In May, North Korea’s WannaCry virus encrypted hundreds of thousands of devices across the world, halting production at companies, slamming hospital infrastructure, and causing serious problems.
In a press conference Tuesday, Tom Bossert, the White House’s Homeland Security Advisor, and Assistant Secretary for Cybersecurity and Communications Jeanette Manfra officially attributed the attack to North Korea and called for increasing “collective defenses.”
It was a call for cooperation and action against a global antagonist. As Manfra put it, “a company can’t single-handedly defend itself against a nation-state attacker.” But the announcement also brought up a suite of issues for companies as they step into an increasingly murky cybersecurity landscape.
A U.S. company is not the U.S.
The White House officials made one thing clear: an attack on a U.S. company was not tantamount to an attack on the U.S. as a country. (In reverse, this does not apply, as many countries direct private citizens to carry out attacks at their behest.) But at the same time, Manfra said, “our adversaries are not distinguishing between public and private, so neither should we.”
This may sound like doublespeak, but it’s a good illustration of how complicated cyber-issues are today. “Cyber norms” are not in place yet. Cyber norms, according to Alex McGeorge, head of threat intelligence at cybersecurity firm Immunity Inc., are essentially a framework for what is acceptable and unacceptable behavior. (Akin to a regular norm like how corporate espionage is frowned upon generally, but state-run espionage is generally accepted as common practice.)
“Cyber norms are really interesting because how each country views them is very different,” said McGeorge. For example, the U.S. can’t make a private citizen hack on its behalf, but in China, he says, it’s common practice. “The establishment of cyber norms is the next great challenge of the next few decades.”
Figuring out what’s normal is just the first hurdle, however. Deciding how to respond is the next problem. According to Larry Johnson, CEO of CyberSponse and a former lead cyber investigator with the U.S. Secret Service and Treasury, criminal acts by states usually flow out of law enforcement and into State Department diplomacy.
For example, in the past, when North Korea was counterfeiting U.S. currency (“they were buying the same ink and paper because they could go to the suppliers as a nation-state,” said Johnson) — the case was closed and the State Department resolved the matter diplomatically, with North Korea making concessions.
Another option is to not interfere and collect intelligence. “You let the criminal activity go so you can gather intelligence,” said Johnson.
Are companies on their own? Sort of.
The US government exploits gaps in companies’ security for intelligence collecting. According to Bossert, only 10% is kept for intelligence gathering and the rest is given to companies so they can patch them and keep their customers’ data safe. (WannaCry was made from a leaked NSA tool, which itself came from the 10% of vulnerabilities the government uses.)
This is 90/10 framework of ethical disclosure of bugs is another example of a contentious cyber norm, and it has been in debate since the ‘90s. “We have a lot of smart people and little headway,” said McGeorge. “It’s going to continue to be a murky issue but now with more people with less tech expertise [start getting involved].”
Besides continuing to turn over most of the vulnerabilities the government finds and notifying companies when they’ve been hacked, it’s not clear what the public-private cooperation will look like, even though Bossert and the DHS have promised to help.