Corporate leaders and government agencies must work more closely together to safeguard computer networks from cyber attacks, President Barack Obama said Friday during a speech at Stanford University.

“This has to be a shared mission,” Obama said. “Government cannot do this alone. But the private sector cannot do it alone, either.”

Following his 30-minute address, Obama signed an executive order creating a framework for how companies can better share cyber data with the government. Obama said the order creates “hubs” that will allow businesses to share security information with one another and will also give corporations access to classified threat information that could potentially help protect them.

And he stressed the need to balance privacy protection with a need for increased security against hackers who threaten the country’s economy and public safety.

“Grappling with how the government protects the American people from adverse events while making sure the government itself is not abusing its capabilities is hard,” Obama said. “The cyber world is the wild wild west. To some degree, we’re asked to be the sheriff.”

And he acknowledged that it’s more than reasonable to ask “what safeguards do we have against the government intruding on our own privacies?”

“When we go online, we shouldn’t have to forfeit the basic rights to privacy we have as Americans,” Obama said.

The president’s remarks were delivered during a White House Summit on Cybersecurity and Consumer Protection hosted at Stanford. The daylong event included panels moderated by Homeland Security Secretary Jeh Johnson and Commerce Secretary Penny Pritzker and attended by other government officials, Stanford scholars and the chief executives of major technology and health care companies, public utilities and financial institutions. He also surprised a group of Stanford students, including three honors students at FSI's Center for International Security and Cooperation, with an in-depth talk about global issues.

“Stanford’s proximity and sustained relationships with Silicon Valley are important assets in building a more secure cyber infrastructure,” Stanford President John Hennessy said in his welcoming remarks Friday morning. “But we need – and we have today – industry from across the country representing the many sectors that are connected to cyber systems.”

Friday’s summit came three months after Stanford launched a major Cyber Initiative. The initiative – funded with a $15 million grant from the William and Flora Hewlett Foundation – brings together faculty and researchers from across campus to address the challenges posed by cyber technologies. It also intends to connect their academic work with policymakers and industry leaders.

"This is the beginning of a new challenge for the government and a new field of study for us,” Michael McFaul, director and senior fellow at the university’s Freeman Spogli Institute for International Studies, said after the president’s remarks. McFaul, who is also a senior fellow at the Hoover Institution, served as Obama’s ambassador to Russia.

“For a president to come and talk about these issues is a huge boost to this as a subject of real inquiry. It's rare that the White House do a summit not at the White House. It shows the importance of this institution, the initiative and the collaboration that need to take place between universities, government and the private sector."

Obama ticked off a number of milestones that are the stuff of Stanford and Silicon Valley lore – the partnership between William Hewlett and David Packard, the creation of the computer mouse, the birth of Google, Yahoo, and dozens of other tech companies that have redefined how life is lived around the world.

“When we had to decide where to have this summit, the decision was easy,” Obama said, adding that Stanford is helping to “lead the way” technology is developed and used.

Those points resonated with students who were able to attend the speech after receiving tickets through a lottery.

"So much that is done in Silicon Valley got its start here," said Jason Chen, a sophomore interested in computer science and foreign languages. "Even though I don't know what exactly I'm going to do, what part I may contribute, (Obama) made us all connected to each other, part of the same community."

Obama also cited the university’s role in keeping a policy-relevant perspective when it comes to addressing issues of personal privacy and security against cyber threats.  He also acknowledged the Stanford graduates and faculty members who have served in his administration – including Pritzker and McFaul; Valerie Jarrett, Obama’s senior adviser; Susan Rice, the U.S. ambassador to the United Nations; and Steven Chu, who served as Obama’s energy secretary.

More multimedia content about the summit here.

President Obama meets with Stanford students, including three from the Honors Program at FSI's Center for International Security and Cooperation, at the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Feb. 13, 2015.

The summit and Obama’s executive order come on the heels of high-profile computer network attacks that helped make the case for Obama to put cybersecurity at the top of his agenda. Hackers have breached the computer systems of  federal agencies, Sony Pictures, Home Depot, Target, and Anthem – the nation’s second-largest health insurer.

The Obama administration also announced this week the creation of the Cyber Threat Intelligence Integration Center, which will share and help monitor cybersecurity intelligence gathered by government agencies.

