We all survived, the great hacking scare of 2014 is almost over. On November 22, North Korea or its operatives attacked Sony’s networks over the movie The Interview. In what is normally a quiet holiday period of writing and copy editing, I got caught up in the events surrounding the Sony hack and tried to engage the media.
The issue is that engaging the media and the ongoing public debate is borderline insane. Events move so quickly, it is hard to keep up. Other commentators are more than willing to go on the news and say borderline dangerous things like we are at a state of war with North Korea.
I really wish the whole time I had been on a plane and avoided this whole mess, problem is it’s important, both as our responsibility as academics to engage the debate with some analytic rigor, but also to the institutions that pay us to promote the work we do. At least the movie was good and had my favorite line about rivalry relations in a movie so far, Franco to Jong-un “A friend does not blow up another friend’s country.”
What follows is a series of posts, op-eds and pieces I have written in the last few days. We start with an op-ed the Glasgow media office asked for on Thursday (December 18th) and placed in Scotland’s Herald on December 20th, 2014. The media outlet ran this in print but not online (something I did not know still happens…)
———————————————
Capitulating to Cyber Coercion: Sony and North Korea
The fallout from the hack on Sony over two weeks ago continues. North Korea’s cyber team dubbing themselves the “Guardians of the Peace” vowed to make Sony “Remember the 11th of September 2001”. This threat appears to have motivated Sony to remove The Interview from circulation on Christmas Day, capitulating to demands.
This might be the first example of effective use of cyber coercion, ever. This is a big statement; I am basically arguing that until now, there has never been a cyber action that has led to a change in perspective by the target given coercion by the aggressor. For various reasons, cyber actions are almost never effective in changing behaviour. They either are too muted (Russia towards Estonia), the target is too hardened (almost any attack against US or Israeli Government sites), or the actions are just not effective enough to push the opponent to give in (Stuxnet and Iran).
If we accept that this is the first effective use of cyber technology in order to get a target to change behaviour, there is a deeper question of why this action was effective. The real reason seems to be a combination of the motivation and skill of the attacker but also the weakness in the target. Sony was a soft target; they have been hacked before and warned recently that their networks were vulnerable. No network is ever safe, but a network with a directory listed as “passwords” is likely a ripe target for attackers. This event did not happen because the United States was weak, but because Sony itself was weak. Even more problematic for the coercion narrative is that Sony did not change because of what North Korea did in cyberspace, but because the distributors and chains that would put the movie out gave in and capitulated. Sony’s own internal errors were important in the chain of events that led us here, but more importantly distributors like Regal, AMC, and Carmike feared retaliation by North Korea.
Why shouldn’t a chain distributing the movie be fearful? If Sony cannot protect itself, who can? For one, this was a quick cave in by the retailers. They could have waited and prepared. More importantly there is strength in numbers. If multiple chains and theatres released the movie to the tune of over 2,000 screens, North Korea would have a lot of targets to go after. The companies who gave in are admitting their own weakness and insecurity in their networks. They didn’t just wave the white flag; everyone just admitted the gates are down.
The effectiveness of the attack has more to do with the nature of the target rather than the nature of coercion. We really need to understand the dynamics of possible effective uses of cyber tactics. Right now my conclusion would be that this attack was successful in changing behaviour because the target was not a government organization, not prepared, and completely decentralized. While combined they might be powerful, these distributors felt isolated and vulnerable.
There are two clear tasks for governments, including the United Kingdom. The first is the need to develop more effective means of collaboration among private industry. Private companies have been hesitant to share information and resources. Hopefully this attack will push private companies to realize that it is in their interest to work together. The other task is the response; the action cannot go forward without a response. Allowing this action only reinforces the idea that there is a spot just below massive attacks that is condoned by governments.
Will The Interview go down as one of the biggest failures in Hollywood history all because the movie was never released? Outraged Americans will buy the movie OnDemand on principle alone. Sony still might come out as the winner by cutting out the middle man and distributing the movie itself, if it dares…
Brandon Valeriano is a Senior Lecturer at the University of Glasgow. His forthcoming Oxford University Press book on cyber conflict is entitled Cyber War versus Cyber Realities.
———————————————-
The above was written before the FBI’s attribution and Obama’s threat. The following unpublished op-ed was written Saturday (12/20) after a few media appearances and revised Monday (12/22). I then sent it out to major news organizations under Oxford direction.
At first the publisher’s PR office was going to shop the op-ed but the Christmas season led them to suggest I just do it myself. As I have experienced quite often in the past, that never works out well and blind submissions almost always fail (except for Foreign Affairs strangely enough).
———————————————-
Confronting Cyber Coercion? Engaging Our Cyber Conflict Future
President Obama has vowed that the United States will respond proportionally to the cyber hack launched by North Korea against Sony Pictures. While the action by North Korea (or its allies) is certainly unprecedented in effect, it is not dramatic in scale. The attack only combined a series of previously seen methods used before against South Korea and Saudi Arabia to loot Sony’s networks and steal volumes of information. So much information was taken it is bizarre that Sony did not even seem to notice until long after the theft. Which leads to the main issue, the focus should not be on cyber retribution and the offense, but defensive security first.
