101 comments

[ 3.1 ms ] story [ 96.1 ms ] thread
I'm a little surprised that this BBC article doesn't mention the ongoing DDoS attack on GitHub by China.

Does it seem like this programme could give US authorities the power to sanction the Chinese government over something like a DDoS attack?

EDIT: Ah, looks like GitHub is back to normal. Maybe the attacks are over now?

This is exactly what this is. China and Russia have legitimized cybercrime. Its done openly with approval of the goverment. See Brian Kreb's expose on various cyberwarrior Russian companies that operate with impunity.

The US can identify these companies and sanction them, which is something they should have done long ago. If you don't want sanctions, don't attack our infrastructure or citizens. Autocratic one party states need to be reminded that we won't stand for this shit any longer. What China did to Github is inexcusable and deserves a response.

> What China did to Github is inexcusable.

How do you know it was China? An IP address does not mean the person sitting behind the computer is Chinese. The person could just as easily be controlling a botnet from a VPN while sipping a latte in a coffee shop in Palo Alto.

Read the details of the attack. It's not a botnet. The attack works by injecting malicious JavaScript into common websites within Chinese borders, and doing this only for visitors of these files from outside China.

Only the Great Firewall (or the website owners, ie. government-controlled Baidu) can possibly do that.

http://www.netresec.com/?month=2015-03&page=blog&post=china%...

>What China did to Github is inexcusable and deserves a response.

Github arguably operates in China by offering their website there. At the same time Github is refusing to meet demands by the Chinese government. Their refusal to meet those demands directly undermines policy enacted by the Chinese government. Now the Chinese government tried using their power to enforce their policy decisions.

I'm not saying it's right, but it doesn't seem that different from what's the norm these days. The only difference between China and powerful western countries is the kind of policy they enforce (censorship, not copyright protection or nuclear arms treaties etc).

> sanction "individuals or entities" that pose a cyber threat to the "national security, foreign policy, or economic health or financial stability of the United States,"

If you detangle the weasel words, this is basically "emergency executive powers to do whatever we want to people we don't like, as long as we can tie it back to the internet". Combined with the existing surveillance dragnet, that's horrifying.

Speaking of those words, it's worth noting that those points (national security, foreign policy, economic health/financial stability) are the same that GCHQ [is charged][1] to protect (I'd cite NSA, but I'm not familiar with where to find a list of their responsibilities).

[1]: https://en.wikipedia.org/wiki/GCHQ#Legal_basis

It's sad that this is the exact same conclusion I came to. I have zero confidence that executive powers like this won't somehow be abused to target Americans that pose no threat to national security.
I think "zero confidence" underplays it. The U.S. Government has a history of abusing their executive powers. Given their past behavior and not only a complete absence of remorse, but proactive justification of their abuses, it seems as though abuse of those powers is almost a foregone conclusion.
The cliche's were right all along. It does corrupt absolutely.
No, it doesn't mean that the executive branch can do "whatever [it] wants", it means that the executive branch can seize US assets from certain people outside the US or prevent them from accessing the US financial system.

That's a lot of power, but it isn't unlimited power.

> it means that the executive branch can seize US assets from certain people outside the US or prevent them from accessing the US financial system

You must be new to this brave new world. In 2012 the US seized $26000 from a Danish businessman while being transfered to a German bank within an electronic banking system that the US is not a part of (SWIFT): http://en.wikipedia.org/wiki/SWIFT#US_control_over_transacti...

8-| I hadn't come across this one before. I can't honestly believe they could have gotten away with that. They're enforcing an embargo under U.S. Law on finance being transferred between two countries that they have no jurisdiction in? That's er... I can't even come up with a word to describe that audacity.
It is too bad Europe does not have the guts to stand up for itself.
(comment deleted)
It can seize assets from any foreign national based on the standards of evidence they've used in the past to declare someone a "hacker".

Under the CFAA, accessing a web page as an unauthorized person would probably be justification enough.

You're missing the part where criminal intent is required.
Without a jury trial [which isn't required for this], it is just the prosecution deciding the target has criminal intent.

There is no check or balance as you imply. The Treasury and Executive are jury, judge, and executioner.

Aaron Swartz didn't have criminal intent. Look how that turned out. Even if he hadn't committed suicide, look at how that would have turned out.

Intent speaks to motivation, which speaks to the internal workings of one's mind. That may be relevant in a criminal trial. But it's far too nebulous of a concept to be considered when they're deciding whether to freeze your bank account. So they won't, no matter what lip service they pay.