Amy Zegart, co-director of the Center for International Security and Cooperation and a senior fellow at Hoover, said Stanford is an obvious place for Obama to discuss the responsibilities of tech companies when it comes to the safety of computer networks.

“The most important message that came across today is that this effort crosses all the traditional boundaries in academia, in industry, in government,” said Zegart, who has been a key player in the university’s Cyber Initiative and met with Obama just before the president delivered his remarks. “Cybersecurity is the ultimate team sport and the summit brought all the elements of the team together."

And Kathy Garcia, a sophomore majoring in management science and engineering, said the president spoke about cybersecurity and consumer protection in a way that everyone could understand.

"He made a good point that to be successful both the public and the private sectors have to work together," Garcia said

Before Obama’s remarks, Apple CEO Tim Cook talked about the privacy concerns that are inherent to data sharing. But he said the private sector and government agencies could work together to protect the safety and privacy of customers and citizens.

“Safeguarding the world of digitized personal information is an enormous task,” he said. “And no single company or organization can accomplish it on its own. That is why we’re committed to engaging productively with the White House and Congress and putting the results of these conversations into action.”

Other business leaders attending the summit agreed.

"I think the president is really trying to come to grips with a really big problem that's ever expanding,” said RSA executive chairman Art Coviello. “He's doing it by executive order, but as was said so many times today, we need congressional action as well. We also need to ensure that we create the trust that we need between government and private sector to ensure that we can have this public-private partnership. As a starting point, I think (the summit) was terrific, but let's see a lot of action coming out of it."

As weighty as the substance of his talk was, Obama opened his talk with some lighthearted comments about the bicycle-riding, fountain-splashing, Cardinal-obsessed Stanford students who have “made nerd cool.”

“Ambassador McFaul told me if I came to Stanford, you'd talk nerdy to me,” Obama said.

Then, getting to business, the president said: “I’m not just here to enjoy myself.”

A half-hour later, he signed his executive order and walked off the stage in Memorial Auditorium with a wave to the audience.

Brooke Donald, Beth Duff-Brown, Amy Adams, Kathleen Sullivan, Ker Than, Bjorn Carey and Tom Abate contributed to this report.

Herb Lin has a long agenda crafted from big ideas.

As CISAC’s inaugural senior research scholar for cyber policy and security, Lin intends to make Stanford the premier hub for academic research and public policy in an effort to protect the world’s computer networks against cyber attacks.

“When I was recruited, Stanford told me to think big. So I’m thinking big,” says Lin, who comes to Stanford from the National Research Council of the National Academies in Washington, D.C., where he was chief scientist at the Computer Science and Telecommunications Board.

“Part of my job is also to find a way to build cyber connections to other parts of the campus – law, medicine, the business school, engineering – so there are a variety of interesting possibilities that I’d like to tackle.”

Even before taking up his new role at Stanford last month, Lin worked with CISAC co-director Amy Zegart to convene a three-day boot camp that brought together Silicon Valley heavyweights and congressional staffers working on critical cyber legislation.

Lin wants to launch a policy journal devoted to research about cybersecurity. He hopes to construct the university’s first undergraduate courses about the foreign policy and economic implications of cybersecurity, as well as the risk analysis of cyberspace. He will represent Stanford's efforts in public commentaries, such as the one he wrote for The Wall Street Journal about how companies can ward off hackers.

And Lin was instrumental in facilitating the Feb. 12-13 White House Summit on Cybersecurity and Consumer Protection at Stanford University. President Barack Obama addressed the summit, the first time a sitting U.S. president conducted business on the Stanford campus in 40 years.

“Obviously the president has a great bully pulpit here, and is highlighting the importance of cybersecurity on the national policy agenda,” said Lin. “We are particularly delighted that he’s come to Stanford – which is recognition of our role in advancing the cybersecurity interests of the nation.”

Lin, who took up his new role at CISAC in January and is also a research fellow at the Hoover Institution, plans to reach across campus to help the university establish a cohesive strategy for the intersection of cyber policy and international security.

