Suspected North Korean cyber attack highlights dangerous "mist and haze" affecting cybersecurity
FOR IMMEDIATE RELEASE
Aug. 31, 2011
BLOOMINGTON, Ind. -- Media reports of a suspected North Korean cyber attack against a South Korean bank raise fresh concerns about threats to cybersecurity. However, according to an Indiana University Maurer School of Law cybersecurity expert, reporting on this event reveals confusion and controversy about what such incidents mean in policy and legal terms, which heightens the growing dangers in this area.
"In the Washington Post story alone, the incident is described as an act of war, terrorism and computer sabotage," observed David P. Fidler, the James Louis Calamaras Professor of Law and a fellow at the Center for Applied Cybersecurity Research. "Everyone assumes that North Korea was responsible, but reactions to this event demonstrate a lack of consensus about the legal and policy implications of these incidents.
"Pinning this attack on North Korea, by itself, does not tell us what responses are appropriate by South Korea and its allies," Fidler said. "Policy responses to cybersecurity incidents should be determined by norms and rules designed for the specific types of threats presented. But, instead of clarity on how to classify cybersecurity events, 'war' and 'terrorism' get liberally tossed around."
Confusion about categorizing cybersecurity events as crime, terrorism, covert operations, or war is not new, Fidler said, because it has appeared with other incidents, including distributed denial-of-service attacks against Estonia in 2007 and South Korea in 2009 and the Stuxnet attacks against Iran discovered in 2010. Part of the problem stems, Fidler believes, from politicians and experts hyping events in the media. But, he added, this phenomenon has more serious implications.
"This incident reveals states continuing to explore the possibilities of offensive cyber capabilities -- behavior that empty rhetoric about 'cyberterrorism' and 'cyberwar' actually facilitates," Fidler said. "Those exploring these capabilities know these labels don't, at present, mean anything, so they continue to test and push the boundaries of cyber means and methods. They also know that the more serious their intrusions, the more certain the victim has to be of both the nature of the attack and the attacker's identity before responding robustly. This is not the 'fog of cyberwar' problem; it is policy and legal mist and haze in which the fog of cyberwar is forming and coming closer to reality."
Fidler is available to comment on these and other implications of cyber attacks. He can be reached at 812-855-6403, or at dfidler@indiana.edu.