Unlike a conventional military strike, state-on-state cyberattacks can go unreported for years.
U.S. government hackers began developing destructive malware meant to disrupt Iran’s nascent nuclear program as early as 2006, and deployed an early version of the worm in Iran the following year. But it wasn’t until 2010 that the first public reports about the cyberattack—dubbed Stuxnet—began to surface.
At around the same time as the U.S. was working on Stuxnet, it attempted a similar attack on North Korea’s nuclear program. That effort failed: The malware never reached the computers that controlled the country’s nuclear centrifuges. But it wasn’t reported until 2015, years after it happened. Just this weekend, The New York Times described a series of cyberattacks on North Korea’s missile launches that took place in 2016, during Barack Obama’s final year as president.
The timing of these landmark reports emphasizes the yawning gap that often opens between a high-profile state-on-state cyberattack and the moment it’s revealed to the public.
For one, the effects of a military cyberattack often aren’t observable to civilians or journalists. Unlike a conventional strike—which might feature planes streaking across the sky or troops deploying on the ground—a cyberattack can be launched remotely and silently, and inflict damage only on a very limited target. (It’s also a lot easier to experiment with destructive malware in secret than it is to quietly test a nuclear bomb.)
When a cyberattack has been carried out, at least one party, the attacker, knows about it immediately. Sometimes, the attack’s target quickly becomes aware of what happened, but often, because of the confusing and covert nature of cyberwar, the victim remains in the dark for months or even years. When Chinese hackers stole personal data on more than 22 million Americans from the Office of Personnel Management, they gained access to two database systems in May and October of 2014—but OPM didn’t discover them until May and April 2015, respectively.
Once aware of a cyberattack, the governments involved have to decide whether or not to publicize it. Sometimes, it’s in the best interest of both the attacker and the attacked to keep a hacking incident quiet. The reputation of the target country might suffer if it acknowledges that a successful attack was carried out against it, and it could even feel pressured to strike back if it became public. Meanwhile, the aggressor may benefit from keeping its cyber capabilities secret from other adversaries.
As the Times worked on the story about last year’s cyberattacks on North Korea, it was in contact with the Office of the Director of National Intelligence, and agreed to withhold certain details from the final story “to keep North Korea from learning how to defeat [the attacks].” James Lewis, a security-policy expert at the Center for Strategic and International Studies, said one of the Times reporters reached out to him several months ago. Lewis recommended the reporters check in with the DNI before publishing, which they did.
“It would have been better unpublished (unless the North Koreans finally woke up, and there was then no harm to going public),” Lewis wrote in an email. Now that they’re widely known, the cyberattacks may prompt Russia and China to take risky new moves to protect their own nuclear arsenals from American malware, James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, told me this weekend.
When neither side is willing to go public, it takes dogged reporting to uncover a cyberattack. The Reuters story about the failed Stuxnet-style cyberattack on North Korea was sourced to several anonymous high-level intelligence officials, and came about five years after the initial incident. The Times story was a year in the making, and was assembled through interviews and a thorough review of public records and information.
But sometimes, it is in the best interest of the government that’s been hit by hackers to publicly attribute the strike to its perpetrator. The U.S. has shown a willingness to do this: On three separate occasions, the intelligence community has pointed fingers for a cyberattack, either through official statements or more subtly through the press.
After sensitive emails and documents from Sony Entertainment officials were leaked in 2014, the FBI said it had determined that North Korea was behind the hack. The OPM hack took place that same year, and after the hack was made public in 2015, although the government never released a formal statement, top members of Congress consistently blamed China for the incursion. And when WikiLeaks began to publish private emails from top Democrats, all 17 agencies in the intelligence community put out a joint statement singling out Russia as the aggressor.
State-on-state cyberattacks are a new enough phenomenon that international norms for dealing with them are still developing. Part of the U.S. government’s willingness to call out foreign state-sponsored hackers comes from a belief that doing so—and imposing consequences—will act as a deterrent against future cyberattacks.
But under President Trump, the U.S. government may be less willing to attribute cyberattacks than it was under Obama. As I wrote in December, Trump’s hostility toward investigations that focused on Russia’s election-related hacking, and his repeated public skepticism about the possibility of attributing hacking accurately at all, suggests he won’t put a premium on tracking down the origin of a cyberattack—or might avoid making such a determination public, if it’s ever reached.
This weekend, Trump made the unfounded claim that Obama ordered surveillance on his presidential campaign in the leadup to the election, and demanded that congressional investigators fold that question into their ongoing inquiry into Russian electoral interference. In the past, Trump has also called for investigations into leaks to media about Russia-related intelligence reports—a move that was seen as designed to distract from questions about Russia’s role in cyberattacks on Democrats.
If the U.S. becomes unwilling to come forward with details about cyberattacks that target American government agencies, businesses, or individuals, they may not come out for years—surfacing only when journalists connect the dots and publish the details.