“Cyber touches many facets of life,” said Lin, who has a Ph.D. in physics from MIT. “Some of us are interested in the implications of cyber for international security and foreign relations. Others focus on how protect the nation’s critical infrastructure. Still others are trying to develop tools that can be used to make better decisions about consumer protections. I’d like to bring all of that under one coherent theme.”

Lin also helped organize the Department of Commerce’s National Institute of Standards and Technology workshop at Stanford on Feb. 12. The roundtable, which was in coordination with the White House summit, brought together chief technology and security executives to discuss the challenges of implementing consumer protection technologies in real-world conditions.

Lin moderated a panel at that workshop about academic research that has applications for consumer protections against cyber threats. Michael Daniel, special assistant to the president and cybersecurity coordinator at the White House, gave the keynote at the workshop.

Cybersecurity has become a priority for the Obama administration. The White House in October launched the BuySecure initiative, which includes reforms such as securing payment systems and preventing identity theft. Obama also spoke about cybersecurity in his State of the Union address on Jan. 20.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,’ Obama said.

Track II Diplomacy

Just as CISAC scholars have for decades been involved in Track II diplomacy in foreign policy, nuclear arms control, and counterinsurgency, Lin would like to see Stanford build on that by facilitating dialogue with other nations about ways to protect and defend their digital networks against cyber attacks and breaches.

“CISAC, as you know, has a long tradition of having nuclear dialogue with China and Russia, even during the coldest periods of the Cold War,” said Lin. “I’d like there to be a Track II diplomacy effort for cyber based here at Stanford, which many Chinese regard as the world’s No. 1 university.  That’s a very attractive platform from which a cyber dialog can be started and sustained.”

CISAC Senior Research Scholar for Cyber Policy and Security, and a research fellow at the Hoover Institution, says to understand cybersecurity you must first understand the basic components of locks and keys.

Finally, Lin intends to work with academics and scientists at Columbia University and the American Academy of Arts and Sciences to establish a boot camp for scholars of international relations and political science who want to work on cyber issues.

Last August, Lin worked with Zegart – who is also a senior fellow and associate director for academic affairs at Hoover – to bring in two dozen senior congressional staffers for a rigorous boot camp that paired them with military, academic and technology experts working at the highest levels of cybersecurity.

The three-day camp drew such names at Google Chairman Eric Schmidt and Facebook’s Chief Information Officer Joe Sullivan. Many of the congressional staffers said it was the first time they’d had the chance to closely interact with the very tech executives for whom they are working on protections and legislation.

Stanford announced in November it had launched the Stanford Cyber Initiative with the support of a Hewlett Foundation grant of $15 million. The initiative will take an interdisciplinary approach to address the challenges raised by cyber technologies.

Michael McFaul, director of CISAC’s parent organization, the Freeman Spogli Institute for International Studies, said Stanford is poised to lead in the cyber arena.

“We have a tradition and an ability to do things in an interdisciplinary way,” said McFaul, a professor of political science and a senior fellow at Hoover.

“I think we’re uniquely qualified and uniquely placed to tackle all those here at Stanford, especially because we sit at the heart of Silicon Valley,” said McFaul, who was the U.S. ambassador to Russia for President Obama before returning to Stanford last year. “I expect to see Stanford become the leading institution in the world for addressing cybersecurity issues.”

Readers can learn more about Stanford University’s push into cybersecurity here.

Stanford will welcome President Barack Obama to the campus Friday, Feb. 13, where he will address the White House Summit on Cybersecurity and Consumer Protection.  The president will join top-level government officials, corporate CEOs and Stanford faculty members who will gather to discuss pressing issues at the all-day summit organized by the White House.

President Obama is expected to deliver the keynote remarks at the event, which will be held in Memorial Auditorium and in the Cemex Auditorium at the Stanford Graduate School of Business. The invitation-only event will not be open to the public, but Stanford students can register for a lottery to obtain tickets.  Stanford faculty, students and staff members currently researching cyber-related issues have been invited to take part in panels and conversations.

The summit will be Webcast live in its entirety here for those unable to attend in person, and more details will be posted at WhiteHouse.gov/CyberSummit.

