Sony and North Korea: Making the Case
December 5, 2014
The world of espionage is murky and uncertain. Cyberspace, given its links to espionage, shares these characteristics. This troubles many scholars, who would prefer certainty and clear, easily discernible responsibilities for action, such as public statements that would say the Russian government was responsible for Estonia and the American government was responsible for Stuxnet. This is not how the world works.
The recent incident with Sony is another example of the predominance of ambiguity over certainty. We are not presented with conclusive evidence on responsibility or intent, but we can identify a sequence of known events and can decide what best explains them. These events are:
• Sony produces a comedy on the assassination of North Korea’s leader, who is accorded god-like status by his subjects. The North Koreans are displeased with this and say that Sony will suffer retribution.
• Sony is hacked: data is erased, personal information of Sony employees is posted online, and several unreleased Sony films are posted on the internet for illegal download. The posting of personal data is suggestive. The norm is for personal data obtained through breaches to be sold by the hackers; in this case, it was made public, suggesting that profit was not the primary objective of the hackers.
• Some of the malicious code contains Korean language elements, suggesting that the programmers were Korean or, possibly, non-Korean programmers who learned Korean and wrote it into the code to confuse efforts at attribution.
• The Sony incident is very similar to earlier actions taken against South Korean banks and television stations. These incidents were attributed to North Korea, which had threatened the South Korean media outlets with retribution for some perceived slight against North Korea’s leader.
• No one has taken credit for the incident, but several days after the attack, an unnamed North Korean source denied that it was responsible for the Sony action.
This is the information that is publicly available. As with Estonia and Stuxnet, even when it is aggregated, this does not meet rigorous academic or legal standards of proof, but holding to these standards is a recipe for paralysis. In examining the data, there are three possible explanations:
1. This was an act of retribution by the North Korean government similar to previous acts of retribution against South Korean media outlets. The action against Sony is consistent with previous North Korean cyber “attacks.”
2. Activist South Korean programmers were responsible.
3. Activists outside Korea were responsible, learning enough Korean to confuse matters.
In 2009, less sophisticated denial of service attacks were used against U.S. and South Korean government agencies. The perpetrators have never been identified and no one has claimed responsibility, although both North Korea and South Korean activists were suspects. The attacks against Sony were more sophisticated, had a clearer potential motive, are consistent with past North Korean activity, and are similar to the attack against Saudi Aramco used by Iran, with whom North Korea has some relationship or consultative nexus on unconventional weaponry. This is by no means conclusive, but it is suggestive. We know that North Korea, beginning under the previous leader Kim Jong-il, has invested in developing cyber capabilities and official South Korean sources say these capabilities, while not yet very advanced, have been used perhaps six times by the North for political purposes.
One possible explanation would note that the Sony incident follows a predictable trajectory. In 2004, North Korea was unhappy with the comedic representation of Kim Jong-il in the film “Team America,” but lacked the ability (or perhaps sufficient intent) to retaliate. In 2009 and in the years since (notably April 2013), North Korea has used cyber “attacks” against South Korean targets for political purposes. Hacking Sony, if North Korea is responsible, shows consistent progress in cyber capabilities and a new willingness to use hacking against targets outside of North Korea.
Iran has similarly used hacking to make a political point against U.S. companies, as has the Syrian Electronic Army. Russia has also skillfully used cyber activities for political purposes, albeit not against U.S. companies. The list of countries – North Korea, Iran, Syria, and Russia – is telling. These countries largely lie outside the reach of jurisprudence and have demonstrated their disregard for international norms of behavior. This is unlikely to change any time soon. In the interim, companies have a new source of risk to both reputation and data assets. Corporate planning should include planning for how to continue and restore operations after a cyberattack, how to create redundancy in essential data and, of course, how to ensure that at least minimal standards for cybersecurity are being met. Sony offers an easy test. Companies can ask how long it would take to restore operations if something similar happened to them.
Sony has few legal options for response. The U.S. government response is limited by the great range of sanctions and other punitive measures already placed on North Korea for its nuclear activities, but there are responsive actions that could be taken that fall below the level of the use of force (North Korea already complains that the United States has hacked its computer networks). Public condemnation faces the problems of both evidentiary limits and the residue of the Snowden leaks, which still make it hard for the United States to take the role of the injured party.
Global norms on responsible state behavior in cyberspace are emergent, but as with nuclear weapons, there will be a few countries that ignore them. For now, this means that what is needed is more attention to cyber defense by companies and more planning by states on how to respond both overtly and covertly.
James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2014 by the Center for Strategic and International Studies. All rights reserved.