Bruce Schneier has two typically fine new essays on the Sony hack. The first (at the Atlantic.com) argues that “we still don’t know who’s behind” the Sony hack, and the second (at Time.com) explains why the government should “be much more forthcoming about its evidence” about attribution. I generally agree. But matters are even more complex that Schneier lets on.
The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack. The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways. The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky. (Schneier acknowledges that “in cyberspace, we’re going to have to accept the uncomfortable fact that there’s a lot we don’t know.”)
Schneier also says, “We need international agreements defining what counts as cyberwar and what does not.” Maybe, but we cannot get them. The very problems of anonymity and attribution that Schneier emphasizes in his essay make such agreements practically impossible (or so I argued, here).