Making Sense of the Sony Cyber Attack

A mural of Kim Il-sung, supreme leader of the DPRK from 1948 to 1994, in Wonsan. (High Contrast/Wikimedia Commons)

Despite the existence of previous cyber incidents more severe than the recent attack on Sony Pictures Entertainment, the last month has seen cybersecurity penetrate the American psyche and affect day-to-day news like never before. The involvement of a major movie studio, an anticipated film, two famous actors and a direct effect on moviegoers’ holiday plans have caused fallout from the Sony cyber attack to make national headlines over the last few weeks.

Due to the complex nature of these events, I will provide a timeline before presenting my analysis.

June 20: Sony Pictures Entertainment releases the first trailer for its upcoming comedy The Interview, which depicts an assassination attempt on Kim Jong-un, supreme leader of the Democratic People’s Republic of Korea (DPRK), by American celebrity journalists recruited by the CIA. Kim Myong-chol, executive director of The Centre for North Korea-US Peace and unofficial spokesman for Pyongyang, issues the following statement in an interview with The Telegraph:

“There is a special irony in this storyline as it shows the desperation of the US government and American society. A film about the assassination of a foreign leader mirrors what the US has done in Afghanistan, Iraq, Syria and Ukraine…President Obama should be careful in case the US military wants to kill him as well.”

June 25: Pyongyang releases an official statement promising “merciless retaliation” against the US if The Interview is released. Most notably, the statement contains the following excerpt:

“The act of making and screening such a movie that portrays an attack on our top leadership…is a most wanton act of terror and act of war, and is absolutely intolerable.”

November 24: A month before the scheduled release of The Interview (Christmas Day), Sony suffers a major cyber breach caused by unknown attackers identifying themselves only as the “Guardians of Peace.” Sony employees are unable to access the company’s network, and instead see an ominous image (a large red skeleton making a menacing gesture) on their computers. Personal information, private emails and unreleased movies such as Annie, To Write Love, Fury, Still Alice and Her Arms are compromised in the attack. The attackers begin releasing the sensitive data in large dumps over the next two weeks. Due to the aforementioned statement from Pyongyang over the summer, some pundits speculate that the attack was perpetrated by the DPRK in response to the imminent release of The Interview.

November 28: After spending several days over the Thanksgiving holiday restoring functionality to its network and mitigating public relations damage, Sony begins investigating the possibility that the DPRK was behind the attack.

December 1: The FBI announces that it is also investigating the possibility that the DPRK was responsible for the attack. It issues a warning to US businesses announcing that unidentified hackers have used malicious software to launch a destructive cyber attack against Sony. The statement describes the nature of the attack: the malware involved overwrites all data on the hard drives of affected computers, and even wipes the master boot record (the mechanism that enables computers to boot up). The result of the attack is that employees cannot use their computers at all—they finish the day’s work with pens and paper. The warning concludes by urging companies to contact the FBI immediately if they detect similar attacks.

December 3: An unnamed DPRK diplomat tells Voice of America that the DPRK was not responsible for the attack. The official states: “linking the DPRK to the Sony hacking is another fabrication targeting the country. My country has publicly declared that it would follow international norms banning hacking and piracy.”

December 7: The Korean Central News Agency, a state-run media outlet, issues a statement calling the attack a “righteous deed” but denies any involvement by the DPRK. The statement also says the following:

“We do not know where in America the Sony Pictures is situated and for what wrongdoings it became the target of the attack, nor do we feel the need to know about it. But what we clearly know is that the Sony Pictures is the very one which was going to produce a film abetting a terrorist act while hurting the dignity of the supreme leadership of the DPRK by taking advantage of the hostile policy of the US administration toward the DPRK.”

December 11: The Interview’s West Coast premiere takes place in Los Angeles at a red carpet event. The event is open to photographers, but closed to reporters.

December 15: Two former Sony employees file the first of several class-action lawsuits against the company, alleging that Sony ignored obvious signs that their computer network was vulnerable to attack. The breach exposes tens of thousands of employee Social Security numbers, medical records and personal emails. The plaintiffs also state in their filing that Sony “kept employees in the dark” regarding the extent of the breach for a week after the attack occurred.

