We all know the headlines. The Democratic People’s Republic of Korea, under the personal direction of Supreme Leader (Dear Leader) Kim Jung-Un, launched a sophisticated and devastating attack on Sony Pictures Entertainment (SPE), designed to prevent the release of its motion picture “The Interview” which depicted the assassination of the North Korean leader.
This attack was the first act of cyberwar by a nation-state, and demands immediate and devastating response by the United States – potentially up to and including a military response.
Unless it doesn’t.
I am deeply skeptical about the scenario in which a nation-state, posing as a rogue hacker organization called the Guardians of Peace (the GOP – really?) launches an attack against a Japanese corporation (yes, Sony is a Japanese corporation, and the decisions about whether or not to “pull” the movie would likely have been made by, or in consultation with Tokyo) over a movie. There are too many things that don’t make sense.
And that’s the problem with attribution. It’s hard to do, and critically important. Especially when, as here, all options are on the table. Imagine a screenplay (I have a draft written, SPE) where a nation goes to war with North Korea over a movie.
INT. STARLIFTER CARGO TRANSPORT, DAY
Weary soldiers anxiously mill about. The drone of the jet engines lull some into sleep. A YOUNG SOLDIER takes a drag on an electronic cigarette, while another takes a peek at his best girl’s picture on his iPhone 6 Plus. Another plays a harmonica tune on his iPad.
Ok, Ladies and Gentlemen. Listen up. This is the real deal. War. We’re off to Pyongyang to strike a blow for corporate hegemony forever. Tomorrow is James Franco’s birthday. And years from now, those here will be able to say where they were on Franco’s day. They will strip their sleeve and show their scars. Our children, and their children will not forget, and not one birthday of James Franco will follow but that they will remember this day. For we few, we happy few, we Band of Brothers, and Band of Sisters, (and not the HBO miniseries of that name) for those who shed their blood with me shall be my brother, no matter how creepy you are (and that means you, Brooklyn), and your family, home asleep at the PlayStation 4 will be seriously pissed that they are not here.
Sir. I’m scared. I’ve never been in Mortal Combat before. This is my first Call of Duty. I’ve never been on the Battlefield. Or Battlefield 2. Or even Battlefield Bad Company. I’m not used to Modern Warfare. It’s a Far Cry from anything I have ever done.
Hey kid. Don’t worry. I was in the great VHS/Betamax war of ’78. And the Facebook/MySpace fiasco. It was devastating. Things there got really ugly.
Or something like that. While President Obama has pledged a “proportionate response” to the North Korean hack, there are several unanswered (and possibly unanswerable) questions.
- What if it WASN’T the North Koreans?
There are so many things that DON’T point to DPRK here. First, it’s a stupid thing for a nation-state to do. There’s the old “hammer” problem – if you are a hammer, every problem looks like a nail? If you are predisposed to believe that the attack came from a state sponsor in North Korea (as many in the US Government are) then you will find all the evidence points to North Korea.
For example, the fact that it’s a stupid thing to do, PROVES that it was Kim Jung-Un, because he is an irrational person. It’s like the scene in Life of Brian where Brian denies his own divinity, saying “I’m not the Messiah, would you please listen, I am not the Messiah, do you understand? Honestly!” and a woman in the crowd exclaims, “only the true Messiah denies his divinity.”
Brian shrugs his shoulders and says, “What? Well, what sort of chance does that give me?” Any evidence showing that it was stupid for Kim Jung-Un to be responsible for the attack, well, proves that Kim Jung-Un was responsible for the attack.
So let’s follow Occam’s Razor. What makes more sense objectively? That a brutal, irrational and thuggish dictator would risk his country’s reputation and standing to prevent a silly movie from being shown in movie theaters (and making it look like the actions of a mysterious group called Guardians of Peace), or that a hacker group (or groups) are messing with Sony Pictures Entertainment?
Look at the evidence. Sony’s been hacked a dozen times before – big and small. The initial “demands” of the GOP had nothing to do with the movie “The Interview” and did not demand that it be taken down. The information released was designed to embarrass specific key people at Sony.
It was deeply personal. Like a former employee, or someone with a grudge. The information release showed a deep understanding (OK, a superficial understanding at least) of how Hollywood works, and how to push its buttons. It just doesn’t FEEL like a nation-cyberwar.
Of course to a hammer, this proves it was Kim Jung-Un. Misdirection. That’s just what they’ll be expecting us to do.
But if you are a nation-state, wanting to get a company to stop doing something, and willing to break in and essentially take digital hostages, don’t you WANT attribution? Why do something big and noisy and not take credit for it? Quiet and stealty (think Stuxnet) is the traditional trademark of nation-states. Yeah, yeah. I know. Kim is cray cray.
As Wired’s Kim Zetter pointed out, the initial demands from the hackers (Nov. 21) came from a group calling itself God’sApstls (referenced in the malware too), and stated:
“[M]onetary compensation we want,” the email read. “Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better sandpeoplebehave wisely.”
That really doesn’t seem like the actions of a nation-state trying to prevent a movie from being released. Even the threat of violence, / “remember the 11th of September” is derived from the Guy Fawkes poem, “remember, remember, the Fifth of November…” and of course, the anarchic movie “V for Vendetta.”
I’m not saying the DPRK did not have the motive or ability to do this. Just that it’s very unlikely that they did it in the way described. Or for the reasons described. Or at all. Unless Kim Jung-Un is crazy. Which, to a hammer, proves that he did it, right?
