Monday, December 22, 2014

The Sony Hack And Sony's Response: Caution or Cowardice?

On November 22 of this year, employees at Sony Pictures Entertainment were greeted by images of skulls on their computer screens, and experienced other problems that severely compromised the company's IT systems.  A message accompanying the hack warned that "secrets" would soon be disclosed to the world.  The firm was in the last stages of preparing for release on Christmas Day a film called "The Interview," which includes an unflattering portrayal of North Korean dictator Kim Jong Un.  Back in June, after the film's planned release was announced, North Korea called it an "act of terrorism" and threatened consequences if the film was released as planned. 

A group calling itself "Guardians of Peace" claimed responsibility for the hacks, and expanded their efforts by revealing reams of private emails and video files of both released and unreleased films, all stolen from Sony through sophisticated hack attacks.  When the Guardians issued threats to movie theaters that dared to show "The Interview," major theater chains began telling Sony that they would not run the film.  Faced with this situation, last week Sony announced that they were cancelling the release altogether. Sony executives received a message from the Guardians on Dec. 18 congratulating them on their "very wise" decision to cancel the release.  The FBI has confirmed that the attack originated from North Korea, which has denied that it has anything to do with it.

The situation is this:  Sony made a movie poking fun at Kim Jong Un, and Kim Jong Un retaliated with probably the most serious cyberattack on a non-governmental entity in history.  And he got more or less what he wanted—Sony cancelled the film's release.

I have not yet seen any estimates of the monetary damage Sony has sustained in this attack, but it clearly amounts to many millions of dollars, both in potential revenue lost from the film's cancellation and in the illegal downloading of other intellectual property of Sony's made possible by the massive cybertheft operation.  I have also not seen anyone comment on the Japan-Korea angle of this attack.  From 1910 to 1945, what was then the united country of Korea was essentially a Japanese colony, and forced conscription and other abuses soured the relationship between the two countries.  Sony is a Japanese firm, and so there may be a settling of decades-old grudges mixed into this situation, in which the U. S. assets of Sony are simply a means to an end.

Whatever North Korea's motivation was, the fact remains that they succeeded not only in a transnational cyberattack of unprecedented size, but also in blackmailing Sony to cancel the release of a major film.  Was this a prudent and "very wise" measure on Sony's part, or an act of cowardice?   

I say it's neither.  What this situation says to me is that the United States government has failed in this instance to carry out its constitutional obligation to "provide for the common defense."

If North Korea had managed to shoot a missile across the Pacific and blow up Sony headquarters in Culver City, everyone would recognize that as a clear act of war in which a state's boundary was violated and assets destroyed by the concerted action of a foreign country. But cyberattacks are so new, and their heritage so different from conventional acts of war, that we have trouble recognizing them for what they are. 

As far as Sony is concerned, the firm has sustained serious damage at the hand of a foreign power.  One of the essential functions of modern states is to provide security for its residents against attacks by foreign powers.  The U. S. government clearly dropped the ball in the case of the Sony hack.  In the absence of any assured forthcoming protection against similar attacks in the future, I understand why Sony pulled the picture, and why theater chains refused to show the film.  Fears of physical attacks on individual theaters were probably exaggerated, but now that most movies are digitally projected and shipped around as bits rather than celluloid, theaters are potentially as vulnerable as Sony to cyberattacks as well.

Now that the gangster regime of North Korea has shown it can attack U. S. assets with impunity, it is time to admit that the U. S. military, or something like it, needs to have a cyber-corps to defend U. S. citizens and corporations against cyberattack.  At present the situation is rather like the following.

Suppose the U. S. military did a good job of protecting the country against attacks by land and sea up to, say, 1910.  But then, private firms began flying airplanes, and, wonder of wonders, someone figured out how to drop bombs from an airplane.  Suppose the U. S. government had said in response to this innovation, "Look, we'll fight foreign attackers if they cross our borders on land or by sea, but as for attacks from airplanes, you're on your own.  Everybody has to have their own private AD (air defense) department, and if you're attacked by air successfully, well, we may be able to tell you where the planes came from, but you just weren't paying enough attention to your air defense and we're sorry.  And the President will badmouth you in a news conference if you cave to the attacker's demands."

Fortunately, this fictional history of private air defense didn't happen.  The Wright Brothers flew their first flights on U. S. soil, and America arguably led the world in air defense and attack, which was a major reason why we won World War II and defeated the international thug and blackmailer Hitler.

But something like the above wacko private-AD scenario is going on right now with regard to cyberattacks on U. S. firms by foreign countries.  The U. S. government is into a lot of things that it probably has no business being involved in, but if there is one thing almost everyone except the deepest-dyed libertarians can agree on, it's the fact that defending the nation against attacks by foreign powers is one of the federal government's main responsibilities. 

We have just seen a demonstration that at least one foreign power can attack and blackmail a major U. S. firm with impunity.  Perhaps Sony was low-hanging fruit in terms of cyber security.  At least one report mentioned the possibility that the attackers had some inside information, but spies have been around ever since warfare has been around, and there are ways of dealing with them too.  The fact remains that North Korea has revealed a serious vulnerability in our national defense, one that needs to be addressed with a serious rethinking of what cybersecurity of a nation really means, and what we are willing to give up in order to have it. 

Unless we want to get used to the idea that cyber-blackmail by foreign powers is going to become a way of life in America, we need to wake up to the reality that cyber assets are just as valuable as brick-and-mortar assets.  And a government that protects one and not the other is simply not doing its job.

Sources:  I relied on two recent reports of the Sony hack and its consequences, one from CNN on Dec. 19 at and another from the BBC at  The Wikipedia article "History of Japan-Korea relations" has some information on the complex backstory of Japan's dealings with Korea and Koreans. 

No comments:

Post a Comment