, in a presentation at the White House, to reach that same conclusion.þþSo what was the penalty for the government in Pyongyang for unleashing a devastating cyberattack? There was none. Nothing. Not even the kind of weak economic sanctions that the Obama administration imposed on the North three years before for its attack on Sony Pictures Entertainment.þþ“President Trump has used just about every lever you can use, short of starving the people of North Korea, to change their behavior,” Mr. Trump’s Homeland Security adviser, Thomas P. Bossert, said when he made the “name and shame” announcement blaming the North. “So we don’t have a lot of room left here to apply pressure.”þþSecuring the world against cyberattacks — from nations, criminal groups, vandals and teenagers — will be on the agenda when many of the world’s top leaders gather at the World Economic Forum in Davos, Switzerland, this week. As usual, there is a flurry of reports, and entrepreneurs will declare they have technological solutions at hand. But the fact remains that the major powers of the world have been unable to come up with a viable means of deterring the most damaging attacks. It still takes too long to formally identify the culprits, and the responses, as Mr. Bossert indicated, are insufficient.þþEfforts to establish “norms of behavior” got a promising start, but are now falling apart. No one can even agree on when an act of aggression in cyberspace amounts to an act of war. The Pentagon, in its first nuclear strategy review since President Trump took office, is even proposing to use the threat of unleashing nuclear weapons against a country or group that delivered a devastating cyberattack against the critical infrastructure of the United States or its allies. But that doesn’t help with the problem of everyday attacks.þþThe most talented state sponsors of attacks — mostly Russia, China, Iran and North Korea — have carefully calibrated their operations in cyberspace to achieve their strategic aims while avoiding a real shooting war. So far they have succeeded. While there have been indictments of Iranian and Chinese hackers in major strikes on the United States, they have never seen the inside of an American courtroom.þþNorth Korea has been a case study in how a nation learns to make use of its cyberweapons for disruption, revenge or profit, without fear of serious retaliation. It has learned how to station hackers around the world — in China, Malaysia, Thailand and elsewhere — and has gotten away with bolder and bolder attacks, from Wannacry to its raid on Bangladesh’s central bank, which nearly resulted in the theft of a billion dollars. (The transfers were halted after $81 million had passed through the Swift system, the international clearinghouse for transactions, after someone at the New York Fed discovered a spelling error — the word “fandation” for “foundation” — and stopped the heist. )þþAs James Lewis of the Center for Strategic and International Studies put it recently, “North Korea is both cautious and cunning in its use of force, including cyberattack.” But he added: “The North has been successful only against poorly protected targets, of which there are many, suggesting that there is a relatively low ceiling for its cyberattack capabilities.”þþIn fact, the explosion of state-sponsored, sophisticated cyberattacks over the past seven or eight years has been fueled, in large part, by the expansion of poorly protected targets. Yes, banks and major utilities have, for the large part, tightened their defenses, and tens of billions of dollars have been made by companies promising all kinds of cyber protections, from the most basic programs loaded on your laptop to sophisticated systems designed to anticipate future action, or watch for variations in the normal behavior of users.þþBut none of that has prevented cyberspace from becoming what President Barack Obama termed the “Wild, Wild West,” a territory of anarchy, where adversaries take free shots at one another. In the past five years, these attacks have become the cheapest way for nations to undercut one another in the name of bigger strategic goals.þþYet the world has been unable to decide what constitutes fair game, and what should be off limits. For years officials talked about their fear of a “cyber Pearl Harbor,” a devastating strike against the power grid that would turn out the lights from Boston to Washington, or London to Rome. That has not happened, save for limited strikes in Ukraine, widely attributed to Russian hackers, that seemed intended to send a message that they could attack critical infrastructure at any time. Countries have sensed what would happen if they went too far.þþInstead, cyberattacks have taken a far more subtle turn. The Russian-led attacks on the 2016 American election — and similar efforts in France and Germany last year — are prime examples. While United Nations experts had been struggling to come up with “norms of behavior” in cyberspace, a consensus about what was off-limits — like attacks on power grids or safety systems, for example — few were thinking about the use of the technology to influence elections.þþIn fact, the election systems in the United States — the foundation of American democracy — were never on the list of “critical infrastructure” until Mr. Obama’s Homeland Security secretary, Jeh Johnson, added them in the last days of the administration. By then it was too late.
Source: NY Times
