Now that the devastating cyber attack on Sony has been declared to be the result of an attack by North Korea, there are a couple of serious questions to be answered:
- Is North Korea actually responsible?
- If North Korea is responsible, is this an act of war?
Now, I have no inside knowledge on the FBI (and probably NSA) investigation, so everything here is pure speculation. Getting attribution right is damn difficult in cyber attacks! It is very difficult because:
- Cyber weapons can be used by a wide range of actors. For example, the weapon could have been created in North Korea but used by someone else. This is no different from blaming the US if someone used one of the tanks we sold to another country to do harm.
- Cyber weapons can be “launched” from anywhere on the internet. Unlike conventional weapons, you can’t necessarily follow them back to the source. In this case, where massive amounts of data were stolen, finding out who received the data would be a huge clue.
- The nature of cyber weapons makes it easy to lay down a false trail. For example, if you want the Russians blamed, borrow some of their code and hire a coder who knows Russian. If you really want to blame someone else, have the stolen data go to them. Want to blame the Brits? Have the stolen data land on a server in London.
Simply put, you can’t trust much of the evidence you collect during an intrusion investigation. You must do a whole separate analysis of whether you can believe the evidence before you, and you may not be able to make a determination.
The only fool-proof way of attributing an attack is to match a wide range of evidence, including spies within the guilty government, and then capture the digital fingerprints coming out of their hacking organization. You almost need to have an insider in their hacking group who could provide you written evidence that they did it. Anything else might be compelling, but it is more likely to be circumstantial at best and intentionally misleading at worst.
I suspect the FBI and the NSA understand the challenges of attribution and would not have gone public with such accusations without solid evidence. I don’t know how much filtering of the evidence has taken place from the front-line analyst to the President, but let’s hope that all of the uncertainty caveats floated to the top (no Iraqi WMD otherwise).
Did North Korea do it? Personally, and without any specific insight, I doubt it. Here’s why I believe so:
- Based on news reporting, it looks like the attackers would have needed detailed inside information to be so successful… this is more consistent with a disgruntled Sony employee than North Korea. North Korea could have infiltrated Sony, but why?
- If North Korea had this level of capability, why use it to stop a movie from being released? They are a country constantly preparing for war, and I doubt they’d show off this capability to South Korea or the West. Doing so gives South Korea and the US time to harden the systems required to conduct war against North Korea.
- I’d like to think that during the discussion within North Korea on doing this, someone spoke up and mentioned that this might backfire. I didn’t want to see The Interview until this happened. Now I want to see it just to piss off the hackers.
- While no one claims North Korea to be a “rational actor”, following the attack with a threat to attack moviegoers at the theaters is beyond stupid for a Nation State. What once was a mere act of sabotage is quickly elevated to something where a Nation State response would be called for. To go after a company you disagree with is one thing, but to threaten to murder innocents crosses the line for a Nation State capable of sending snipers into America. Now, if it was a hacker group without any such capabilities, this threat could be considered a hoax and an empty threat, and perhaps not taken as seriously.
I really don’t know if North Korea did it or not. If they did, it was a stupid move on their part. Maybe they did it and they are stupid, or maybe someone has set them up to take the fall.
Let’s now look at whether this is an Act of War. No, it wasn’t. At least I don’t think it was. I’ll admit that I’m not a lawyer with expertise in international conflicts, so maybe I’m off on this. But here’s why I think it wasn’t an Act of War.
- The attack was on a company and not on any Government institution. The company selected is an entertainment company and not an American vital interest (like a power company for example).
- The attack wasn’t even an act of terrorism. It was not designed to influence the behavior of the US Government, but of a single corporation. For it to be terrorism, they have to be trying to influence the behavior of the US Government. Now, if someone besides North Korea is trying to frame North Korea, then you might be able to argue that it is trying to influence the US Government’s behavior towards North Korea.
- Nothing in the attack suggests that it is an attempt to topple the US Government. It appears that their goals were limited to stopping the distribution of a single movie. Maybe we’ll learn more later and there is a bigger goal here that hasn’t been seen yet, but so far it was just Sony.
Now, you’ll notice that I didn’t include “because North Korea denied doing it”, and that is because it is hard to believe anything coming out of North Korea, even if it is true. Their propaganda is so strong, who knows anymore what is true and what is a lie.
So, what is this? It is:
- A wake-up call to corporations that haven’t thought themselves a target in the past. Why should Sony have top-notch cyber security? It is only an entertainment company. Well, now we know why.
- A criminal act that should be treated as such. Don’t give these attackers any more clout than they deserve. They are criminals. Let’s not raise them to be the next all-powerful terrorist organization that casts a shadow on our Country for the next twenty years.
- A case for strong encryption throughout the enterprise. If all they got was an encrypted blob, then it would have been bad, but not devastating. Design your systems with this attack in mind: what if this data were stolen?
- A reminder that you shouldn’t put something in email that you don’t want to be made public. If you really need to have a discussion on how bad famous actors are, call a meeting or get on the phone. If you write it down in an email it will never go away.
- If this was an inside job, it highlights why a good work environment for the IT staff is important. Now do you understand the power they have? If you have a staff you can trust, then this wouldn’t happen. It also reminds you that you should have corporate processes in place to see who may be a disgruntled system admin, and to quickly remove that person’s access if there is suspicion that they may be planning something like this. Not a fool-proof approach, but more likely to catch someone before the big hack than doing nothing at all.
I’m hoping that they catch these criminals soon. I’d like to know with some confidence who did it and why. Was this a prank gone overboard? Was a hacker inspired by North Korea responsible? Was this actually done at the direction of North Korea? There are a lot of unanswered questions that remain. Perhaps the FBI has a better understanding and maybe even some answers. I wish them the best of luck bringing them to justice.
Even if the FBI is convinced that North Korea did it, I think we should agree to their joint investigation. What an interesting experience that would be, and we might get some real insight into their cyber forensics capabilities. Who knows, if they didn’t do it, maybe they could actually help us find the actual culprits. Or maybe it would be something akin to a show trial. In any case, if it happens, will someone please make a movie out of it. I have to wonder what studio will pick up the movie rights to Sony’s experience?