So the FBI now concludes that the North Korean government is responsible for attacks on Sony Pictures Entertainment.
This conclusion is based on the Bureau’s analysis of the malware (similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks used before by North Korea); overlap in hardcoded IP addresses in the malware and those in the Sony malware; and similarity in tools used in the SPE attack and a North Korean attack on South Korea last year. Same tools, same IP addresses = same actors? Possibly. Probably.
So what should we do about it? And why does calling this an act of war not really help Sony?
Typically, when you do a risk assessment, you establish your “risk appetite,” assess your risk, and mitigate those risks that are cost-effective to mitigate. You can’t prevent every attack; you can’t secure every computer or bit of information so you prioritize.
You also can’t address every risk, so you address those that are either most likely to occur or that will have the most impact if they do occur. It’s called “probabilistic risk assessment.”
Likelihood x Impact = Risk.
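The procedure above (set a risk appetite, score each risk as likelihood times impact, buy only the mitigations that pay for themselves, then see what is left) is easier to reason about with numbers in front of you. The following is an added example, not code from the column or from Sony; every figure in the register is a constructed placeholder, and the control model (a mitigation lowers likelihood but not impact) is a simplifying assumption.

```python
"""Probabilistic risk assessment on a constructed risk register.

Added example, not from the column above. It models the procedure the
column describes: score each risk as likelihood x impact (here the
annualized expected loss), rank by that score, buy the mitigations whose
avoided loss exceeds their cost, and compare what is left against a stated
risk appetite. Every figure in SAMPLE_REGISTER is a constructed placeholder,
not a real company's data, and the control model (a mitigation lowers the
likelihood but not the impact) is a simplifying assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float           # probability the event occurs in a year
    impact: float               # loss in dollars if it does
    mitigation_cost: float      # annual cost of the control
    residual_likelihood: float  # likelihood with the control in place

    @property
    def expected_loss(self) -> float:
        """Likelihood x Impact: the annualized expected loss."""
        return self.likelihood * self.impact

    @property
    def residual_loss(self) -> float:
        return self.residual_likelihood * self.impact

    @property
    def loss_avoided(self) -> float:
        return self.expected_loss - self.residual_loss

    @property
    def cost_effective(self) -> bool:
        """Worth mitigating only if the control removes more loss than it costs."""
        return self.loss_avoided > self.mitigation_cost


# Constructed sample register; likelihoods are binary fractions so the
# arithmetic below is exact.
SAMPLE_REGISTER: List[Risk] = [
    Risk("phishing", 0.75, 200_000, 30_000, 0.25),
    Risk("ransomware", 0.25, 5_000_000, 400_000, 0.0625),
    Risk("nation-state wiper", 0.015625, 128_000_000, 2_000_000, 0.0078125),
    Risk("lost laptop", 0.5, 20_000, 5_000, 0.0625),
]


def rank_by_risk(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first: the risks to look at before any other."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def plan(register: List[Risk], risk_appetite: float) -> Tuple[List[Risk], float, bool]:
    """Choose cost-effective mitigations and test the residual against appetite.

    Returns (mitigated risks, total residual expected loss, within_appetite).
    A risk that is not worth mitigating stays in the total at full expected
    loss; that is exactly where low-likelihood, high-impact events pile up.
    """
    mitigated = [r for r in register if r.cost_effective]
    chosen = {r.name for r in mitigated}
    residual = sum(
        r.residual_loss if r.name in chosen else r.expected_loss for r in register
    )
    return mitigated, residual, residual <= risk_appetite


if __name__ == "__main__":
    for r in rank_by_risk(SAMPLE_REGISTER):
        print(f"{r.name:20s} expected loss ${r.expected_loss:>12,.0f}  "
              f"mitigate: {'yes' if r.cost_effective else 'no'}")
    mitigated, residual, ok = plan(SAMPLE_REGISTER, risk_appetite=500_000)
    print(f"residual ${residual:,.0f}; within appetite: {ok}")
```

With these sample numbers the nation-state wiper ranks first by expected loss yet fails the cost test, so it stays in the residual at full value and the plan lands well outside a $500,000 appetite. That is the shape of the problem the column is describing: the arithmetic tells you to spend on phishing and ransomware controls, and it leaves the rare catastrophic event as an accepted risk unless someone consciously overrides it.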
The recent attacks – presumably by either the North Korean military, the Ministry of State Security (MSS) or the Reconnaissance General Bureau (RGB) – were not really the kinds of attacks that you would expect a corporation to be prepared to deal with.
Or maybe they are.
That’s one of the problems with “cyber warfare” or “cyberterrorism.” The attackers frequently use the same tools, techniques and methodologies as ordinary criminals. The Sony hack was at the same time relatively sophisticated and perfectly banal.
One expert who has examined both the source code and the methodology involved has described the attack as a “sophisticated use of ordinary tools.” So Sony probably should have been prepared for the attack. Not necessarily this one, but ones like it.
It’s easy to wag a finger at Sony after the fact. Hindsight is an exact science. After every successful breach you learn what you should have been doing, slap your forehead, and wonder how you could have been so stupid.
Perhaps the greatest failing was the inability to detect the massive exfiltration of data from the network. Companies (and governments) typically have been so involved in PREVENTING attacks that they often lose sight of the goal of mitigating the impact of attacks if (I mean when) they do occur. Data segregation, classification, encryption and DLP solutions can all help. But it’s no panacea.
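The detection gap the paragraph above describes is concrete enough to show. The following is an added example, not code from the column or from any product: it reads a constructed outbound flow summary (date, source, destination, bytes sent), counts only bytes that leave the internal range, and flags a host whose daily egress is both large in absolute terms and far above that host’s own median on earlier days. The 10.0.0.0/8 internal range, the thresholds and every flow line are assumptions made for the sample.

```python
"""Flagging bulk data exfiltration from outbound flow summaries.

Added example, not from the column. Assumed input format, one record per
line: 'YYYY-MM-DD src_ip dst_ip bytes_out'. Internal hosts are assumed to
live in 10.0.0.0/8; anything else is external. A host is flagged for a day
when its egress to external destinations exceeds an absolute floor AND a
multiple of its own median egress on earlier days, so a quiet workstation
that suddenly ships tens of gigabytes stands out while a busy server that
always moves a lot of data does not.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, NamedTuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed address plan for the sample

# Constructed sample flow records (not real traffic). The last record is an
# internal-to-internal copy and must not count as egress.
SAMPLE_FLOWS = """\
2014-11-18 10.0.1.5 198.51.100.7 120000
2014-11-18 10.0.1.9 203.0.113.20 800000
2014-11-19 10.0.1.5 198.51.100.7 150000
2014-11-19 10.0.1.9 203.0.113.20 750000
2014-11-20 10.0.1.5 198.51.100.7 110000
2014-11-20 10.0.1.9 203.0.113.20 820000
2014-11-21 10.0.1.5 198.51.100.7 130000
2014-11-21 10.0.1.5 192.0.2.44 40000000000
2014-11-21 10.0.1.9 203.0.113.20 790000
2014-11-21 10.0.1.9 10.0.2.3 90000000000
"""


class Flow(NamedTuple):
    day: str
    src: str
    dst: str
    bytes_out: int


class Alert(NamedTuple):
    host: str
    day: str
    bytes_out: int
    baseline: float  # median daily egress on earlier days (0 if none)


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed four-column format, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        flows.append(Flow(day, src, dst, int(nbytes)))
    return flows


def daily_egress(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum bytes each internal host sent to EXTERNAL destinations, per day."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            totals[f.src][f.day] += f.bytes_out
    return totals


def find_exfiltration(flows: List[Flow], min_bytes: int = 1_000_000_000,
                      factor: float = 10.0) -> List[Alert]:
    """Flag host-days above min_bytes and above factor x the host's median.

    A host with no earlier days has a baseline of 0, so on its first day only
    the absolute floor applies (a brand-new host moving a gigabyte out is
    still worth a look).
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        history: List[int] = []
        for day in sorted(per_day):
            sent = per_day[day]
            baseline = median(history) if history else 0
            if sent >= min_bytes and sent > factor * baseline:
                alerts.append(Alert(host, day, sent, baseline))
            history.append(sent)
    return alerts


if __name__ == "__main__":
    for a in find_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.day} {a.host}: {a.bytes_out:,} bytes out "
              f"(baseline {a.baseline:,.0f})")
```

Run against the sample, it raises one alert, for 10.0.1.5 on 2014-11-21, and stays quiet about 10.0.1.9 because its 90 GB transfer never left the internal range. The per-host baseline is what makes this a DLP-style control rather than a blunt volume cap: the absolute floor stops noise from small hosts, and the ratio stops a legitimately busy server from tripping it every day.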
Remember Bradley/Chelsea Manning (25 million classified records)? Edward Snowden? Highly classified NSA records exfiltrated through music CDs. This stuff is hard. Not impossible though.
Should Sony have been prepared for an “act of war” by the Kim Jong Un regime? Certainly they knew that the hermit kingdom would not be happy with the Franco/Rogen film. But war? Hard to know.
Assuming this was a nation-state attack by North Korea, was it an Act of War? Well, we have a legal definition – actually, many.
Under the federal criminal code, 18 USC 2331(4), “the term ‘act of war’ means any act occurring in the course of (A) declared war; (B) armed conflict, whether or not war has been declared, between two or more nations; or (C) armed conflict between military forces of any origin.” So it doesn’t meet that criminal code definition. Nor does it meet the criminal code definition of an act of terrorism, which is “activities that (A) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State; (B) appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; …”
The United Nations Charter and various documents refer both to Acts of War, and the broader term “acts of aggression.”
General Assembly Resolution 3314 defines an “act of aggression” as, “the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.”
So was this the use of “armed force?” Well, it used the DPRK’s “armed forces” but whether it was an “armed” force depends on whether “armed” includes armed with guns and tanks, or armed with code and software. Since the Resolution was adopted in 1974, I am going to take the bold step of asserting that they weren’t thinking of that at the time.
But the list of things that constitute “aggression” is not exhaustive. The short answer is, the actions of North Korea (if indeed it is North Korea) are an act of war if we want it to be.
During the Cold War (and today) the Soviets (Russians) would frequently make incursions into our airspace (and vice versa) to test our defenses and responses. An act of war? An act of aggression? Or just a Thursday afternoon? It depended on how we wanted to respond to it.
Calling the North Korean actions an “act of war” has political, societal, social, diplomatic and legal consequences.
First, it mandates some kind of response by the government. Interestingly, politicians in the U.S. have been demanding a response by the U.S. government even though this was an attack on a Japanese corporation (albeit a US subsidiary).
We don’t see politicians in Japan demanding a response by the Abe government. Perhaps the best responses would be for the US government to seize North Korean related assets and provide for a “restitution fund” for victims of the attack – that is Sony Pictures Entertainment. We did this before with victims of the Iranian hostage crisis.
Another possible US response would be to go to the United Nations to condemn the acts of aggression by North Korea. This would have the advantage of helping to define what acts of “cyber-aggression” are prohibited.
It would also have the advantage of providing a forum for the U.S. government to set out its evidence that North Korea was responsible. It’s not Adlai Stevenson, but I can imagine Ambassador Power calling out Ambassador Pak at the General Assembly (“don’t wait for the translation; yes or no.”) on North Korea’s responsibility for the attacks. Of course these actions would have the disadvantage of requiring the US to lay out its (classified?) evidence against North Korea, and the possibility of a tepid response by the U.N. Or worse.
An aggressive one. One that would define “cyberwar” in ways that would limit the U.S. government’s possible responses to other situations. Sometimes ambiguity is better. It would also require much stronger attribution than we have right now. Before you go to war, you kinda want to make sure that you are going to war with the right people for the right reasons. Remember the Maine? Or the USS Maddox? Or the yellowcake uranium? To quote Young Frankenstein’s Inspector Kemp, “A riot is an ugly thing und once you get one started there is little chance of stopping it.” Same for a war.
Of course there are other options against North Korea, from an actual, boots on the ground kinetic war (hardly likely) to additional sanctions (bombing rubble?) to a US sponsored cyber attack against the upstart regime. (“You realize, of course, this means war!“). So the U.S. government would attack the North Korean government over a movie. And a silly one at that.
But calling this an act of war has consequences for Sony itself. Of course, Sony could claim that it had no duty to its employees or investors or other possible plaintiffs to prevent an act of war.
After all, they are required to have “reasonable” security – not the kind of security necessary to prevent a nation state sophisticated actor from engaging in warfare. We put doors and locks and alarms on office buildings to respond to thieves and criminals – not to prevent the DPRK Army from getting in.
Problem is, this attack, while sophisticated, was probably the kind of attack for which companies should be prepared. I am not prejudging whether or not Sony was negligent in allowing the attack to occur or in its response thereto – that’s a factual and legal question. Just that an APT is a reasonable thing to expect these days.
But the problem for Sony is that its insurance policies may not cover its losses if these losses are considered to result from an Act of War.
Sony likely has a bunch of different insurance policies covering a bunch of different things. It may have General Liability insurance – but those policies typically carve out (the term is “exclusion”) coverage for cyber-related losses.
It may have cyber breach insurance, but those policies may be geared toward the typical cyber breach – stolen credit cards or personal data – not things like stolen trade secrets, embarrassing emails, or demands by foreign dictators that a movie you just spent $45 million to produce should not be released.
Typically, studios will take out specialty insurance like that offered for example by CHUBB insurance. The policy description says that it provides “protection against loss caused by malicious programming, whether the attack is initiated from inside or outside the company.” That’s cool.
So what about insurance against a psychotic dictator demanding that a movie not be released or he will disclose embarrassing e-mails? Not so clear.
While policies may protect against acts of governments or military, this typically deals with issues like a coup d’état forcing cancellation of filming or government seizure of production equipment during filming. Extortion by a foreign intelligence agency? Devil is in the details.
Most insurance policies refuse to indemnify losses for what is called “Force Majeure” – things beyond the control of the insured.
This typically includes Act of God, Acts of Terrorism, and Acts of War. So when hijackers took a Pan Am plane, the insurance company refused to pay for damages claiming it was an Act of War or Act of Terrorism.
When a US service member was killed during the Korean Conflict, this resulted in a battle between his life insurer who claimed the death was not covered because it occurred during a time of war, and the family who claimed that there was no legally defined war.
The law deals with concepts like “act of war” or “time of war” in strange ways. For example, federal law exempts liability for carriers’ dumping of toxic materials if this occurs due to an Act of God or an Act of War.
When the USS Vincennes shot down an Iranian Airbus airliner and the relatives of the passengers sued in US courts, the court had to determine whether the shooting in the Persian Gulf occurred during a “time of war” despite no formal declaration of war.
Of course, we are currently at war with North Korea anyway – the 1953 armistice between the nations being nothing more than a cease-fire, and one that North Korea has declared invalid. In 2002, when the Russian government seized a shipment of frozen food, the U.S. exporter’s insurance company refused to pay a claim for damages citing a “war exclusion clause” in the insurance contract.
Similarly, when a Panamanian company’s assets were seized by the Panamanian military during the U.S. “Operation Just Cause,” the company’s insurance company declined coverage for the losses because it was during a war.
So it is possible that the actions of the Korean People’s Army are both an “act of war” and one that occurred during a “time of war.” And that’s not good for Sony.
Calling the cyber attacks an act of war may mean that Sony can’t recoup its losses for investigation, response, loss of reputation, or even the costs of not distributing The Interview (including potential lost profits). It depends on what the insurance policy says, and how it is interpreted.
Lesson learned – re-read your insurance policies. Today. And that lesson applies both to the insured and the insurance company.
The bottom line here is that companies must be prepared for a panoply of potential attacks – hackers, thieves, disgruntled employees, hacktivists, and yes, nation-state actors. We’re going to need a bigger boat.