By now, almost everyone is familiar with the attack on Sony and the fallout that ensued over the Christmas holidays. The data exfiltrated from Sony’s digital coffers included all sorts of intriguing tidbits to keep drama flowing over the holidays, such as: studio execs’ hatred for Adam Sandler, allegations of abuse on the set of American Hustle, possible racism towards Denzel Washington (who they can continue casting as much as they like as far as I am concerned), and George Clooney not actually being a cyber security expert, but playing one on TV.
With this kind of dirt kicked up in the wake of the Sony attack, it would be easy to think this attack to be the work of an overzealous fan of TMZ rather than that of a hostile nation that enjoys threatening the United States with nuclear holocaust on a semi-regular basis and whose usual work looks more like this. Indeed, it would be tempting to think of the Sony attack as more along the lines of digital mischief than international espionage, until the apparent motivation of the attack became seemingly clear – stopping the release of the Sony film, The Interview.
The Interview, as most know, is a fairly juvenile film sporting lackluster reviews (53% on Rotten Tomatoes) in which the CIA approaches two reporters to assassinate Kim Jong-un. One can see in the Google search trend graphs that, when compared to other Christmas release films, The Interview was not faring well even after the initial data loss, and search interest was flat when compared to interest in Unbroken and in last year’s The Wolf of Wall Street. Thanks to the Sony cyber attack coupled with “terrorist threats” against theaters, release cancellation, and finally a selected release in mostly smaller theaters, The Interview went from a film that seemed to be dead on arrival to a film that not only had a pulse, but actually drew a fair amount of interest.
Now, I am not willing to go so far as to suggest that the Sony attack was a planned public relations stunt as has been suggested by many. Make no mistake, Sony has suffered as a result of the data that has been leaked. Some of that has been in the form of lost or diminished value of intellectual property (specifically related to pre-release films that were stolen and posted online). Other losses cannot be quantified, particularly those with respect to lost good-will in working relationships that comes with the airing of dirty laundry. Though the PR stunt theory is intriguing, I cannot see Sony going that far simply to save one floundering film; it would be the Hollywood version of cutting off the nose to spite the face.
Nevertheless, this creates a context in which it becomes easy to see potential motive for other parties to be involved, and where others may have more to gain from Sony’s embarrassment than North Korea. This seems to be bolstered by the fact that many in the security community are seeing evidence that the exfiltration of data may have been an inside job. Bruce Schneier has a good article sifting through some of the various viewpoints as well as a previous article discussing some of the possible attribution scenarios, for those who are interested in delving further. The technical details of who attacked Sony are really beyond the scope of my concern at the moment.
The primary fact of interest is that despite the FBI’s continued insistence that North Korea is directly responsible for the Sony attack, many very capable members of the information security community are not thusly convinced (including this shredding of the FBI’s initial statement). Put another way, we have a very big problem with attribution. We think we know that North Korea is responsible, but do we really trust the FBI’s determination both in light of previous intelligence failures in recent American history and in the face of so much skepticism from within the information security community?
This might not be such a big deal… yet.
President Obama, despite some rather harsh rhetoric, has been pretty emphatic that (assuming you buy the North Korean involvement in the first place) this is not an “act of war,” but instead an act of “cyber-vandalism.” This, I believe, is the most alarming thing about the Sony attack and its attribution to North Korea, whether right or wrong. We are now making judgments about whether or not cyber attacks on corporations constitute acts of war.
Fortunately, the President’s position on this question seems to be reasonable, but there are two things to consider. First, we must consider that the next attack may not be so easy to dismiss. A major cyber-attack on military systems, some government systems, and possibly some civilian infrastructure (like power generation) could create legitimate pretext to launch military operations in real life. Secondly, we must also consider a changing political environment and that the next President of the United States might have a lower threshold for what constitutes an “act of war.”
It may well turn out that North Korea is indeed responsible for the attacks on Sony. Then again, it may turn out that North Korea is a scapegoat and that The Interview has been nothing more than a red herring for garden-variety cyber-punks.
What is certain is that we really don’t know who is responsible, and with the rhetoric swirling around the Sony attack that is a scary thing. Not so much because the rhetoric is dangerous in this particular case, because North Korea and the U.S. are both given to hyperbole when addressing one another. No, what is scary is that we seem to lack the ability to identify cyber-attackers with a high degree of certainty, and eventually this will be a problem when the inevitable day comes that Americans are gearing up for a war that began with a digital Pearl Harbor. When that day comes (and it will) we have a responsibility to be certain we are gearing up for war against the correct guilty party. Proper attribution becomes imperative when the stakes are nothing short of war.
Featured Image: Collage of American and North Korean flags (Wikimedia Commons) and Promotional Artwork for The Interview (Copyright, Sony Pictures; use believed to fall under Fair Use Doctrine).