It is healthy to be a cynic sometimes. Taking information as it is handed out as fact is dangerous. The goal should be to investigate, to interrogate the nature of our beliefs as they meet the facts and context to settle on some wisdom as to what actually happened. The problem with the emerging narrative on the Sony hack is that in the convergence of evidence and cynicism, some still side with the idea that North Korea did not perpetrate an attack on Sony’s networks.
The Sony hack was perpetrated by either the North Korean government itself or by its third-party proxies. There is really no doubt about this. It’s not that we need to accept U.S. government sources on this or the FBI, but the context of the attack leaves little doubt. This is often the flaw in the logic of the cybersecurity narrative. The engagement of cybersecurity issues often is done completely devoid of knowledge of the wider international security processes of the time. Dissecting the case against North Korea with little reference to history, culture, or capabilities leaves much of the story out.
North Korea had the motive, the means, and the ability to carry out the attack on Sony. It has been repeated quite a bit that North Korea would be insane to attack Sony’s networks. The assumption is that this sort of hack could be done only by someone who does not correctly calculate the costs and benefits of his actions. I would not suggest that North Korea is insane or irrational, only that we misunderstand its intentions and objectives surrounding the issue. In international relations, events do not happen without some sort of push surrounding a salient issue. For North Korea, questions of the status and prestige of its leader are paramount. When tasked to avenge the harm done to its leader, there is little question that North Korean operatives know exactly what their county wants and needs in terms of a response. The oft-repeated trope to save face fits here, but it might be even more important to examine this issue under the avenging-wrongs framework.
North Korea hacked Sony to avenge the wrongs it felt were done by the corporation, an entity it feels is directly connected to the U.S. government. No matter that within the trove of information released shows no direct connections between the U.S. government and the plot and writing of the movie The Interview. For the North Koreans, there is a direct line between the government and Sony. Since their hacking abilities do not extend beyond the capability of attacking private industry, they struck out at Sony, not the U.S. government.
This brings us to the means; the North Koreans have shown ability before, but not in attacking governments, in attacking private industry. Last year’s attack against South Korean banks and media corporations only reinforces these points. North Korea is not weak if we were to rank states by cyberpower. This was not a complicated hack against Sony, but it was novel and exhibits the trends developing in the field as the technology is used by nation-states. The Sony hack delivered a combination methods used in past hacks against the South Korean corporations, the computer wipes initiated against Saudi Arabian oil industry in the Aramco attack likely by Iran, and the public relations information dumps of WikiLeaks and the Snowden leaks.
Adding all this together, the remaining question is whether North Korea had the ability. Some say this attack had to be perpetuated by a Sony insider since the attacker grabbed so much information and seemingly understood the company’s systems. This conjecture assumes too much about a lone disgruntled operative. A lone disgruntled operative whose only demand seems to be to ask for money but to give no suggestions about how much, how it can be delivered, or when? While reports are correct to note that the movie The Interview was not mentioned with the first threat, back in June North Korea warned that it would seek revenge for the movie, which it considered an act of war and terrorism. North Korea often threatens to turn its enemies’ cities into a “sea of flames” and nothing comes of it. But it’s entirely possible, even likely, that this time it made good on its promise, in a way.
If this was a disgruntled employee, he or she is really bad at setting demands and achieving ends. South Korean intelligence claims that North Korea has 5,900 cybertroops. It is not tough to assume that at least a small percentage of these people are capable of gathering enough information about Sony and its employees online to be able to penetrate, map, and dissect Sony’s networks. This counters the most convincing claim about the nature of the attack, that there was too much knowledge and insider information about the corporation for North Korea to do it. Hire 100 capable hackers and you can pretty much map any corporation, given enough time. We must remember that this was not a sudden operation; one security firm says that its analysis of the malware suggests the hackers lurked within the Sony network for months.
It is often said the biggest reason cyberattacks are so dangerous is the attribution problem—the difficulty of assigning blame. This misstates the issue a bit too much; we have not an attribution problem but a plausible deniability problem. By nature, cyberattacks are carried out by small teams of operatives working off-site and off the books. There will never be a smoking gun with a cyberattack, but we know exactly who did this. Catching them red-handed and in the act is impossible; the only thing possible would be to wait for hubris on the side of the state perpetuating the attack or finding financial links between the groups committing the action and governments. In the end, the only real clues we have are the wider geopolitical landscape and the nature of the issues dividing countries. To truly understand cybersecurity, we must understand the nature of the conflicts that are endemic to the international system.