When a cyberattack has been carried out, at least one party, the attacker, knows about it immediately. Sometimes, the attack’s target quickly becomes aware of what happened, but often, because of the confusing and covert nature of cyberwar, the victim remains in the dark for months or even years. When Chinese hackers stole personal data on more than 22 million Americans from the Office of Personnel Management, they gained access to two database systems in May and October of 2014—but OPM didn’t discover them until May and April 2015, respectively.
Once aware of a cyberattack, the governments involved have to decide whether or not to publicize it. Sometimes, it’s in the best interest of both the attacker and the attacked to keep a hacking incident quiet. The reputation of the target country might suffer if it acknowledges that a successful attack was carried out against it, and it could even feel pressured to strike back if the attack became public. Meanwhile, the aggressor may benefit from keeping its cyber capabilities secret from other adversaries.
As the Times worked on the story about last year’s cyberattacks on North Korea, it was in contact with the Office of the Director of National Intelligence, and agreed to withhold certain details from the final story “to keep North Korea from learning how to defeat [the attacks].” James Lewis, a security-policy expert at the Center for Strategic and International Studies, said one of the Times reporters reached out to him several months ago. Lewis recommended the reporters check in with the DNI before publishing, which they did.
“It would have been better unpublished (unless the North Koreans finally woke up, and there was then no harm to going public),” Lewis wrote in an email. Now that they’re widely known, the cyberattacks may prompt Russia and China to take risky new moves to protect their own nuclear arsenals from American malware, James Acton, a nuclear-policy expert at the Carnegie Endowment for International Peace, told me this weekend.
When neither side is willing to go public, it takes dogged reporting to uncover a cyberattack. The Reuters story about the failed Stuxnet-style cyberattack on North Korea was sourced to several anonymous high-level intelligence officials, and came about five years after the initial incident. The Times story was a year in the making, and was assembled through interviews and a thorough review of public records and information.
But sometimes, it is in the best interest of the government that’s been hit by hackers to publicly attribute the strike to its perpetrator. The U.S. has shown a willingness to do this: On three separate occasions, the intelligence community has pointed fingers for a cyberattack, either through official statements or more subtly through the press.
After sensitive emails and documents from Sony Entertainment officials were leaked in 2014, the FBI said it had determined that North Korea was behind the hack. The OPM hack took place that same year, and after the hack was made public in 2015, although the government never released a formal statement, top members of Congress consistently blamed China for the incursion. And when WikiLeaks began to publish private emails from top Democrats, all 17 agencies in the intelligence community put out a joint statement singling out Russia as the aggressor.