They will "freeze first and ask questions later." We all know it's the truth.

He certainly did have criminal intent in that he knew what he was doing was against the law.
Criminal intent has been ignored left, right and center already. I certainly wouldn't want to bet that it will matter here.
Don't know about it not being unlimited as any case will tried in an American court, go see what happened to Kim Dot Com. The government court upheld the governments seizure of his money.

When you control the legal system your not going to have much difficulty prosecuting the unpopular.

2015 seems to be the year for multi-national globalization to really kick into gear.

TPP, this, what's next?

>Combined with the existing surveillance dragnet, that's horrifying.

The cruel creep of tyranny. "Cyber-terrorism" is the new bogeyman, or the new "terrorism" but instead of using a real catastrophe like 9/11, the incident they're going to use to justify this is a "hack" on Sony pictures with probably the weakest links to North Korea that could be?

There was no proof issued that North Korea were behind that attack. All the evidence that came out of it made it look as though they almost certainly were not behind it. So instead we're just going to repeat it as fact until it's accepted as true?

This is horrifying but it's just another turd thrown onto the pile of horrifying things the powers in the US are doing now.

Without even touching the USA's utterly toxic foreign policy:

- NSA mass surveillance that has eroded everyone's privacy on any communication device they may own, stomping on their own people's 4th Amendment rights in doing so.

- NSA lying barefaced to congress and facing no punishment

- CIA overthrowing or attempting to overthrow governments in sovereign countries who aren't explicitly under the thumb of the USA, throwing these countries into disarray

- CIA torturing untried suspects in the most brutal ways that we've seen in modern times.

- CIA arming and training "rebels" abroad who've went on to cause absolute atrocities across the middle east.

- Creating a militarized police force in the USA despite violent crimes decreasing year on year. Hell, the NYPD wanted portable, mounted machine guns to deal with protestors!

- Supporting a police policy of no-knock raids which have lead to the deaths of an unfortunate number of totally innocent people, over nothing.

- Rallied against whistleblowers while at the same time claiming to be working toward transparency and support for whistleblowers.

The list just goes on and on.

USA--
The SONY hack was almost assuredly NK or at the very least NK sympathizers. There are technical reasons (malware fingerprints, servers, tactical similarity to similar operations against SK media outlets). But the best way to link them is to see that the motivation was specifically anti-The Interview.

The important emails leaked by the Guardians of Peace (their 'Christmas Gift') show that CEO Lynton, a boardmember of the RAND Corporation, had been discussing with the State Department and RAND Corporation specialist on nuclear deterrence, NK and regime change since June the same year how the film should end and what was most likely to cause instability in NK when CSOs introduced them to the NK population.

That is to say The Interview was a 'diplomacy product' of the US government and the NK hacking of SONY was a retaliation for that - and in fact the cyber team retaliating against SONY specifically punishes media outlets for running adversarial messages about the Kim regime.

So the story here isn't that NK probably wasn't behind the attack - they probably were. The reason people are so skeptical is that they don't understand why NK would attack SONY, a movie seeming to be too petty a reason. It's easier to see when you read the leaked emails and ascertain that the US government was involved in crafting the film for its purposes.

There's a lot of toxic stuff in US foreign policy - and not just US but every nation. We believe in myths about our countries because they perform these actions in covert ways, and propel a lofty image of themselves in public interactions and through the media. The US does some very ugly, dirty stuff. But I take exception with some of the things in your list - specifically the characterization that the CIA's torture is or was somehow the 'most' brutal we've seen in modern times. That's some hyperbole and I think you know it. It may seems like picking on details but there is absolutely more heinous forms of torture (dissolving people in acid, using power tools to remove limbs and digits, etc) practiced at large in other nations.

But really the thing I want to leave here is that there is a tragedy at the commons. Torture and rendition, surveillance and propaganda, coups and proxy wars, theft and sabotage - all of these things are alive and well. The US is one of many nations involved in these activities as the planet races to establish water and food security before our planet exhales.

It's for dealing with foreign parties, and the executive branch has always had a lot of leeway to decide for itself how to handle international relations.
First of all, this article doesn't have a single criticism of this?

It is really scary to me that our lawmakers are enacting legislation for topics they have absolutely no personal experience with. Their decisions are based on what can only amount to 100 hours, optimistically, of information sessions given by people representing multinationals with agendas.

All I want to know is what the hell constitutes a "malicious cyber activity". Is that as innocuous as U.S. v Auernheimer?