The event will mark the first time that a sitting U.S. President has made public remarks at Stanford since 1975, when then President Gerald Ford dedicated the Crown Quadrangle at the Stanford Law School. President Herbert Hoover addressed students at Stanford in 1932, and President Theodore Roosevelt spoke at Stanford in 1903.  President Bill Clinton was a visitor to campus during his presidency, but in his private capacity as a Stanford parent to daughter Chelsea Clinton.

The campus community can expect further information about parking and transportation changes as a result of the president's visit as event details are finalized.

President Obama announced the full-day White House cyber summit during a Jan. 13 speech and said "It's going to bring everybody together – industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students – to make sure that we work through these issues in a public, transparent fashion."

From increasing cybersecurity information sharing to improving adoption of more secure payment technologies, topics listed by the White House that the summit will address:

• Public-Private Collaboration on Cybersecurity;

• Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations;

• Promoting More Secure Payment Technologies;

• Cybersecurity Information Sharing;

• International Law Enforcement Cooperation on Cybersecurity;

• Improving Authentication: Moving Beyond the Password.

The White House summit is also the next step in the President's BuySecure Initiative, which was launched in November 2014, and will help advance national efforts the government has led over the last two years with executive orders on consumer financial protection and critical cybersecurity infrastructure.

Stanford announced a major Cyber Initiative in November that will apply broad campus expertise to the diverse challenges cyber-technologies pose for virtually every facet of our personal, governmental and economic lives. Funded with a $15 million grant from the William and Flora Hewlett Foundation, the Stanford Cyber Initiative draws upon Stanford's experience with multi-disciplinary, university-wide initiatives to focus research on the core themes of trustworthiness, governance and the unexpected impacts of technological change.

While the agenda for the White House summit has not yet been finalized, among the Stanford faculty members and researchers invited to participate are Amy Zegart, co-director of the Center for International Security and Cooperation (CISAC) and a senior fellow at the Hoover Institution; Stanford Law Professor George Triantis, who chairs the Cyber Initiative; John Mitchell, vice provost for teaching and learning and professor of computer science; and Herb Lin, senior research scholar for cyber policy and security at CISAC and a Hoover research fellow. Stanford President John Hennessy is slated to open the summit and will have the honor of introducing President Obama.

Stanford is preparing for a significant media attendance for the event, and coverage is expected by major television networks and more than 200 journalists from around the world. 

Students interested in registering for the student ticket lottery can consult the Stanford Ticket Office website for further information Monday.  Registration will close Tuesday at 11:59 p.m.

We will be updating this social media story about the summit:

The United States has thrust itself and the world into the era of cyber warfare, Kim Zetter, an award-winning cybersecurity journalist for WIRED magazine, told a Stanford audience. Zetter discussed her book “Countdown to Zero Day,” which details the discovery and unraveling of Stuxnet, the world’s first cyber weapon. 

Stuxnet was the name given to a highly complex digital malware that targeted, and physically damaged, Iran’s clandestine nuclear program from 2007 until its cover was blown in 2010 by computer security researchers. The malware targeted the computer systems controlling physical infrastructure such as centrifuges and gas valves.

Reports following its discovery attributed the creation and deployment of Stuxnet to the United States and Israel. The New York Times quoted anonymous U.S. officials claiming responsibility for Stuxnet. 

Zetter began reporting on the cyber weapon in 2010.

“When the first news came out, I didn’t think much of it,” Zetter told a CISAC seminar on Monday. The title of her book refers to a “zero-day attack," which exploits a previously unknown vulnerability in a computer application or operating system.

“Watching the Symantec researchers unravel Stuxnet, I knew what fascinated me was the process and brilliance of the researchers. The detective story is what pulled me in.” 

Zetter’s book follows computer security researchers from around the world as they discover and disassemble Stuxnet over the course of months, much longer than any time spent on typical malware. The realization that Stuxnet was the world’s first cyber weapon sent shock waves throughout the tech community, yet did not create as much of a stir in mainstream society. 

“It’s funny because a lot of people still don’t know Stuxnet or haven’t even heard of it,” Zetter said. “The recent vandalization of Sony seems to have finally gotten people’s attention. It was not a case of true cyber warefare, but I'm glad that my book came out right before it happened because its perception as a nation-state attack has led to interest in all nation-state attacks, including Stuxnet. The Snowden leaks also put cyber warfare on the map.” 

