Now that Sony Pictures Entertainment has cancelled the release of the movie “The Interview” (to the chagrin of the Hollywood cognoscenti) the conventional wisdom is that Sony was eye to eye with the enemy, and Sony blinked.
Assuming that the attacks on Sony’s infrastructure came from the Democratic People’s Republic of Korea (an assumption I am not quite ready to make yet) then North Korea won and Sony lost. After all, Sony caved, the movie isn’t being released, and we are giving in to terrorists.
We can expect cyber attacks to be part of any political or other protest in the future. With the exception of that last statement, the others are not so clear.
1. Is North Korea Responsible for the Attack?
The US government says “yes.” But absent the release of a smoking gun, I’m not so sure. I half expect Secretary Kerry in the U.S. Secretariat shouting at Ambassador Pak Kil-yon, “are there offensive cyber capabilities in Pyongyang? Don’t wait for the translation…”
There are lots of pointers to North Korea. Target (Sony – distributor of The Interview); motive (stop the movie); IP information; compiler information; traffic analysis; spelling and grammar of demands. And I assume the folks in Langley and Fort Meade will have more information.
But they could be wrong. Deadly wrong.
As a former prosecutor, I am used to looking for evidence beyond a reasonable doubt—something we are unlikely to find here. But even so, it’s squirrely. The original attack mentioned nothing about the movie. The original attack demanded ransom. The attacker has been playing into the media – using it to disseminate the purloined information, and playing to the media with threats of mysterious “9-11” attacks if the movie isn’t pulled. Not the kinds of actions you expect from a nation state. Well, not a typical one.
But the dear leader is something of an upstart.
There are other indications that the links to the Democratic People’s Republic of Korea (DPRK) are a “false flag.” The broken English in the ransom and other demands seems stilted and contrived. Babelfish on bourbon. The attack is both stealthy and persistent and noisy and sudden. Not what you expect of a nation-state. There’s a demand for ransom – why would a state do that?
So it’s either a nation-state trying to look like a hacker, a hacker trying to look like a nation-state, or option (c) – none of the above.
Attribution is hard. Very hard. And it matters if we get it right.
2. This means WAR!!
You hear the term “cyber-war” bandied about a lot. Is this action – if conducted by the DPRK military – an act of war?
War, like beauty, is in the eye of the beholder. In other words, it is an act of war if we want it to be. And we may or may not want it to be depending on the politics of the situation rather than the facts or the law.
It’s not typical for a war to break out over a movie. Or over an attack on a company. “Remember the Tom’s of Maine?” or “Yesterday, December 7, a date which will live in infamy, Procter and Gamble was suddenly and deliberately attacked by forces…”
This was the ultimate “thumbs down” movie review. But an act of war? If we treat it as an act of war, that has consequences. And I’m not sure we want those right now. Are we prepared to use the US military to battle over this particular attack? I’m not so sure.
3. Respond
So who responds to this attack and how? If it’s an act of war, then the response can vary from kinetic (bomb ‘em) to cyber (US Cyber Command gets more funding) to targeted attack (go after the DPRK’s cyber capabilities). But at what targets?
DPRK is isolated and mostly dark to the outside. And who attacks – Sony with the USG blessing, or the US government (reminiscent of the Dole Pineapple company in the Spanish-American War)? Do we do so overtly, or covertly? And an overt attack by the U.S. military against the North Korean military is clearly an act of war. So are we willing to go to real honest-to-goodness boots-on-the-ground war over a movie? One that doesn’t even star Jennifer Lawrence?
4. Neville Chamberlain
The Interwebs are lighting up over the fact that Sony agreed to withdraw the film. This is a dark day for creative people, and no studio will ever take a risk ever again.
Remember, the movie theaters themselves were refusing to show the movie, and were worried that showing the movie could put patrons of other movies at risk. And going to the movies is kinda what movie theaters are all about, right?
So, IF this was North Korea, and IF their goal was to get the movie pulled, and if they were willing to dedicate the resources of the North Korean intelligence, military and cyber apparatus, and the politics and prestige of the nation to ensuring that a silly movie not be shown, then yes, it worked. For now.
But in the end, it makes North Korea look weak. And Sony looks like what it is – a victim.
5. Lessons Learned
Final lessons learned. You will be hacked. By people you don’t know and for reasons you can’t fathom. Silly, stupid inexplicable reasons. You won’t be prepared. You are vulnerable. For great damage. That’s the plot of a movie.