Cyberwar on North Korea Could Be Illegal

North Korea’s limited connection to the Internet was temporarily severed Monday, just three days after President Barack Obama promised a “proportional” response for what he said was Pyongyang’s brazen hacking of Sony.

It’s too soon to say whether the United States knocked the Hermit Kingdom offline, or persuaded China to do it, or whether the North Koreans did it to themselves. One hacktivist group appears to be taking responsibility for the denial-of-service strike that targeted mostly North Korean government-operated sites.

But the outage has raised the question of what that proportional response would look like, and whether it would be legal.

Any retaliation by the U.S. government for the Sony hack would be significantly constrained by some very tricky and nuanced aspects of international law, according to former officials at the National Security Agency and U.S. Cyber Command. Hacking the computers of an American company and stealing and erasing confidential information likely doesn’t rise to the level of an “armed attack” against the United States.

That means any response that could result in physical damage inside North Korea is off the table. Obama can’t bomb Pyongyang for hacking a movie studio. Nor can he order a cyberattack that cripples the country’s infrastructure—causing a blackout, say.

“The doctrine now is that if a cyberattack has effects, like those of a kinetic attack, we may treat it as an act of armed conflict,” said Joel Brenner, a former senior official with the National Security Agency whose last job in government was combating the proliferation of cyberespionage directed at U.S. corporations. “It’s unclear whether that’s exactly what’s happened here [in the Sony hack]. I think that’d be a difficult case to make.”

As damaging as the intrusion was to Sony’s reputation, the hack wasn’t an “attack,” legally speaking. No one was killed. Nothing blew up. Sony decided not to distribute the controversial comedy The Interview after hackers threatened to launch physical attacks on any theaters that showed the film, which depicts the assassination of the North Korean dictator Kim Jong Un.

“The majority reading of international law is that, because the Sony hack had no ‘kinetic’ effect, it wouldn’t constitute a use of force or armed attack, and so a kinetic military response would be inappropriate,” said Gary Brown, a retired Air Force colonel and former legal adviser to U.S. Cyber Command.

So when, and how, can a country respond to an aggressive action by another state in cyberspace? There are no hard and fast rules, and legal experts warned that any response Obama ordered would wade into legal terrain that is hotly contested within the United States and around the world. Even the authors of an exhausive document that’s widely regarded as the most definitive legal analysis of how international law applies in cyberspace, known as the Tallinn Manual, couldn’t reach a strict, legal definition of what consitutes a use of force online. The best they could come up with was an agreement that countries would decide on a case-by-case basis how to respond to aggressive cyberoperations against them.

But just because the United States is constrained doesn’t mean it’s without options. Indeed, some experts said that a massive denial-of-service attack that knocked a country offline—possibly what happened in North Korea on Monday—would be “proportional” because it would be an attack only on computer systems. If the operation caused no physical damage, it would be in bounds.

To justify hacking back against North Korea, the U.S. would still need some tangible and persuasive evidence that the country’s government was behind the Sony intrusion—either conducting it using its own personnel or outsourcing to other hackers. And the information that the FBI has presented so far strikes many experts as hardly a slam dunk against Pyongyang.

The bureau says that technicians have linked the malicious computer code used in the Sony hack to others “that the FBI knows North Korean actors previously developed,” and through specific Internet addresses. The FBI also found “similarities to a cyberattack” North Korea is believed to have launched in March against South Korean media companies and banks.

The public case is, so far, largely circumstantial. A former administration official who worked on cybersecurity issues told The Daily Beast that the FBI and intelligence agencies almost certainly have other information that points to North Korea, but that they won’t reveal it for fear of divulging classified sources. The fact that Obama himself went on television and pointed the finger at Pyongyang means the government is confident who was behind the Sony operation, the former official said. “There’s never been an announcement of culpability like that, [and] it wouldn’t be done lightly.”

But good luck convincing other countries that the case against North Korea is airtight.

“If protection of ‘sources and methods’ prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified,” Jack Goldsmith, a former director of the Justice Department’s Office of Legal Counsel, wrote on the blog Lawfare. “And if the United States’ response is significant, and has wider geopolitical implications, this inability to prove attribution could be a huge problem.”

That suggests that if the U.S. does intend some proportional response that is hard to hide—like knocking an entire country offline—officials will have to publicly reveal more information about why they think North Korea is the guilty party. But in his remarks Friday, Obama suggested that any retaliation won’t be advertised: “[W]e’ll respond in a place and time and manner that we choose. It’s not something that I will announce here today at a press conference,” he said.

There are other reasons why North Korea’s Internet could have gone dark, including a preemptive pulling of the plug by the government in anticipation of some U.S. counterstrike.

“I have been told that there are either theories or reports that [North Korea] took down their network themselves as a defensive measure,” said Doug Madory, the director of Internet analysis at Dyn Research, which has been monitoring the outage. “While it may be true that they are no longer trying to keep it up right now,” Madory said, based on information he’s been tracking, the North Korean “routers were trying to restore connectivity.”

In the end, however Obama chooses to hit back at North Korea, his decision won’t rest on the law alone. “These decisions also have a political element as well as a legal one, and national leadership—not lawyers—decide what constitutes an ‘act of war,’” said Brown, the former legal adviser to U.S. Cyber Command.

“It seems to me that the operative questions are political and strategic, not legal,” said the former administration official. “A cyber-response would likely cause escalation and keep American companies most at risk. Responding out of band would make much more strategic sense,” the former official said, meaning imposing financial sanctions or taking some action that doesn’t interfere with or disable North Korean computer networks.

“A much more powerful retaliatory and deterrent signal would be an effort to provide Internet access to North Koreans,” the former official said.