A December blackout of North Korea’s Internet was retaliation for that nation’s hacking of computers at Sony Corp.’s Hollywood studio, a top U.S. lawmaker on cybersecurity issues said without identifying who was responsible.
Representative Michael McCaul of Texas, Republican chairman of the House Homeland Security Committee, on Tuesday became the first U.S. official to link the outage as reprisal for disrupting computers at Sony Pictures Entertainment.
“There were some cyber responses to North Korea,” McCaul said earlier in his public remarks at the event hosted by the Center for Strategic and International Studies, a Washington think tank.
Asked after the talk if the North Korea Internet outage was one of the responses, he said yes. He declined to say if the U.S. was behind the action.
The country’s Internet was disrupted for about 10 hours on Dec. 21 and 22, a few days after the Obama administration accused Kim Jong Un’s government of hacking Sony. North Korea’s government has denied involvement. Thousands of computers were crippled as Sony prepared to release a movie mocking Kim. Sony delayed showing the film, “The Interview.”
President Barack Obama’s administration had vowed to retaliate against North Korea. White House spokesman Mark Stroh Tuesday declined to comment on McCaul’s statement, pointing instead to comments that U.S. officials made in December that a variety of responses to North Korea was under consideration.
U.S. officials have said hackers are costing the economy as much as $400 billion a year. The Obama administration, lawmakers and company executives are struggling to come up with policy and laws to prevent increasingly sophisticated and destructive digital attacks.
McCaul said companies want the U.S. to do more to retaliate against hackers. “What they’re telling me is that the government isn’t doing their job,” McCaul said.
McCaul discussed what constitutes a proportional response to hacking attacks during the event, saying the U.S. faces different types of adversaries. Government-sponsored attacks come from China, North Korea, Iran and Russia, he said. Meanwhile, terrorist groups like the Islamic State are seeking to acquire capabilities to carry out destructive digital attacks, he said.
McCaul and Representative Ed Royce, a California Republican who heads the Foreign Affairs Committee, wrote to Obama on Feb. 27 seeking clarification about how the administration defines different hacking attacks and how it will respond to them.
Obama said on Dec. 21 that the Sony hack was “an act of cybervandalism” that requires the U.S. to “respond proportionately.”
Obama’s comments “have generated a debate over terminologies,” McCaul and Royce wrote in the previously unpublished letter. “As lawmakers, we want to work with you to ensure that our legal code and government policies reflect the threats that occur in cyberspace.”
McCaul said he plans to introduce a cybersecurity bill this week that would clarify what kind of actions companies can take to defend their networks. It won’t give them legal protections for retaliating against hackers because doing so is illegal, McCaul said.
“We’re not going to provide protections for hack back,” he said. McCaul said it’s the government’s job to retaliate against hackers, although he said there’s a gap in U.S. policy between what the government can and will do.
While there is broad agreement that companies should get legal protections for sharing data about online threats, efforts to pass legislation have stalled or failed during the past four years in part due to concerns over privacy and government spying.
“We are really in uncharted territory,” McCaul said. “We must map out the rules of the road and clarify responsibilities inside and outside of government.”
McCaul said his bill would shield U.S. companies from lawsuits when they share information about hacking threats with the government and each other. McCaul said he expects the bill to be brought to the House floor for a vote in April.
The House intelligence committee also is writing its own version of the legislation. McCaul wasn’t sure if the two bills would be combined or each given a vote, saying that decision would be up to House leaders.
The Senate intelligence committee voted 14-1 on March 12 to advance a similar measure in that chamber, which could go to the full Senate for a vote in April.
Companies have resisted providing data to the government about hacking attacks out of concern they could be sued if they accidentally included private information about their customers. They’re also wary of violating antitrust laws if they share information with competitors.
Information sharing is needed to help prevent attacks that are growing more sophisticated and dangerous, according to the Obama administration.