December 16: The Guardians of Peace release the following message (note: nonsensical in some places):

“We will clearly show it to you at the very time and places ‘The Interview’ be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”

Immediately following the threat, a number of major theater companies announce that they will no longer be showing The Interview at all, Christmas Day or otherwise. Sony cancels the New York City premiere of The Interview. Homeland Security releases a statement saying that “there is no credible intelligence to indicate an active plot against movie theaters within the United States.”

December 17: In light of the threat made by the Guardians of Peace, Sony announces that it will no longer release The Interview on Christmas Day.

December 19 (morning): The FBI’s National Press Office releases a statement announcing that “the FBI now has enough information to conclude that the North Korean government is responsible” for the attacks on Sony. The FBI’s conclusion, according to the statement, is based on the following pieces of evidence:

  1. Technical analysis of the data deletion malware used in the attack revealed links to other malware that the FBI knows to have been developed by DPRK actors.
  2. The FBI observed “significant overlap” between the infrastructure (hard-coded IP addresses that indicate the origin of an attack, for example) used in the Sony attack and the infrastructure used in other malicious cyber activity that has been linked to the DPRK.
  3. The tools used in the Sony attack displayed “strong similarities” to a cyber attack in March 2013 that the DPRK perpetrated against South Korean banks and media outlets.

December 19 (afternoon): In an end-of-the-year press conference, President Obama says the following about the Sony cyber attack:

“I think they [Sony] made a mistake…I’m sympathetic that Sony as a private company was worried about liabilities and this, that and the other, but I wish that they had spoken to me first.”

Mr. Obama also warns:

“We will respond…we’ll respond proportionally, and we’ll respond in a place and time and manner that we choose…if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like.”

December 21: David Boies, a top lawyer for Sony, says in an interview with Meet the Press that while Sony will not show the movie in theaters over the Christmas holiday, the film will eventually be released.

December 22: For reasons currently unknown to the American public, the DPRK’s entire Internet system fails for about 10 hours. The country’s computer connections were limited to begin with (roughly 1000 IP addresses compared to billions in the United States) and connections to the outside world were available to only the elite, but networks across the country fail nonetheless. Some people speculate that the outage was the result of a cyber counter-attack.

December 23: Sony announces that The Interview will have a limited theatrical release on Christmas Day (roughly 200 independent theaters). Michael Lynton, Sony’s Chairman and CEO, says that the company will continue its efforts to secure more platforms and theaters to show the film.

December 24: Google announces a partnership with Sony whereby users of Google Play and YouTube Movies can rent or buy The Interview on their computers and phones.

December 25-28: More cybersecurity experts begin to doubt that the DPRK perpetrated the attack.

Even the smallest details of the above events are worth noting because of the implications that this saga has for future cybersecurity incidents against both private companies and national governments. Although previous cyber attacks against the US have succeeded – and thousands of unsuccessful attacks occur every day – there has never been an attack that has elicited such strong responses from both the American public and American officials. Furthermore, if indeed perpetrated by the DPRK, then the attack was orchestrated for ideological reasons rather than financial reasons. This fact alone is a new development in large-scale cyber crime.

I will present my opinion on the following questions in this whirlwind of activity:

  1. How confident can we be that the DPRK indeed perpetrated the attack?
  2. Did Sony provide a befitting response for a private company?
  3. Did Mr. Obama provide a befitting response for a US President?
  4. Was the US behind the DPRK’s recent Internet outage?

1. How confident can we be that the DPRK indeed perpetrated the attack?

Despite the ostensible confidence by the FBI in its findings, not enough evidence was released to prove that the DPRK was behind the attack.

Discounting potential motives and past behavior, the situation is still essentially a “he said, she said” situation. The FBI has clearly stated that it believes that the DPRK perpetrated the attack, and the DPRK still denies its involvement. Pyongyang even offered its assistance: “As the United States is spreading groundless allegations and slandering us, we propose a joint investigation with it into this incident…we have means to prove that this incident has nothing to do with us.”

The statement ends with a promise of “grave consequences” if the US rejects the joint inquiry proposal, also noting that the accusations by the FBI have “hurt the dignity of the supreme leadership.”

From a technical perspective, attribution is usually difficult with cyber attacks. The FBI could have a smoking gun, or they could have little actual evidence. The uncertainty stems from the lack of evidence released, and some experts are beginning to question the validity of the FBI’s accusation. Kurt Stammberger, a senior vice president with the cybersecurity firm Norse, said: “We [Norse] are very confident that this was not an attack masterminded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history.”