“Countdown to Zero” also places Stuxnet in political context. The first version of Stuxnet was built and unleashed by the Bush administration in 2007, according to Zetter. Iran accelerated its enrichment process in 2008, leading to fears it would have enough uranium to build a bomb by 2010. President Barack Obama inherited the program; he not only continued it,but accelerated it. Another, more aggressive version of Stuxnet was unleashed in June 2009 and again in 2010. Obama gave the order to unleash Stuxnet while publicly demanding Iran to open itself up to negotiations. 

The effectiveness of the world’s first cyber weapon remains a subject of debate. The most optimistic assessment of Stuxnet is that it delayed and slowed Iran’s uranium development enough to dissuade Israel from unilaterally striking the country, and it afforded time for intelligence and diplomatic efforts. Stuxnet contributed to dissension and frustration among the upper ranks of Iran’s government (the head of Iran’s nuclear program was replaced) and bought time for harsh economic sanctions to impact the Iranian public.

“Stuxnet actually had very little effect on Iran’s nuclear program,” said Zetter. “It was premature, it could have had a much bigger effect had the attackers waited.” Iran still made a net gain in their uranium stockpile while being attacked and they are updating their centrifuges, which would make Stuxnet obsolete.

The more unsettling parts of Zetter’s book catalog security vulnerabilities in America’s public infrastructure, which could easily be victim to a Stuxnet-style attack, and consider the implications of the era Stuxnet heralded. For example, in 2001 hackers attacked California ISO, a nonprofit corporation that manages the transmission system for moving electricity throughout most of California. More recently, Zetter writes, in 2011 a security research team “penetrated the remote-access system for a Southern California water plant and was able to take control of equipment the facility used for adding chemicals to drinking water.”

The Obama administration has publicly announced that shoring up infrastructure security is a top priority. Zetter finds this ironic, because unleashing Stuxnet has opened the U.S. up to attacks using the same malware.

“When you launch a cyber weapon, you don’t just send the weapon to your enemies, you send the intellectual property that created it and the ability to launch the weapon back against you,” writes Zetter. “Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet ‘a stone thrown by people who live in a glass house.’”

More broadly, Stuxnet heralded an era of cyber warfare that could prove to be more destructive than the nuclear era. For Zetter there is also irony to the use of cyber weapons to combat nuclear weapons. She quotes Kennette Benedict, the executive director of the “Bulletin of the Atomic Scientists,” pointing out, “that the first acknowledged military use of cyber warfare is ostensibly to prevent the spread of nuclear weapons. A new age of mass destruction will begin in an effort to close a chapter from the first age of mass destruction.” 

Zetter has similar fears.

“The U.S. lost the moral high ground from where it could tell other countries to not use digital weapons to resolve disputes,” Zetter said. “No one has been killed by a cyber attack, but I think it’s only a matter of time.”

Joshua Alvarez was a 2012 CISAC Honors Student. 

The White House announced it will host a Summit on Cybersecurity and Consumer Protection at Stanford on Feb. 13, convening major stakeholders to help shape public and private sector efforts to protect consumers and companies from growing network threats.

The all-day event will include senior leaders from the White House and across federal government; CEOs from a wide range of industries including financial services, technology, retail and communications companies; law enforcement officials; and consumer advocates. Stanford faculty members and students currently researching cybersecurity issues will be involved throughout the summit.

"We are honored to host this White House summit at Stanford University and are excited to play a pivotal role in convening experts from government, industry and academia," said Amy Zegart, co-director of the Center for International Security and Cooperation at Stanford. "Stanford is very engaged in studying cyber-related issues, and we look forward to enhancing this work by sharing our expertise on the cybersecurity issues that are so critical for the United States, its consumers and its businesses."

Topics at the summit will include "increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies," the White House said in a statement.

Stanford announced a major Cyber Initiative in November that will apply broad campus expertise to the diverse challenges cyber-technologies pose for virtually every facet of our personal, governmental and economic lives. Funded with a $15 million grant from the William and Flora Hewlett Foundation, the Stanford Cyber Initiative draws upon Stanford's experience with multi-disciplinary, university-wide initiatives to focus research on the core themes of trustworthiness, governance and the unexpected impacts of technological change.

