A Chinese nuclear plant suffered a massive meltdown that left dozens dead after a hacker shut down the reactors’ water pumps, which are used to keep the plant cool. Soon after, the financial markets bombed, with stock prices dropping across the board and spiking for a select few.
That’s the world depicted in film director Michael Mann’s “Blackhat,” starring Chris Hemsworth and Viola Davis. The movie, which hit theaters Jan. 16, showcases Hemsworth as a blackhat hacker — a criminal according to U.S. law — who gets sprung from prison to help the Chinese and American governments find the villain behind the deadly attack and stop the next one.
“Blackhat” revolves around the sort of cyber version of Pearl Harbor that experts warn about. It not only serves as what experts say is a pretty accurate depiction of what hacking is like — tedious, complex and time-consuming — but also shows how responding to cyberattacks is more of a nebulous mission, like chasing vapors in the dark.
“With this specific threat [in the film] on critical infrastructure, power grids, water distribution — there’s a growing concern that all of those things are increasingly connected to the internet … but we’re not yet at the point where we’ve felt like we’ve secured those [technologies],” said Michael Panico, a former special agent for the Federal Bureau of Investigation (FBI) and cybersecurity expert who consulted on the film.
Former legal counsel for the National Security Agency (NSA) Joel Brenner wrote, “Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as communications.” That trade-off has added a bit of enchantment to everyday life but also welcomed a host of dangers.
Most Americans — 61 percent — believe that by 2025 there will be a “major cyberattack” a la “Live Free Or Die Hard” that will jeopardize the country’s national security, according to a Pew Internet study.
Right now, the public is well aware of comparatively small hacks where someone hacks a government agency’s Twitter account or the more invasive iCloud hack that leaked dozens of celebrities’ nude photos. And then there are the intangibly widespread attacks like Sony’s where it’s almost impossible to gauge how widespread the damage could be until the next document leak.
As these hacks continue to make headlines, spreading from retailers such as Target and Home Depot to government agencies such as the National Oceanic and Atmospheric Administration and State Department, U.S. officials grow more concerned.
President Obama has made it clear that cybersecurity is one of his top priorities for 2015. So far this month, the White House has unveiled three major proposals that would bolster the country’s cyber defenses in hopes of preventing the next Sony breach.
But Obama has been very careful not to call what happened to Sony an attack or an act of war — something that warrants a strategic, military-grade response. That’s because the U.S. doesn’t quite consider hacks true threats, and neither does international law.
“The rules of cyber warfare are still being written,” said Panico, who used his own experiences in the field to make the FBI’s investigation in “Blackhat” look and feel real. “Let’s say you have a group of hackers that represent ISIS (Islamic State Of Iraq and Syria). Are you going to send the military to go find them? How do you find them? Do you use law enforcement or the military or both?”
Those are good questions that still have to be answered. Retired Air Force Maj. Gen. Charles Dunlap, Jr. said, “One of the most difficult aspects of designing policies for cyber incidents is the fact that we simply don’t know what the capabilities are — either our own or others — nor do we have much evidence of state practice.” That is, the government doesn’t definitively know the kind of damage other countries can inflict through a cyberattack.
“We don’t have that [knowledge] not only because of the inherent secretive nature of these incidents, [but because] there just haven’t been enough incidents that are publicly known,” to develop guidelines on how to respond, said Dunlap, a national security law and ethics professor at Duke University in Durham, N.C.
Without it, international law can’t evolve with the technology. “There’s no consensus in the international community when a cyber incident rises to the level of an armed attack,” Dunlap said. The United Nations Charter lists an “armed attack” as the basis for responding in self-defense against physically destructive deeds, like detonating a bomb at the Super Bowl or hijacking Amtrak’s operating system and causing passenger-filled trains to run off track.
But everyday cyberattacks don’t meet that criterion because they’re disruptive, not destructive. The U.S. could respond to hacks as we know them, without force, through sanctions or an equally proportionate cyberattack. However, a response may not be worth the manpower, taxpayer dollars or political consequences.
The point is to not respond unless absolutely necessary, Dunlap said.
“[W]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country,” said Harold Koh, State Department legal adviser, in a speech at a cybersecurity law conference in 2012, quoting the country’s international cyber strategy.
But even if no one’s life is at risk — or hasn’t been so far — hacks can be destructive. Six of the 10 biggest breaches in the past decade were from hacks, according to a data breach report from Morgan and Morgan. Such breaches are expected to happen more frequently: Almost 45 percent of firms in the U.S. experienced a breach in the last year, such as the one at JPMorgan Chase that exposed information from over 80 million households and businesses.
Breach victims — at least one in seven Americans — suffer in other ways: They’re more likely to get their identity stolen, which can lead to bad credit and lost job opportunities.
Moreover, the true damage from internet security flaws, such as the Heartbleed bug discovered last year that affected most of the world’s websites, often isn’t fully known until years down the line.
To combat that, the White House wants to increase information sharing between the government and tech companies. Experts agree that’s a step in the right direction: the more information available, the faster bad actors can be identified and stopped.
But “if we’re really worried about China being inside our electric grid, nothing we’re talking about in Congress would help,” said Paul Rosenzweig, cybersecurity legal consultant for Red Branch Law and Consulting in Washington, D.C. “Bureaucracy doesn’t move as fast as the technology, so we will always be a little behind the curve.”
“Even if [Obama’s proposals] passed today, we wouldn’t have authorization for information sharing under this plan for a couple of years. This isn’t to say anything bad about Congress or the president; it’s just who we are.” Also, these policies won’t prevent the next Sony attack, Rosenzweig said.
In the meantime, there are housekeeping things that can be done, such as “writing code that’s less susceptible to attack,” making code patchable, and creating systems where people can easily report flaws and bugs can be fixed quickly.
But policy-wise, Rosenzweig believes making companies accountable would best protect us while Congress contemplates legislation. “If Sony owed money to people whose information they lost, they’d be a lot more cautious. If banks owed money to people whose accounts got hacked, they’d be more cautious” — and thus more secure.
But the question remains: how serious does a cyberattack need to be before the U.S. responds openly?
“I think we’re still struggling with that,” Dunlap said, in part because any policy could hinder the U.S. from launching its own cyberattacks. For example, the FBI quickly blamed North Korea for the Sony hack, but didn’t immediately let on that it knew because the NSA hacked first.
But knowing who committed the attack is only part of the battle.
“Attribution, we often do that well,” said Stewart Baker, attorney and former policy assistant secretary for the Department of Homeland Security. “What we’re missing is retribution; we need to punish those who are engaged or enabling these attacks.”
“It’s a solvable problem. But it takes a certain amount of gumption and technical expertise,” to find who’s responsible, impose sanctions, or institute trade boycotts to stop bad actors in their tracks. (North Korea’s internet went dark soon after the Sony attack but the U.S. didn’t take responsibility.)
“We should think seriously about attacking the infrastructure North Korea has built to conduct these attacks — by electronic means or otherwise,” Baker said. “It doesn’t have to be reduced to a set of rules.”
