- Share this article on Facebook
- Share this article on Twitter
- Share this article on Email
- Show additional share options
- Share this article on Print
- Share this article on Comment
- Share this article on Whatsapp
- Share this article on Linkedin
- Share this article on Reddit
- Share this article on Pinit
- Share this article on Tumblr
This story first appeared in the Dec. 19 issue of The Hollywood Reporter magazine.
I’ve spent much of my career studying computer intrusions, and I don’t have much doubt that the attack on Sony Pictures was North Korea’s doing.
Every day produces more evidence. First we learned that many of the tools, and even the fonts, used in the attack resemble those used in a destructive cyberattack against South Korean banks and television stations last year. That attack has been persuasively tied to North Korea. What’s more, there aren’t a lot of hackers in Anonymous or similar groups that compile their programs in Korean, as seems to be true of those who wrote the malware used against Sony.
Then North Korea issued a remarkably self-incriminatory denial of responsibility on Dec. 7, claiming that the attack might have been “a righteous deed of [North Korea’s] supporters and sympathizers.” On Dec. 8, hackers parroted North Korea’s main complaint about the film The Interview, demanding that Sony “stop immediately showing the movie of terrorism.” (For those who see the leaks as the work of a Sony insider, it’s worth noting that the two scenarios aren’t mutually exclusive. Japan is home to hundreds of thousands of North Korean sympathizers — descendants of Koreans brought to Japan before 1945 — whose loyalties the government has long cultivated.)
North Korea is one of two countries that have pioneered the use of hacking not for spying but for punishment. The North’s attack on South Korean banks was aimed at destroying data, not just stealing it. In addition, Iran is suspected of using malware to destroy Saudi oil industry computers and of using botnets to bring down the websites of American banks. To be blunt, these two countries are testing how far they can go in harming U.S. companies without provoking American retaliation. If the attack on Sony is connected to them and goes unanswered, companies and groups whose speech offends these countries — and, soon, Russia and China — will face the same treatment.
It’s a serious dilemma for the Obama administration, which is still largely paralyzed by lawyers and diplomats arguing that the U.S. cannot act against these regimes’ cyberattacks, either because we don’t have proof beyond a reasonable doubt or because a counterattack would be “asymmetric” — a fancy way of saying North Korea can get along without computers a lot better than we can.
Even so, we can’t shrug off the Sony attack. Once the evidence is collected and clearly connected to North Korea, we need an innovative way to hurt Kim Jong-un without triggering a full-on hacking war. We need, in short, the kind of creativity that Hollywood has in spades. If this attack was meant to suppress The Interview, perhaps the best way to deter future attacks is to make sure the attack backfires.
Maybe Sony should give the Defense Department 1 million DVDs of The Interview to drop on Pyongyang from balloons. Or perhaps it should sponsor a contest for the best original short that uses outtakes from The Interview and has a small enough digital footprint to be smuggled into North Korea on a cellphone.
Stewart Baker is a Washington-based cyberlaw attorney with Steptoe & Johnson and a former assistant secretary for policy in the Department of Homeland Security.
Sign up for THR news straight to your inbox every day