"Stanford has tremendous depth in the information security field, which is playing a deepening role in every facet of our lives," said Stanford Law Professor George Triantis, who chairs the Cyber Initiative. "Stanford is conducting extensive research into Internet security across a wide swath of disciplines – computer science, law, engineering, medicine, political science, economics and education. Collaborations with industry and government are vital, and we applaud the White House for drawing us all together here at Stanford."

Cybersecurity is expected to be raised as a key priority by President Obama in his State of the Union address next week. The White House Summit is also the next step in the President's BuySecure Initiative, which was launched in November 2014, and will help advance national efforts the government has led over the last two years with executive orders on consumer financial protection and critical cybersecurity infrastructure.

Details are still being finalized for the summit at Stanford, which will feature keynote speeches, panel discussions, and small group workshops, allowing participants to build on efforts in the public and private sectors to further improve cybersecurity practices.

Stanford units expected to be involved in the summit include the Freeman Spogli Institute for International Studies, the Stanford Cyber Initiative, the Center for International Security and Cooperation, the Hoover Institution and the schools of Engineering, Law, Business, Medicine and Education, among others.

Sony Pictures Entertainment was set to release a satirical comedy, “The Interview,” in late 2014, but a cyberattack hit the organization that leaked corporate information, leading the company to initially pull the film and opening up a string of theories over who was behind the attack and how to respond.

Speculation began to mount as a clearer picture of the unprecedented hacking, both comprehensive and large in size, began to emerge. The breach is thought to be retribution for Sony’s production of the film, which carries a plot to assassinate North Korean leader Kim Jong-un.

Then, a threat was directed at movie theaters and moviegoers planning to screen and see “The Interview.” The message warned those against involvement ahead of the film’s Dec. 25 opening, indicating a “bitter fate” and alluding to the 9/11 attacks in the United States.

An unknown group, The Guardians of Peace “GOP,” claimed responsibility for the cyberattack. Media and those familiar with North Korea began to point blame on the country, which had already publicly condemned the film last June and has a history of cybercrime. Responding to accusations, top North Korean leadership rejected any involvement in the attack.

Image

The White House responded as Sony canceled the film’s New York premiere and said it would discontinue distribution. Following his year-end press conference, President Barack Obama condemned the hacking, citing the Federal Bureau of Investigation’s conclusion that North Korea was behind the attack. The President said the United States would respond “proportionally,” and on Jan. 2, signed an Executive Order that put into action a series of sanctions imposed by the Department of the Treasury.

David Straub, a Korea expert at Stanford University, answered questions about the Sony hacking and its policy implications for the United States and North-South Korean relations. Straub is the associate director of the Korea Program at the Walter H. Shorenstein Asia-Pacific Research Center. He formerly served as the State Department’s Korean affairs director.

What do we know about the Sony hacking? Who’s responsible?

Based on many types of evidence, including confidential information, U.S. government officials appear to be quite confident that North Korea did in fact conduct this operation. There’s still some disagreement in the media and among tech experts over who is responsible. They’ve cited a number of reasons but the main one is that the FBI’s official statement attributing the attack to North Korea provided evidence that they believe is far from conclusive. I myself am not a technical expert, but based upon my following North Korea for many years – the attack strikes me as being very likely to have been a North Korean operation. The FBI statement noted that the Sony attack is similar to an attack that the North Koreans conducted against South Korean banks and media outlets in March 2013. In that attack, many South Korean banks had their hard drives completely wiped clean. It was a hugely destructive attack and very similar to what happened to Sony.

Does North Korea’s response to the Sony hack coincide with past behavior?

In addition to the 2013 South Korean bank cyberattack, the North Koreans apparently sank a South Korean naval vessel in 2010, killing 46 sailors. In both instances, the North Koreans denied that they did it, expressed outrage over being accused, demanded that the South Koreans produce proof, said that they could prove that they didn’t do it, and then requested that the South Koreans conduct a joint investigation. These same demands are being made in response to the U.S. blaming Pyongyang for the Sony cyberattack. It couldn’t be more similar. More generally, the North Korean regime is very calculating. They know they can’t win an outright military confrontation with South Korea, much less the United States, so what they do is try to find a weak link and go after it in a way in which they have plausible deniability – a situation where it’s very difficult for the attacked party to prove who did it.

