Jay P. Kesan, the H. Ross & Helen Workman Research Scholar at the University of Illinois College of Law, is a leading national scholar in the areas of technology, law and business.
Kesan, who directs the Program in Intellectual Property and Technology Law, spoke with News Bureau business and law editor Phil Ciciora about the cybersecurity implications of the theft of confidential information from Sony Pictures.
U.S. officials have identified North Korea as playing a role in the Sony hack. Should it be considered an act of cyberwar?
No. First, North Korea's role in the attack is far from certain. A number of cybersecurity experts have refuted the conclusion that North Korea was behind the attack. Second, the attack on Sony captured the American public's attention and imagination, but it is far from the first significant international cyberincident.
There were attacks on Estonia in 2007 and on Georgia in 2008. The U.S. and Israel have been tied to Stuxnet, a computer worm discovered in 2010 that destroyed potentially hundreds of Iran's centrifuges that were being used to enrich uranium. Last May, the Department of Justice indicted several hackers working for the Chinese army for hacking into and stealing information from companies in the U.S.
What we have going on right now is more akin to a cyber Cold War than anything else. Some experts estimate that dozens of countries are developing cyberconflict capabilities. Many people know that China and Russia have a presence in this battlefield, and now they are also learning that North Korea does as well.
Even if North Korea were responsible for the attack on Sony, I would hesitate to categorize it as an act of cyberwar. This was an attack on a private company, and while the attack was severe, it is not clear if the destruction of data should be considered a use of force under the laws of war. There is a body of established law that governs international conflicts, and while the law is not clear in terms of how it applies to cyberconflicts, it is unlikely that the attack on Sony would rise to that level, based on the current laws. The reality of cyberwarfare issues is that these issues arise in an environment that has specific ideas of what international conflicts look like.
The holes in international law when it comes to cyberconflicts lead me to believe that the next step should be a comprehensive international treaty on cyberconflict so that the rules of engagement can be conclusively laid out with regard to a battlefield of bytes.
Even in the aftermath of other high-profile data breaches, from JPMorgan Chase to Home Depot to government agencies, does the Sony hack underscore just how vulnerable our cyberdefenses are? Should this give the average person pause as to how much their personal data is at risk?
Yes, the hack underscores the multitude of vulnerabilities that are found throughout our digital society. Our infrastructure relies on networking systems together to facilitate the efficient transfer of information. The danger is much more serious than individual users and the security of their passwords.
One of the dilemmas of cybersecurity right now is that consumers are not demanding it, so companies may not have a strong incentive to provide it. It may cost a little bit more for companies to adopt more protective security practices, but if consumers make it clear that the market is willing to pay a little bit more for stronger security, this could improve the current security environment. This should involve stressing security at all levels, from retail to banking to utility companies.
What (if anything) can the government do to ensure that something on par with the Sony hack does not happen again, or are cyberattacks the new normal?
In our forthcoming article "Creating a 'Circle of Trust' to Further Digital Privacy and Cybersecurity Goals," Carol M. Hayes and I argue for the creation of an information-sharing regime between the private sector and the government. This circle of trust would allow private companies and the government to share information about cyberthreats, while retaining their own respective circles of privacy.
Currently, private companies may not want to share information about cyberincidents because of the possible reputational harm that could result. Civil liberties advocates also oppose sharing information with the government because of the danger that the information of citizens could be included in that shared information, thus contributing to a culture of mass surveillance. That is why a new information-sharing paradigm is needed. Cyberattacks are driven by information, but if the right people have the right information, the effectiveness of the attacks should be reduced. I believe that this can be achieved without sacrificing privacy in favor of security.
Sony eventually relented and released "The Interview" as planned on Christmas Day but at a limited number of independent movie theaters. Will their waffling over a wider theatrical distribution for the film at movie theater chains across the country ultimately have a chilling effect on speech? Is it also likely to set a precedent and encourage other "hacktivists" - activists who use technology to target people, governments and ideas they don't like - to follow suit?
Hacktivists have been very active in recent years, so I don't think this will inspire more of them. Sony's ultimate decision to release "The Interview" as a video on demand on services like Google Play and YouTube ensures that the long-term effects should be minimal. It also signals that the industry is adaptive, but that it recognizes the potential threats posed by hacktivists.