The other evidence pointing to DPRK is flimsy as well. The forensics points to other similar attacks which we attribute to North Korea. Like the attack on South Korean nuclear plants. Similarity does not prove the same actors, and of course, that depends on the fact that we have authoritatively authenticated the DPRK attacks on South Korea and properly attributed them.
The tools used (like a Korean language compiler [actually not a compiler, but close]) simply show that someone was trying to make it look like it came from North Korea. “It looks like Sandpeople did this, all right. Look, here are Gaffi sticks, Bantha tracks. It’s just…I never heard of them hitting anything this big before.”
The embedded IP addresses and other data point to “similar” attacks from which we are inferring that they came from North Korea. Yes, it’s possible. They point to PWN’d computers with various IP addresses – one of which is a laptop in the United States. A possible diversion. Misdirection.
Let’s face it, which is more likely. North Koreans pretending to be hackers, or hackers pretending to be North Koreans? And if each are equally plausible, why go for the one that leads to war?
- What if it IS the North Koreans?
An equally disturbing scenario is that it is, in fact, the DPRK government with a design to attack U.S. companies and critical infrastructure.
I’m shocked, shocked to see that critical infrastructure is vulnerable to attack. By foreign nation-states. That’s because “ordinary” security – the kind that is “reasonable” to expect of a company, is not the kind of security you need to have to prevent a military apparatus from successfully attacking you.
The guns, guards and gates mentality doesn’t cut it when the adversary has Mi-14 and Ka-60 attack helicopters. That private corporations are vulnerable to Advanced Persistent Threats (APTs) is hardly surprising. Even in the critical infrastructure. We can do better. A lot better. But then again, so can the hackers.
A forensics friend who has analyzed the Sony malware has described it as relatively sophisticated software deployed in a very sophisticated way. But certainly not beyond the ken of most hacker organizations.
So for defensive purposes it doesn’t matter if it’s a nation state or a hacker group or an insider. Just make it stop.
But from a government standpoint, it does. What are the laws of cyber-war? What are acceptable targets? Can the U.S. government now attack the Pyongyang Chewing Gum Factory or the Taedonggang Brewing Company in retaliation? Is the Scientific Educational Korea (SEK Studio) which makes children’s animated programs in North Korea a legitimate target? Tit for tat?
Do we go after the Korean government? Sanctions? Military? Bombs? Nukes? What’s a proportional response to an attack that embarrasses U.S. companies? I know one – release a movie that depicts their leader in a farcical manner. Sounds like a job for Gary Johnston and the rest of Team America, World Police.
- Let Loose the Dogs of TEGWAR
There is no Geneva Convention of cyberwar. Attacking the North Korean cyber infrastructure is not only counterproductive, but establishes a precedent that we may not want to live with. Similarly, I can’t imagine a scenario where we appear before the UN to denounce the DPRK over cyber-activities without similarly exposing our own offensive cyber activities and capabilities.
And will this be an “Ambassador Zorin” moment, with Adalai Stevenson bringing charts and photographs of Soviet SAM and ballistic missiles in Cuba, or Secretary Powell appearing before the same body espousing George Tenet’s “slam dunk?” War demands a very high level of attribution.
Before we can declare that North Korea did it, and it violated the rules, we need to prove they did it, and actually have some rules. Right now, Cyber war is TEGWAR” The Exciting Game Without Any Rules. It’s all about perception.
- The Bottom Line
It’s a dangerous world out there. And it’s getting more dangerous. And everyone is a target. This is not FUD. Just fact. The world is NOT coming to an end, though. We’ve been under attack for 30 years. More. And we survive just fine. Most of the time.
Yes, the nuclear infrastructure, the power grids, the dams, the chemical plants, the banking infrastructure, and just about everything else is vulnerable to hacking. Always has been. Always will be. It’s also vulnerable to flooding, power failures, earthquakes, blood, locusts, cattle disease, and slaying of the first-born. Assess risk. Minimize risk. Insure against risk (SONY had 60 million in coverage, probably wants more.)
The actual dollar value harm to Sony may not be that bad. There’s the costs of investigation. Order of magnitude guess – half a million. There’s the sunk cost of making the movie which may not be distributed. Forty million – but it may yet be released, and probably will make more money than it would have (Anonymous is now threatening Sony if it doesn’t release the film!) So we’ll count that as, say a ten million dollar loss.
Then there’s the cost of the lawsuits by employees for failing to protect their data. Problem here is showing monetary damages to the employee. But the lawsuit at least has settlement value in the tens of thousands? Maybe? Reputation cost to SONY? Their stock price is relatively constant, PS4 sales continue, and I defy you to tell me which films you are going to see this holiday season are “Sony” pictures. Short term embarrassment.
Now there’s the reputation of Sony executives. That’s been damaged. Maybe irreparably. Both from the fact of the breach, the muddling and inconsistent response to it, and the contents of the documents stolen and disseminated. And possibly more to come. Priceless. Every CISO at every major company is one breach away from unemployment and banishment. No matter how good or bad they are.
Lesson learned. Look for large exfiltrated files. Encrypt or delete what you don’t need. Don’t say stupid things. Don’t piss off people who are elected by the Electoral College or buy their ink by the gallon. And how you RESPOND to incidents is at least as important as how you attempt to prevent them.
More lessons next time as the story unfolds. And Michael Lynton. Call me about data breaches. And about my screenplay. It’s the bomb.