No lawmakers voted on anything. It's an executive order.
I know. I'm just saying in general.
I understand your comment, and I agree that there have been plenty of examples of lawmakers misunderstanding technology, but this isn't really an issue that's unique to technology. Lawmakers vote on bills on dozens of extremely complex subjects, ranging from agriculture to foreign policy. No single person could have a deep understanding of all the issues that come up in Congress. I don't think that cybersecurity is any more complicated than health care economics or agricultural subsidies.

It's just the nature of trying to govern an incredibly complicated country.

Lawmakers voted on 50 U.S.C. 1702, which is what gives the President the ability to issue this executive order. The President can't just make up powers. He's been delegated a whole mess of them by congress, contingent on the declaration of a national emergency.
> No lawmakers voted on anything. It's an executive order.

How do you think that all the laws that the President cites at the top of the order that provide the authority under which the order is issued were passed? [0]

[0] "By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, [...]" -- https://www.whitehouse.gov/the-press-office/2015/04/01/execu...

This article is by the BBC. Most of us Brits consider it a national treasure for providing relatively unbiased and often deadpan reporting on news topics. :)

That's not to say that there couldn't have been criticism if another source provided them with some, but the BBC tend not to provide their own 'opinion' as a criticism (think Wikipedia).

Also, BBC seems to be a great channel to where both the UK gov and the US gov can send their propaganda pieces.
It leans heavily left but prints propaganda for the right wing UK gov and the (right wing compared to UK) US gov?
Seriously, that's really refreshing. There's a lot of bias bullshit in the US, so I love getting foreign perspectives because there's no reason to be bias .
If that's true, why does propaganda exist?
It's actually quite refreshing to listen to British news after being bombarded with the hyperbole of U.S. news. But don't be naive, the propaganda is still there, it's just far more subtle and much more refined.
Every news source is biased. Your job is to understand what that bias is and compensate. By following multiple news sources with different bias you can discern somewhat the truth of matters is as it lies somewhere in the center. Some outlets are more predictably and openly biased towards one direction.
I work with a bunch of Brits and they say the BBC leans heavily left like NPR here.
"leans heavily left" and "like NPR" are not mutually consistent descriptions.
NPR does lean heavily left. I listen to it every day. I wasn't implying anything other than the BBC and NPR both lean left.
I think calling something that leans left "left leaning" rather than "unbiased" while in a left-leaning crowd like news.y is going to be a dead end.
I read/listen to a bit of both (despite living in Denmark), and they strike me as leaning upper-class more than anything else, especially NPR. High culture, art museums and classical music, cultured fancy vacation destinations (Venice! Paris!), that kind of thing. Which all strikes me as more bourgeois than left. The upper classes aren't very culturally conservative, and are embarrassed by reactionary groups with lower-class bases, like UKIP or the Tea Party, so could be grouped on the left if your idea of left is opposing such groups. But they aren't very left economically, and keep their distance from lower-class movements on the left too, anything that gets too "red".

In a Danish context I would imagine the archetypical NPR listener voting for the Social Liberals, who are basically in the exact center (socially liberal, economically free-market, but not radically so in either category).

In the US there is no economic left. The left and right are distinguished by their social policy.
Then your coworkers are idiots.

People in the US have absolutely no idea what "heavily left" means in Europe.

Er... that's the official stance. There are linguistic undertones to how they lean while maintaining their "unbiased objectivity". It's nowhere near the level of obviousness of North American news, but it's there if you listen closely.
If you're new to European news then I can imagine your incredulity but state news agencies typically report the news, they don't interpret it.

Of course this varies from country to country with some countries being quite far from neutral in their reporting but the 'beeb' is pretty good at this.

If you want to get away from such bias the best trick that I've found is to go to the news sites of three different countries not directly implicated in the news item and figure out the common elements. Everything else is likely bias or interpretation.

Yep, typically you have to go to CBC, CNN, Al Jazeera and BBC and correlate it all yourself. It can be a lot of work. At least the BBC typically gives you enough facts that you can just about read between the lines yourself. American news in contrast picks up on a specific point or perspective, sensationalises the shit out of it and sweeps all the details that don't support their narrative under the rug. It can make for hilarious or completely frustrating watching depending on your mood or perspective at the time. It does tend to rile you up in a completely irrational fashion though, very un-British.
> First of all, this article doesn't have a single criticism of this?

In some places, there is still a distinction between:

(1) Reporting on the news,

(2) Reporting on reactions to the news, and

(3) Providing an outlet's own commentary/opinion on the news.