On December 23rd, two scholars at the War Studies Department of King’s College London published a scholarly paper describing the key challenges in attributing cyber attacks. The authors, Thomas Rid and Ben Buchanan, conducted focus groups with commercial security software vendors and spoke to intelligence officials to survey the state of attack attribution practices. Their paper outlines the process of finding a culprit and communicating that information.

The authors’ first point is about the victim’s ability and willingness to respond to the cyber attack with an investigation. Although seemingly obvious, this assertion raises an interesting question about the FBI’s resources: “The more severe the consequences of a specific incident, and the higher its damage, the more resources and political capital will a government invest in identifying the perpetrators.” The Sony attack was certainly severe enough in terms of reputational and financial damage done to the company (Variety estimates that the company stands to lose $75 million) to warrant a large amount of leeway given by Washington for an FBI investigation of the attack.

Furthermore, the attack struck a nerve with many Americans, who judged Sony’s response as a failure of free speech and an act of censorship. Given the attack’s impact on Sony, as well as the strong emotional reaction from the American public, I believe it likely that the FBI was given adequate resources by Washington to conduct a thorough investigation. Nonetheless, the fast turnaround time (18 days from announcement to conclusion) still raises questions about the investigative methods employed, and calls into question the conclusion that the DPRK did indeed perpetrate the attack. The majority of Rid and Buchanan’s 30-page paper, in fact, deals with the challenging issue of determining who perpetrated a cyber attack. The authors argue that attribution is rarely an open-and-shut case. “On a strategic level, conclusions are further removed from forensic artifacts, and may contain a significant amount of assumptions and judgment,” they write.

The authors’ third point is about communication of the results of an investigation. The FBI’s statement clearly outlines the reasons why it believes that the DPRK instigated the attack, but fails to provide actual evidence. I do not mean to imply here that I think that they should provide evidence, as doing so would jeopardize their sensitive process, but I do mean to say that the lack of evidence is ample cause for numerous experts to question the validity of the result. Rid and Buchanan seem to agree: “Publicising intelligence can harm sources as well as methods,” they write. Unfortunately, there is no easy solution here. The tension between the public’s desire for hard evidence and the FBI’s need to protect its information-gathering process cannot be resolved.

The authors’ final point is about the credibility of all parties involved. As mentioned previously, few can doubt the resources or capabilities of the FBI. The DPRK, though, may be a different story. Is it possible that the DPRK could have executed such a successful cyber attack on American soil? Previous cyber incidents, such as the DPRK’s attack on South Korea, would seem to indicate so, but this question may never be answered definitively.

While arguably lacking capability, the DPRK did not lack motive. The DPRK’s propaganda machine is well oiled; decades of history have shown that the government will go to extreme measures to defend the sanctity of the supreme leadership. Furthermore, The Interview charted new territory: never before has the assassination of a current government official been so prominent. Imagine if a major Russian movie studio had planned to release a comedic movie about the assassination of Mr. Obama on its most celebrated national holiday. Needless to say, there would have been plenty of uproar from the American public; it is not a large leap to say that many would have believed the movie to be anti-Western and anti-American.

Although the threats and extreme statements about war and merciless retaliation seem to be empty, they are threats nonetheless. While it is unlikely that the DPRK would resort to physical violence or acts of war over just The Interview, it is obvious that Pyongyang wanted to send a strong message and assert itself. If the DPRK was indeed behind the attack, then Pyongyang certainly celebrated a wide victory given Sony’s strong response.

2. Did Sony provide an appropriate response as a private company?

As mentioned above, the American public reacted strongly to Sony’s decision to pull The Interview from theaters. Despite the numerous allegations that Sony “let the terrorists win” and “sacrificed free speech,” I believe that the company responded appropriately to the threat.

First of all, a threat with the magnitude and seriousness of the one that Sony received can never be taken lightly. The reference to September 11th alone is an immediate red flag that demands a thoughtful response. The threat by the Guardians of Peace to target movie theaters also triggers an emotional response, given the history of incidents like the Aurora shooting in recent memory.

