Chertoff: We Need a Clear Doctrine of Deterrence to Cyber Attacks

For years, cyber security specialists have reported on intensifying intrusions into the information networks of our major institutions, both public and private. Most of these have involved theft of personal information for financial gain or espionage aimed at stealing valuable intellectual property.

But occasionally we have seen more destructive attacks, aimed at “wiping” or destroying the networks and data themselves. In 2012, Saudi Aramco was a victim of a cyber attacks that destroyed thousands of machines, and in 2013 South Korean banks were also targeted for cyber damage.

The recent Sony attack is a disturbing new chapter in this escalation of cyber conflict, not least because of the reaction we have seen. North Korean sympathizers styling themselves “Guardians of Peace” have claimed credit for cyber intrusions that released substantial amounts of confidential Sony information and intellectual property and subsequently incapacitated Sony’s IT system. The group—thought by many to be directed by or at least complicit with the regime in North Korea—claim to be aggrieved because of a forthcoming Sony comedy that ridicules and ultimately portrays the assassination of North Korea’s dictator. The attack on Sony was followed in recent days by additional threats to cause “another 9/11” at movie theaters that showed the film publicly.

Although Homeland Security Secretary Jeh Johnson affirmed that there is no credible evidence that this is a real risk, several movie chains cancelled showings and the release of the film has been suspended. Regardless of how empty this threat of retaliation really is, some of our theater companies have handed the North Korean regime and terrorists generally a major victory by effectively conceding a terrorist’s veto over our First Amendment.

Terrorist threats of physical or on-line violence to suppress free speech are not new. After a Danish newspaper published a cartoon deemed by some unflattering to Mohammed, some violent Islamist extremists plotted bombings in Denmark. Years ago, the Iranian regime levied a “death sentence” against author Salman Rushdie for his book Satanic Verses, which Ayatollah Khomeini deemed blasphemy. Some publishers were sufficiently intimidated that they self-censored cartoons or writings which might offend violent radicals.

But the wholesale cancellation of film showings in direct response to terrorist bluster is a profile in timidity. Moreover, as is the case when we pay ransom to kidnappers, a craven response to threats simply encourages more threats. Do we really want to hand the censor’s pen to North Korea or to ISIS? Is it really good business if media companies begin to reject books or film ideas because someone might be offended to the point of violence?

What is to be done? First, inasmuch as critical infrastructure companies are treated as national priorities for cyber security, our government needs to afford media companies the same sort of help. Second, as our citizens become the victims of actual destructive attacks by nation states or their proxies, we need a clear doctrine of deterrence and response by the U.S. government. Finally, just as we did not abandon our aviation system after 9/11, we should defy demands that we curtail our free speech. The filmmakers ought to make this new film available as widely as possible as soon as possible.

Michael Chertoff was secretary of Homeland Security from 2005 to 2009. He is now executive chairman of The Chertoff Group, a global security and risk-management advisory firm.