Its true that a number of popular news outlets try to pass off (2) and even (3) as (1), and that if you are used to that an article that sets out to do (1) and ends up only doing (1) may be confusing.

On the contrary, I believe they have criticized it but not in a way that's especially overt. Specifically, I would consider their choice of images intentional. If you'll indulge me:

Image 1: [CC on keyboard] - Followed by text about "foreign hackers", "The US Treasury" and "economic ... security challenges."

Image 2: [Anonymous] - Proceeded by text about "individuals or entities that pose a cyber threat", both of which the image presumably represents.

Image 3: [Switch Rack] - Proceeded by assurances regarding the use of this power, followed by FUD and vague threats justifying it.

The final image is critical. It simultaneously represents the Internet, what is an obvious mess and, to those in the know, extremely poor cable management. Each of these associations imply something damning about the order.

I would absolutely expect a BBC reporter to have so carefully crafted such implications.

Respectfully, I think you are overthinking this.

One could use the same logic to make the argument that this article strongly supports the sanctions:

1: [CC on keyboard] "Hackers are trying to steal your money. We need these sanctions to protect you" 2: [Anonymous] "Look at the scary hacker. Don't you know kids these days can do anything with your computer?" 3: [Switch Rack] "See how complicated the internet is? Don't think about it too much, just let us protect you"

Personally I consider it more likely that those were the first results on the stock image site when the reporter searched for "internet, security, hackers" :-)

So, are the U.S. going to sanction themselves?
Good question. Should the US be sanctioned for DDoSing North Korea? Should the US be surprised when China enacts similar legislation?
> Should the US be surprised when China enacts similar legislation?

I wouldn't be surprised to see Obama label such an act by China as an "act of war".

I would. Doing that without any follow-up erodes your credibility. And the US is not going to go to war with China.
You seem confused. Watch a few seasons of Homeland and it will all become clear: no matter what atrocities the good guys are doing, they always have good justifications. Which may need to remain secret, just like the proof that NK was involved in the Sony breach, but it's all for the common good.
(comment deleted)
I guess its a start, even if the irony seems a bit thick with NSA on the forefront with offensive cyber operations.

Has there been anything similar to Stuxnet from China?

Sidestep Congress with a 'national emergency.' Really necessary?
A national emergency declaration doesn't sidestep Congressional oversight; in many cases, its a required condition of exercising powers granted by Congress. An executive action that includes or is supported by a national emergency declaration is no less subject to oversight by Congress than any other executive action.
The mechanisms of "national emergency" and the IEEPA are both products of congressional oversight. If they didn't want him to be able to do that, they could repeal the IEEPA. Of course, this is pretty silly: if they put this executive order to a vote in the House, the only flak Obama would get is that he is not also bombing China.
I haven't done any research into what this executive order actually does but language like "not one we expect to use everyday" makes me nervous. This sounds like down-playing. Laws written with good intentions are often used later in ways and at frequencies with which they weren't designed.
If they say "we don't expect to use it everyday", that means they expect to use it every hour.
no, just on days where they need to shut someone up ;)
I submitted the Politico article yesterday:

http://www.politico.com/story/2015/04/new-us-sanctions-forei...

> President Barack Obama said Wednesday that the U.S. will now treat foreign hackers and cyber spies like terrorists and nuclear arms dealers.

There is also the medium post he made about it [claiming legitimate security researchers won't be targeted, not that I really believe that]:

https://medium.com/@PresidentObama/a-new-tool-against-cyber-...

To be honest, it sounds like Obama is positioning all "hackers" as "terrorists" and "foreigners" in the public view. I fully expect him or the next President to declare a "War on Cybercrime".

It also means, as of today, the Treasury can literally freeze all of the assets of any non-US citizen on circumstantial evidence. Lets face it, the case against North Korea for the Sony Hack is primarily based on circumstantial evidence. Its indicative but none of it truly is proof.

It also pretty much creates a situation where the Executive can freeze the accounts of anyone it doesn't like on circumstantial evidence. Eventually, if they continue the "hackers == terrorists" mantra...they'll start throwing them in prions without trials. And let us be honest, we all know this is where it is going to go eventually.

To the average person, the computer is a magical box. This makes it the perfect weapon for a terrorist group with the right type of fanatic to engage in cybercrime to fund their operations while simultaneously the perfect tool to suppress people on the basis of circumstantial evidence that the public, frankly, doesn't understand.

I doubt it would ever be used against a US Citizen but already we have security researchers being treated like criminals when they try to enter the US. And, frankly, we have some obligation to say "Hey, this isn't right".