Describe North Korea’s hacking capabilities.

North Korea is a very secretive country, so it’s hard to be completely certain of their cyber capabilities. However, according to many accounts, the North Korean government has established professional hacking schools and units over the years, resulting in hundreds if not thousands of trained hackers. North Korea has engaged in a number of attacks in the past, the most prominent one was the attack on South Korean banks in March 2013. But also, a few years ago, North Korea conducted less sophisticated attacks on major U.S. government websites.

Why would they conduct an attack?

The North Koreans appear to have both the capability and the motivation to attack Sony. The nation’s entire political system rests on a cult of personality – now a cult of family, actually – that began with the founder of the regime, Kim Il-sung, and extends to his grandson today, leader Kim Jong-un, who has been in power since Dec. 2011. It’s the only thing holding the political system together at this point. The cult of personality is so strong that any direct criticism of the top leader is something that North Koreans will compete among each other to reject. From this standpoint, it seems very likely that they would feel they had to prevent the showing of a movie that features an assassination of Kim Jong-un. And, the hackers had plenty of time to prepare for and implement the attack because everyone knew well ahead of when the movie would be released.

The United States placed new financial sanctions on North Korea. What impact will the sanctions have?

President Obama made it clear that the U.S. government would respond at a time, in a place, and in a manner of its own choosing. Not all measures taken would be made public. So far, the first publically announced measure was the President’s Executive Order on Jan. 2 imposing additional sanctions on a number of North Korean agencies and officials. This in itself is unlikely to have major consequences because most of those entities were already sanctioned. But, the Executive Order states that the sanctions are being implemented not only because of the cyberattack against Sony, but more generally because of North Korea’s actions and policies, including its serious human rights abuses. So in a sense, the North Koreans got the United States to expand its reasons for sanctioning them.

President Obama addresses the Sony hacking, saying the United States will "respond proportionally," at his year-end press briefing on Dec. 19.

President Obama addresses the Sony hacking at his year-end press briefing on Dec. 19. Photo credit: WhiteHouse.gov

What other steps will the United States likely take?

President Obama left open the possibility that North Korea might be returned to the U.S. State Sponsors of Terrorism list, from which the nation was removed in 2008. I think it was a mistake to remove North Korea from that list in the first place. It was done to promote progress on the nuclear talks, which eventually failed, and ignored a number of terroristic actions that North Korea has committed in recent years. Another possibility, which is being pushed by Republicans in Congress, is to increase financial sanctions that mirror the type that were successfully implemented in Iran.

How will the U.S. response influence cybersecurity policy going forward?

The attack on Sony is a huge wakeup call to American businesses, and even to the U.S. government. It’s the first attack of this size on a company located in the United States. It got tremendous profile in the media and the President has been personally engaged in responding. Nearly everyone has heard about it, so U.S. companies are now going to be focused much more on cybersecurity because it has exposed some potential vulnerabilities – a “if North Korea can do it, presumably others can too” mentality. Moreover, if an attack can be executed on a film company, it could also be done to other businesses and even to elements of U.S. critical infrastructure.

How do you view North Korean leader Kim Jong-un’s possible offer to meet with South Korean leadership this year?

Kim Jong-un said that he was open to the possibility of a summit with South Korea in his annual New Year’s address, although he made no specific proposal. He made clear that the summit would be conditional on actions to be taken in advance by South Korea. Among these, Kim demanded ending U.S.-South Korean military exercises and halting the flow of propaganda-filled balloons sent over the border into the North by non-governmental activist groups in the South. Moreover, North Korea has a history of expanding its conditions later, without any warning. So, I think one has to be skeptical. The signal is unfortunately less likely to be a sincere effort toward real, sustained dialogue, and more likely to be a North Korean propaganda effort devised to confuse, divert and divide international public opinion. That said, South Korea has acted entirely appropriately in welcoming the signal and reiterating its own offer of high-level talks. Let’s hope for the best.

David Straub also participated in an interview with Public Radio International on Jan. 1 about the prospect for North-South talks, the audio can be accessed on the PRI website.