Five questions (and answers) about North Korea and the Sony hack

It seems like Sony was hacked either by North Korea or its affiliates over the forthcoming release of the movie “The Interview.”  The story will remain in the news because of the high profile of the infiltration, but also because of volumes of juicy gossip found within the troves of information released. Just what does this event mean for the dialogue surrounding cybersecurity, and what can international-relations research say about the event?

1. Who is responsible – attribution in cyberspace?

Too much is made of attribution issues in cyberspace; there is little doubt that North Korea was connected to the attack, even if it did not conduct it directly. The problem is not in attributing blame, but in attributing blame with evidence. There is just too much doubt with cybersecurity issues because it is nearly impossible to catch a government in the act of cyber malevolence unless it admits to it.

In the cybersecurity field, we do not have an attribution problem; we have a plausible-deniability problem.  It is not that any cyberact is a mystery, given the great context of international events and history, but that cyberattacks can be conducted by a few individuals and those individuals can be disavowed by governments. Even punishing individuals who conduct attacks will do little damage to the country that orders the attacks. In a world where evidence is key to conviction and guilt, we will always be hampered by the limits of blame in the cyber field.

2. What was the impact of the attack?

As devastating as the infiltration was to Sony's daily business, just what was the impact? Computer security experts assert this attack will cost Sony more than $100 million. Sony needs to hire a forensics team, repair and rebuild its networks, protect them in the future, and hire several public-relations firms to cover the action. This will all add up and be costly, but just how costly will it be in the long run?

I heard many people say earlier that they were interested in “The Interview,” but many have given in to watching movies when they appear on streaming services. Since the cyberattack, more than a few people have told me that they will see “The Interview” in the theater, and I feel the same way. While the action was costly, the publicity this brought the movie would be tough to estimate. I would think Sony now has a very massive and global hit on its hands, the exact opposite of what North Korea might have intended. Often in cybersecurity, the means never achieve the ends. Most of the time the complete opposite happens, and in trying to shut the movie down, North Korea probably crafted a global movie event.

3. Is cyber conflict a new domain of war?

Many have suggested that cybersecurity is the fifth domain of war — after land, air, sea, and space.  The problem with that framework is that in reality, cyber-conflict concerns operate not at the level of war, but a bit below that, in the context of espionage and infiltrations. These are old domains that are becoming dominated by digital concerns now, but this in no way suggests a shift in the methods, processes and contexts of warfare, or even diplomacy for that matter.

North Korea argues that the hack on Sony was a “righteous deed” and a response to an act of war and terrorism by Sony and the United States. Yet North Korea’s response is not to escalate diplomatic tensions at the border or threaten nuclear action like in the past, but to hack the networks of the company making a film that Pyongyang finds terribly offensive. Cyber aggression is a dangerous method to utilize as leverage against international issues, yet if this is the result, no matter the cost to Sony, then we may actually be witnessing a positive development with the advent of cyber-tactics. If these tactics are mostly restrained from doing severe damage (a line of argument I advance throughout my empirical cyber research), this might be a step forward on the diplomatic battlefield.

4. Who should be blamed?

Obviously, North Korea has taken things a bit too far in being insulted by a movie it probably has not even seen, but in preparing for the potential offensive age of cyberwarfare, we have missed dealing first with critical defensive issues. Our networks are not really secure, especially nongovernment-based systems.  Sony had a directory listed as “passwords” with hundreds of social media and other types of accounts simply saved on an external hard drive. While the forced move back to the age of paper and pens has been devastating for the company, it will recover and probably thrive in the future.

Investigating the forensics of the action will take a few more weeks and months, but it is likely that the infiltration happened because of both internal errors and the persistence of the attacker. There is really no such thing as a secure system, but there are things one can do to boost protection. Redundancy, resilience and backup networks, as well as decentralization, are all tactics that need to be used by important government branches and corporations. One attack took down Sony’s entire network, but these things do not happen to companies active in vigilantly protecting their networks. That this has happened before to Sony, with the 2011 PlayStation hack, only suggests that it has a serious problem.

5. Why is it important to moderate cybersecurity claims?

In the field of cybersecurity, we have a very definite task of moderating claims and hype around the cybersecurity discourse. Currently the debate revolves around a division between cyber-skeptics and cyber-revolutionists. The problem is that this frame is wrong. There really is no such thing as a cyber-skeptic.  There are mainly people skeptical of the transformative claims about the domain of cybersecurity. Instead the real division is between what might be called cyber-moderates and cyber-revolutionaries. A cyber-moderate wishes to consider the nature of cyber-dynamics given the reality of the threat. If the Sony hack really had a limited impact and only reinforced the perception that the North Korean regime was just a bit more than a little insane, what changes with cybersecurity? In fact, this attack appears to be just more of the same by North Korea using new methods. What does this mean for cooperation and conflict in the global system? These are the questions that should motivate the cybersecurity discourse, not inflated claims of revolution and change.