I think this is a pretty clear sign that hackers should seriously consider a mass exodus from the United States. This decision might not be right for everyone, of course, but neither is having your life destroyed because of the foolish executive orders.
Can we get spammers labeled as terrorists?
Can we also get the guys who keep leaving unsolicited advertising on my car at the station and also on my front doorstep despite a sign on my front door saying "No junk mail" classified the same?
Given the U.S. Government's laughable ability to properly classify "hackers" apart from script kiddies, security experts, programmers, I.T. admins and any other computer "expert" where does that leave anyone in the I.T. industry that a politically influential corporation [i.e. Sony et al.] takes a dislike to? A software engineer posts a politically embarrassing YouTube video and is arrested as a hacker and thus a cyber terrorist under the guise of "national security"?
Reminder that not using a browser to access a website has been construed as hacking.

Reminder that 90% of development tools are hacking tools. Subversion has subversion right in the name.

> not using a browser to access a website has been construed as hacking.

Huh? I haven't heard that one before?

The whole 'hacking tools' thing is just ignorance. As if wireshark and port scanners have no legitimate use. "We don't understand these things therefore they are scary"

(comment deleted)
I got voted down yesterday for linking this kind behaviour to the Salem Witch Trials... but I stand by my point: Fear of what they're ignorant about and starting witch hunts to eradicate it is part of American history... you may cast it to the annals of history, but with the undertones of Islamophobia, xenophobia and racism that constantly play out in the media demonstrate that it's still alive and kicking in the halls of politics. This is just another form of the same thing - fear of their own ignorance.
http://arstechnica.com/security/2013/05/reporters-use-google...

http://www.washingtonpost.com/blogs/worldviews/wp/2013/07/30...

> That Manning was convicted of computer fraud seems to suggest that using wget on a U.S. government computer to download large numbers of files can be considered the digital equivalent of trespassing – even if it's on turf you're otherwise allowed to access.

I think is what he means.

What the... This is a simple distinction.

Computer fraud means using a computer to do something you're not authorized to do. He was not authorized to use wget, he used it, thus he committed fraud.

He was authorized to access that "turf," but not with wget. Why? Specifically for the reason he did it: it's a risk.

Whatever your opinion on whistleblower protections, this is not a risky judgment.

Does any American website enumerate in their terms of use the software that you are allowed to use to access them? Could they?
No, but I'm almost certain that the DOD's filesystem likely includes a "using any unapproved software to access this system is considered unauthorized."

It's almost as if there's a difference between DOD classified file storage and google.com.

Could it be done with a non-DOD site? If not, why not?

Could I make a website that immediately drops you onto a landing page that says "The rest of this website may only be accessed using Safari. Use of Firefox, Chrome, or any other software constitutes unauthorized access."?

Yes, you could make such a website, but I doubt that it would mean anything in court.

Manning was active-duty military, accessing classified military systems. There are all sorts of duties, laws, and regulations that apply to that situation that don't apply to a civilian accessing some random website on the web.

> He was not authorized to use wget

I'd be interested in seeing the exhaustive list of programs they are authorized to use.

Get a job at the DOD and I'm sure they'd be glad to share it with you.

Is it really that unbelievable that the Department of Defense would have a strict set of software that's allowed to utilize their network, for a variety of reasons, including Manning's usecase or just simple security concerns?

Is your employer comfortable with you sharing encryption keys via post-it notes stuck on your monitor?

Should the DOD be comfortable with people accessing classified filesystems with any software they please?

This is simply a non-argument. I think it's a tacked-on charge meant to take down a maybe-legitimate whistleblower, but it's not like you can say it's actually unreasonable/unrealistic.

For one thing, I'm pretty sure a browser already contains everything necessary to do what manning did with a few lines of javascript.
A lot of government computers have VERY limited capabilities. No right click, no JS, no modifier keys, no copy/paste, etc.

These are the real limitations of the real world and they're there by design.

Manning skirted them, and he got hit for it.

About 10-11 years ago, I was contacted by an employee at NOAA who needed sha1 checksums of open-source software I released. He needed it so that it could go on their whitelist of usable software, but he couldn't generate them himself due to policy.

Whitelisting acceptable software really isn't a bad idea, especially for organizations that care about safety and security of data. The next step is to lock down the platforms to only execute whitelisted software (similar to how Apple tries to lock down iPhones, iPods, and iPads).

