Sony hack could be game changer
The high-profile hack at Sony Pictures has injected new urgency into the years-old push for cybersecurity legislation, with a broad spectrum of lawmakers suddenly vowing to take action in the new Congress.
“It’s basically fair game for everything cyber” after the cyberattack on Sony, said Jessica Herrera-Flanigan, a lobbyist at Monument Policy Group, which represents tech giants like Microsoft.
The recent cyber assault caused Sony to briefly pause the release of a multi-million dollar movie, spurred a White House response and escalated tensions between the U.S. and North Korea, which the FBI has blamed for the attack.
It has also transformed what some viewed as a stale debate on Capitol Hill over cybersecurity issues.
“We’ve been having the same discussion on information sharing … since the mid-90s,” said Herrera-Flanigan, referring to various long-stalled cybersecurity information-sharing measures that would give legal protections for companies exchanging cyber threat information with the government.
After years of narrow congressional focus, the Sony cyberattack has put an array of new cyber topics on the table, including offensive cyber tactics, cyber crime laws and the international community’s definition of cyber warfare, to name a few.
Lawmakers have pledged to hold hearings on these topics, called on the White House to declare cyber war with North Korea and pressed for heightened economic sanctions on the reclusive East Asian regime.
The sudden attention springs directly from the movie studio’s decision to temporarily scrap the Christmas Day release of a film in the wake of violent threats from the hackers. The controversial comedy, “The Interview,” portrays the assassination of North Korean leader Kim Jong Un.
“If they would have just released the God—- movie, the president wouldn’t be talking about it,” said Jason Healey, a director at the Atlantic Council who has worked on cyber defenses at the White House and for Goldman Sachs in Hong Kong.
“This would have just been another company being hacked and having their personal emails and such put out there,” Herrera-Flanigan said.
Even though Sony recanted a week later — releasing the film online and in several small theaters — the initial decision set off a firestorm in Washington. Lawmakers scrambled to denounce the encroachment on Americans’ free speech and decry the weak White House response.
That rhetoric puts the onus on Congress to actually do something when it reconvenes in January.
“A lot of members who had not previously dedicated a lot of their own time and resources to cybersecurity … are going to get smarter on it in 2015,” said Andrew Borene, a fellow with the Truman National Security Project who teaches a class on transnational crime at American University. “I think that’s inevitable.”
But what can lawmakers actually achieve legislatively to back up their calls for action?
Despite passing a flurry of small-bore bills in late 2014, Congress has not moved major cybersecurity legislation in years. And the issues raised by the Sony incident — cyber relations with China, United Nations guidelines for how countries handle cyber issues — are not necessarily areas where Congress wields a heavy hand.
“I’m not sure there’s such a direct output for Congress on the international side of things,” said Kristen Eichensehr, an international security professor at the University of California, Los Angeles, School of Law and former State Department attorney.
House Foreign Affairs Committee Chairman Ed Royce (R-Calif.) has called on Congress to ratchet up economic sanctions on North Korea — a realistic step Congress could take, according to Scott Snyder, a Korean studies fellow with the Council on Foreign Relations.
“I think there’s going to be pressure to move forward with the resolution that the House has already passed to essentially bring the level of North Korean financial sanctions up to the level we currently have on Iran,” he told reporters last week.
Incoming Senate Armed Forces Committee John McCain (R-Ariz.) has been outspoken in his criticism of President Obama for not classifying the Sony hit as a North Korean act of cyber war. Eichensehr expects to see an “increased questioning of the executive” from McCain’s committee as a result, but not necessarily specific cyber bills.
For years, the Capitol Hill cyber conversation has revolved around a bill that would enable the private and public sectors to exchange cyber threat information. Industry groups and intelligence agencies argue such a measure is necessary to defend the country’s critical infrastructure against destructive cyberattacks. Privacy advocates are concerned such a bill could further enable government collection of Americans’ sensitive data.
Some speculate that the intense public attention the Sony attack has brought to cyber issues could move an info-sharing bill to the fore in 2015.
“It may be enough to reopen the possibility,” Borene said.
Still, others suggest that the Sony flap has actually pivoted the cyber narrative away from domestic information sharing and toward a broader discussion of international cyber responses.
“It’s not clear how that info sharing piece plays into what happened with Sony,” Herrera-Flanigan said.
Robyn Greene, policy counsel for New America Foundation’s Open Technology Institute, was more direct.
“It is unlikely that information sharing would have prevented the Sony hack,” said Greene, who supports increased cyber information sharing, but not Congress’s most recent proposal. “Eighty to 90 percent of all attacks are the result of poor cyber hygiene and internal system monitoring.”
While the Sony hack has generated an unprecedented congressional response on cybersecurity, it remains to be seen if lawmakers’ attention will last. Cyber issues tend to follow a boom and bust cycle on Capitol Hill following major data breaches, experts said.
“I don’t know if they stay in the long run,” said Herrera-Flanigan. This could be another situation, she said, in which Congress decides, “We deal with this main crisis and then we’re through it.”