National Security Expert: Why North Korea Should Be Held Responsible for Sony Hack (Guest Column)

Kim Hacking Illo - P 2014
Illustration by: John Ueland

Kim Hacking Illo - P 2014

Writing for The Hollywood Reporter, cyberlaw attorney and former Homeland Security policy official Stewart Baker argues that North Korea — despite its denials — is the likely culprit and calls for action: "If we do nothing, the next attack will be worse"

This story first appeared in the Dec. 19 issue of The Hollywood Reporter magazine.

I've spent much of my career studying computer intrusions, and I don't have much doubt that the attack on Sony Pictures was North Korea's doing.

Every day produces more evidence. First we learned that many of the tools, and even the fonts, used in the attack resemble those used in a destructive cyberattack against South Korean banks and television stations last year. That attack has been persuasively tied to North Korea. What's more, there aren't a lot of hackers in Anonymous or similar groups that compile their programs in Korean, as seems to be true of those who wrote the malware used against Sony.

Read more Sony Hack: North Korean Diplomat Reportedly Denies Country's Involvement

Then North Korea issued a remarkably self-incriminatory denial of responsibility on Dec. 7, claiming that the attack might have been "a righteous deed of [North Korea's] supporters and sympathizers." On Dec. 8, hackers parroted North Korea's main complaint about the film The Interview, demanding that Sony "stop immediately showing the movie of terrorism." (For those who see the leaks as the work of a Sony insider, it's worth noting that the two scenarios aren't mutually exclusive. Japan is home to hundreds of thousands of North Korean sympathizers — descendants of Koreans brought to Japan before 1945 — whose loyalties the government has long cultivated.)

North Korea is one of two countries that have pioneered the use of hacking not for spying but for punishment. The North's attack on South Korean banks was aimed at destroying data, not just stealing it. In addition, Iran is suspected of using malware to destroy Saudi oil industry computers and of using botnets to bring down the websites of American banks. To be blunt, these two countries are testing how far they can go in harming U.S. companies without provoking American retaliation. If the attack on Sony is connected to them and goes unanswered, companies and groups whose speech offends these countries — and, soon, Russia and China — will face the same treatment.

Read more Sony Execs Reportedly Debated Risk of 'The Interview' Before Hack

It's a serious dilemma for the Obama administration, which is still largely paralyzed by lawyers and diplomats arguing that the U.S. cannot act against these regimes' cyberattacks, either because we don't have proof beyond a reasonable doubt or because a counterattack would be "asymmetric" — a fancy way of saying North Korea can get along without computers a lot better than we can.

Even so, we can't shrug off the Sony attack. Once the evidence is collected and clearly connected to North Korea, we need an innovative way to hurt Kim Jong-un without triggering a full-on hacking war. We need, in short, the kind of creativity that Hollywood has in spades. If this attack was meant to suppress The Interview, perhaps the best way to deter future attacks is to make sure the attack backfires.

Maybe Sony should give the Defense Department 1 million DVDs of The Interview to drop on Pyongyang from balloons. Or perhaps it should sponsor a contest for the best original short that uses outtakes from The Interview and has a small enough digital footprint to be smuggled into North Korea on a cellphone.

Well, OK, maybe there are better ways to show national resolve than to send in Seth Rogen. But one thing is clear: If we do nothing, the next attack will be worse.

Read more Sony Leaders Give Rousing Anti-Hacking Pep Talk at Studio Holiday Party

Stewart Baker is a Washington-based cyberlaw attorney with Steptoe & Johnson and a former assistant secretary for policy in the Department of Homeland Security.