More importantly, though, we have to remember that Sony is a private company with business interests. Its decision to pull The Interview was not, in fact, a loss for free speech, as so many would like to believe. As a company, Sony received a threat that promised horrible violence and death to moviegoers. Even if the chance of those events actually occurring was slim, Sony made the correct decision. Why endanger the lives of thousands of people and risk the reputational ruin of the company?

Furthermore, the issue was determined by the FBI two days later (after Sony’s decision not to show The Interview) to involve a foreign national government. Do we expect a private American company to have a standoff with the government of the DPRK? Such issues are meant for the American government, not private sector, to decide. Sony had to protect its own interests (not to mention the public safety of moviegoers) immediately.

Finally, it is important to remember that individual movie theaters (both large movie chains and independent theaters) acted even before Sony did. Especially given the unwillingness of theaters to screen The Interview, Sony was wise to avoid risking a humanitarian tragedy.

3. Did Mr. Obama provide a befitting response for a US President?

First of all, the fact that Mr. Obama has been talking openly over the last few days about the DPRK as instigators of the attack seems to indicate that the FBI’s unreleased evidence may be stronger than most experts think it is.

I believe that Mr. Obama’s categorization of the attack as “cyber-vandalism” and not cyber warfare is correct. Despite the strong rhetoric from the DPRK, it is unlikely that the attack was intended as a true act of war. It seemed to be a long-shot revenge attempt on Sony that resulted in surprisingly successful chaos on American soil due to discord between the company and the American people.

The problem with Mr. Obama’s response is that he bought into the public rhetoric that Sony’s business decision to pull The Interview was somehow an act of censorship. This meme is convenient because it provides an easy explanation for an otherwise complex situation. Unfortunately, it is misleading. In an interview with CNN, Mr. Obama said the following: “If we set a precedent in which a dictator in another country can disrupt through cyber a company’s distribution chain or its products, and as a consequence we start censoring ourselves, that’s a problem.”

Again, there is nothing about the situation that involves censorship. Sony made a legal and measured business decision. Unfortunately, Mr. Obama has offered the company little support, while repeatedly vowing a “proportional response” on a national level to the DPRK. The President’s first priority here should have been supporting Sony in its decision to protect the safety of the American people. Instead, he publicly criticized Sony and offered little understanding of the company’s business decision.

This case is an example of having your cake and eating it too. If Mr. Obama wants to categorize the act as cyber-vandalism and make the issue one of censorship, then perhaps the government could have subsidized Sony for some of its losses or supported an online release of The Interview. The main problem here is that the American government left a private corporation with the responsibility to manage the fallout from an attack by a foreign government. Mr. Obama offered nothing himself but a vague and predictable threat.

4. Was the US behind the DPRK’s recent Internet outage?

While some have speculated that the DPRK’s Internet outage was also the result of a cyber attack, this possibility is unlikely. Although Mr. Obama promised a response to the attack, disabling the country’s limited computer connections would hardly qualify as proportional to the attack on Sony. China has also denied its involvement in the outage (the DPRK’s Internet is provided by a Chinese company).

In reality, the DPRK or its Chinese provider may have taken the system offline in advance of a possible cyber threat. It is also possible that independent hackers took down the system. Given the timing of the outage, though, mere coincidence was probably not the cause. Regardless, I think that the outage is unlikely to affect directly any relations or talks between Washington and Pyongyang in the future.

In conclusion, I believe it unfortunate that the narrative regarding the fallout from the Sony cyber attack has been centered on the future of Hollywood and free speech. The lesson to be learned from this situation is instead about the relationship between the private sector and the government in the wake of cyber incidents. In this case, the United States may have set a dangerous example for the future. That a private company is being so widely blamed – by both the public and the American government – for being the victim of an attack ostensibly perpetrated by a foreign government is troubling, to say the least.

The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.


Jeff Grimes

Senior Correspondent Jeff Grimes is a senior at the University of Pennsylvania pursuing dual degrees in Computer Science and Economics, with a concentration in Entrepreneurial Management. He has experience in software engineering, product management, entrepreneurship and app design. Jeff has interned for Google, Facebook, Klout and Foundation Capital. He is an iPhone app developer with three apps published in the App Store. Although he has never studied politics in an academic setting, Jeff enjoys following the news and staying current on issues related to cybersecurity, technology and the Obama administration’s business policies. After graduating in May, Jeff will work full-time for Google as a Product Manager in the San Francisco Bay Area.