With the addition of developer tools to every major browser these days you don't even need to step outside your browser... your browser is a hacking tool. Every time you do F12 and navigate your way through the HTML to remove the annoying paywall mask to read an article rather than pay for the subscription is hacking. You are using a site with a behaviour that was not explicitly intended by the owner and that theoretically could get you charged as a hacker, without you ever leaving your browser.

Blurred lines. [Apologies if that song is now stuck in your head as it is mine]

Subversion was called Subversion because it was subverting CVS, which it meant to replace. Not to mention the nice double meaning of sub-version.
Can you provide a reference for your claim that the US government's "ability" to classify hackers is laughable?
Look up anything that Bruce Schneier has written on the subject and correlate it with Government statements on the subject.
As Bruce once said" "Hacker" is a mindset and a skill set; what you do with it is a different issue.

So what does it matter what the government calls them? The government reaction to a security threat should not depend on the classification.

'Laughable' can be defined as 'absurd'. Absurd things aren't trustworthy. Here's your reference on something that may enable untrustworthy behaviors: https://pdf.yt/d/DvKApeRf6FHiJZ7t/download. That's the Executive Order, and within it is a declaration of a 'national emergency' which gives the government sweeping powers to seize assets if they think someone is cyber-enabling anyone. That statement is absurd, and presumably enables untrustworthy behaviors when put into practice.
It is like the only tool the US government has to handle this problem is a hand grenade. No precision.

All it is going to take is one lazily worded law / executive order, and anyone in the security space could have the possibility to go to jail if enforced broadly.

You'll be fine, just don't piss off anyone that has influential lobbyists... like the communications, media, banking or oil & gas companies, the NRA, any corporations or financial transactions that politicians have stakes in, anyone in authority or anyone that could make your life... uncomfortable. You'll probably be fine. Maybe :P
(comment deleted)
I'm pretty sure if the government wanted me in jail, they could do so.

As the machine gears turns and laws are created as time moves forward, I don't see any other outcome then total lock down. All liberties and freedoms are gone.

I submitted the RT story yesterday: https://news.ycombinator.com/item?id=9305942. The RT article has a copy of the executive order, which is a legally binding law enabling "promulgation of rules and regulations" until it (hopefully) is reviewed and struck down by the judicial system as being unconstitutional. Given what we've seen historically from this White House and Congress, I'm not holding my breath.

This legally binding order gives the US Government the right to lay claim to assets held by individuals and corporations who may "constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States", all without prior notice.

Laws and legal contracts provide us a trusted system by which we may operate within a society. By 'sweeping off' certain rights, that trust is effectively eroded to the point implicit trust is all that remains of the 'contract' held with the governing body, in this case the US Government. This opens up the path to abuse of power by certain individuals by enabling them to hack the remaining (implicit) trust to suit their own needs.

While cyber criminals should be held accountable for their actions and the acts they commit can create additional suffering for individuals, corporations and communities, I don't feel eroding trust of the governing body of a country is the most logical approach to combatting crime committed by the criminals. Implicit trust in things of importance, especially infrastructure, never ends well for the parties trying to trust each other. FWIW, this is an opinion based on trust observations seen while working on infrastructure, which is not necessarily a fact of all our reality. At the very least, this is a complicated issue.

There are certainly other avenues available to us for addressing criminal behavior on the Internet. Those avenues are most likely technical in nature, and are clearly well beyond the responsibilities (or abilities) of The Office of the President of the United States.

It feels like the US is currently in a massive bought of cognitive dissonance: wanting to stop attacks while (at least for some) holding our freedoms as individuals to high levels. As with most duality situations, this will resolve itself at a future date in one way or another. For all of us, I hope this is done in a transparent, trustworthy and LEGAL way.

I would add that implementing technical measures to combat these attacks in and of themselves could be considered violations of this Executive Order as they may judged by the government at will: "any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States".

Cyber-enabled activities likely to result in a threat. Think about it.

DPRK attacks film studio = sanctions, counterattack, TO WAR!

China attacks Github = nothing, silence, heads kept in sand.

The attack itself is irrelevant. The scale of response is only related, inversely related, to the political size of the attackers. Small countries and individuals are to be punished. Large countries holding billions of US debt are to be forgiven. The extent of damage done doesn't enter into the equation.

The United States hacks and counterattacks China all of the time.

The reason for calling the DPRK's attack on the propaganda creation of the State Department 'cyberterrorism' and 'cyberwar' is that it aligns with US foreign policy (SK's official policy now is to pursue reunification).

NK is going down - China is more complicated. We do hack and counterattack China though, all the time.