On November 22 of this year,
employees at Sony Pictures Entertainment were greeted by images of skulls on
their computer screens, and experienced other problems that severely
compromised the company's IT systems.
A message accompanying the hack warned that "secrets" would
soon be disclosed to the world.
The firm was in the last stages of preparing for release on Christmas
Day a film called "The Interview," which includes an unflattering portrayal
of North Korean dictator Kim Jong Un.
Back in June, after the film's planned release was announced, North
Korea called it an "act of terrorism" and threatened consequences if
the film was released as planned.
A group calling itself
"Guardians of Peace" claimed responsibility for the hacks, and
expanded their efforts by revealing reams of private emails and video files of
both released and unreleased films, all stolen from Sony through sophisticated
hack attacks. When the Guardians
issued threats to movie theaters that dared to show "The Interview,"
major theater chains began telling Sony that they would not run the film. Faced with this situation, last week
Sony announced that they were cancelling the release altogether. Sony
executives received a message from the Guardians on Dec. 18 congratulating them
on their "very wise" decision to cancel the release. The FBI has confirmed that the attack
originated from North Korea, which has denied that it has anything to do with
it.
The situation is this: Sony made a movie poking fun at Kim
Jong Un, and Kim Jong Un retaliated with probably the most serious cyberattack
on a non-governmental entity in history.
And he got more or less what he wanted—Sony cancelled the film's
release.
I have not yet seen any
estimates of the monetary damage Sony has sustained in this attack, but it
clearly amounts to many millions of dollars, both in potential revenue lost
from the film's cancellation and in the illegal downloading of other
intellectual property of Sony's made possible by the massive cybertheft
operation. I have also not seen
anyone comment on the Japan-Korea angle of this attack. From 1910 to 1945, what was then the
united country of Korea was essentially a Japanese colony, and forced
conscription and other abuses soured the relationship between the two
countries. Sony is a Japanese
firm, and so there may be a settling of decades-old grudges mixed into this
situation, in which the U. S. assets of Sony are simply a means to an end.
Whatever North Korea's
motivation was, the fact remains that they succeeded not only in a
transnational cyberattack of unprecedented size, but also in blackmailing Sony
to cancel the release of a major film.
Was this a prudent and "very wise" measure on Sony's part, or
an act of cowardice?
I say it's neither. What this situation says to me is that the United States government has failed in this instance to carry out its constitutional obligation to "provide for the common defense."
If North Korea had managed to
shoot a missile across the Pacific and blow up Sony headquarters in Culver
City, everyone would recognize that as a clear act of war in which a state's
boundary was violated and assets destroyed by the concerted action of a foreign
country. But cyberattacks are so new, and their heritage so different from conventional
acts of war, that we have trouble recognizing them for what they are.
As far as Sony is concerned, the
firm has sustained serious damage at the hand of a foreign power. One of the essential functions of
modern states is to provide security for its residents against attacks by
foreign powers. The U. S.
government clearly dropped the ball in the case of the Sony hack. In the absence of any assured forthcoming
protection against similar attacks in the future, I understand why Sony pulled
the picture, and why theater chains refused to show the film. Fears of physical attacks on individual
theaters were probably exaggerated, but now that most movies are digitally
projected and shipped around as bits rather than celluloid, theaters are
potentially as vulnerable as Sony to cyberattacks as well.
Now that the gangster regime of
North Korea has shown it can attack U. S. assets with impunity, it is time to
admit that the U. S. military, or something like it, needs to have a
cyber-corps to defend U. S. citizens and corporations against cyberattack. At present the situation is rather like
the following.
Suppose the U. S. military did a
good job of protecting the country against attacks by land and sea up to, say,
1910. But then, private firms
began flying airplanes, and, wonder of wonders, someone figured out how to drop
bombs from an airplane. Suppose
the U. S. government had said in response to this innovation, "Look, we'll
fight foreign attackers if they cross our borders on land or by sea, but as for
attacks from airplanes, you're on your own. Everybody has to have their own private AD (air defense)
department, and if you're attacked by air successfully, well, we may be able to
tell you where the planes came from, but you just weren't paying enough
attention to your air defense and we're sorry. And the President will badmouth you in a news conference if
you cave to the attacker's demands."
Fortunately, this fictional
history of private air defense didn't happen. The Wright Brothers flew their first flights on U. S. soil,
and America arguably led the world in air defense and attack, which was a major
reason why we won World War II and defeated the international thug and
blackmailer Hitler.
But something like the above
wacko private-AD scenario is going on right now with regard to cyberattacks on
U. S. firms by foreign countries.
The U. S. government is into a lot of things that it probably has no
business being involved in, but if there is one thing almost everyone except
the deepest-dyed libertarians can agree on, it's the fact that defending the
nation against attacks by foreign powers is one of the federal government's
main responsibilities.
We have just seen a
demonstration that at least one foreign power can attack and blackmail a major
U. S. firm with impunity. Perhaps
Sony was low-hanging fruit in terms of cyber security. At least one report mentioned the
possibility that the attackers had some inside information, but spies have been
around ever since warfare has been around, and there are ways of dealing with
them too. The fact remains that
North Korea has revealed a serious vulnerability in our national defense, one
that needs to be addressed with a serious rethinking of what cybersecurity of a
nation really means, and what we are willing to give up in order to have
it.
Unless we want to get used to
the idea that cyber-blackmail by foreign powers is going to become a way of
life in America, we need to wake up to the reality that cyber assets are just
as valuable as brick-and-mortar assets.
And a government that protects one and not the other is simply not doing
its job.
Sources: I relied on two recent reports of the
Sony hack and its consequences, one from CNN on Dec. 19 at http://money.cnn.com/2014/12/19/media/insde-sony-hack-interview/index.html
and another from the BBC at http://www.bbc.com/news/entertainment-arts-30512032. The Wikipedia article "History of
Japan-Korea relations" has some information on the complex backstory of
Japan's dealings with Korea and Koreans.
No comments:
Post a Comment