Corporations only now seem to be waking up to the enormous threat they face from cyber criminals, including attacks by nation-states. That Sony Playstation Network was attacked in 2011 should only have alerted the company to the problems they potentially could face. While it was not Sony’s choice to pull the movie The Interview, the distributors did that by buying into a vague threat, Sony’s own errors only gave distributors some idea of the scale of attack they could face if they went ahead and put the movie out. Sony became an unwitting example of the worst imaginable cyber attack on a private company.
The point should be not to respond, but to increase coordination between private industry and government. Many bills have been proposed (and failed) that might encourage reasonable and voluntary cooperation between vulnerable private industry and government operatives. Prioritizing the defense and coordinating efforts to manage ongoing attacks should be the first priority.
Even if there is going to be a response, which there should be in some form, the idea of a proportional cyber response is wholly unrealistic. First, the United States needs to resist the further militarization of cyberspace. The domain should remain focused on commerce, education, and research, not militarized attacks. Second, a proportional response is impossible in cyber actions. Computer networks are so entangled with civilian systems, it would be impossible to only target North Korean government and military sectors. What is more problematic is the vulnerabilities in Sony only highlight the biggest problem with cyber retaliation, our cyber weapons can be used right back against the attacker. By striking back we would only become more vulnerable.
There is not much the United States can do to pressure North Korea. Certainly efforts can be made to cut the flow of electronic materials into North Korea through border countries and to limit the ability of North Korean cyber teams to work within foreign borders such as China and Thailand, but beyond this there is not much more the United States can do to the already isolated country.
The real question is how the action was received in the U.S.; many take it as an attack on basic American freedoms. That the internet has become so important and ubiquitous so quickly is concerning. As a society we need to rethink the nature of our cyber dependency and wean ourselves away from the networks we hold so dear. It is only through this step that we can have the proper reaction to such basic forms of infiltrations and destruction as seen in the Sony hack. It was not an act of war, but an act of chaos and the target acted exactly as intended.
It may be that we have entered a new era where a digital attack can change the course of public events, but the real nature of the threat is more to the online connectivity we hold so dear. Defense first, with managed coordination between private industry and government are the needed steps in reaction to this issue rather than retaliation that only invites escalation and falls into the trap set.
Brandon Valeriano is a Senior Lecturer at the University of Glasgow. His forthcoming book, Cyber War versus Cyber Realities will be published by Oxford University Press.
———————————————-
Two hours after I sent the above, it was noted that North Korea’s networks went down. The suggestion was that this was the response that Obama alluded to. I did not think this too likely, but in any case, the entire op-ed was now out of date in a matter of minutes of submitting it so I adjusted the opening to deal with the new reality but still kept the main thrust of the argument. The following piece was written on Dec 23rd.
———————————————-
Confronting Cyber Coercion? Hacking Back Against North Korea
President Obama has vowed that the United States will respond proportionally to the cyber hack launched by North Korea against Sony Pictures and for many, the assumption is the U.S. achieved its goal by shutting down North Korea’s internet for over 9 hours Monday into Tuesday morning. The problem is that it is unlikely the U.S. perpetrated this attack and the action masks the deeper problem with cyber retaliation, there is too much restraint in operations for retribution to really work.
The Distributed Denial of Service (DDoS) attack against North Korean networks was unlikely to be done by either the United States or China. For one, the attack was too basic and simple for it to be the work of governments. It is like using a shotgun to kill a fly. The idea of flooding the internet connections of North Korea to shut it down for only a few hours is a method of little sophistication and minimal effect. If the goal was to punish North Korea for the attack on Sony and make them think twice about doing it again, shutting down the internet for less than half a day is almost literally the least that can be done. Speculation that it was China’s way of acceding to the demands of the U.S. government is even more dubious, why use the DDoS method when China could literally pull the plug on the internet?
The attack on North Korea’s networks really obscures the two main issues dictating the course of the cyber security debate. There is a need for defense first before the U.S. moves towards a response and the limitations of retribution in the cyber security domain.
Corporations only now seem to be waking up to the enormous threat they face from cyber criminals, including attacks by nation-states. That Sony Playstation Network was attacked in 2011 should only have alerted the company to the problems they potentially could face. While it was not Sony’s choice to pull the movie The Interview, the distributors did that by buying into a vague threat, Sony’s own errors only gave distributors some idea of the scale of attack they could face if they went ahead and put the movie out. Sony became an unwitting example of the worst imaginable cyber attack on a private company.
The point should be not to respond, but to increase coordination between private industry and government. Many bills have been proposed (and failed) that might encourage reasonable and voluntary cooperation between vulnerable private industry and government operatives. Prioritizing the defense and coordinating efforts to manage ongoing attacks should be the first priority.
Even if there is going to be a response the idea of a proportional cyber response is wholly unrealistic. The United States needs to resist the further militarization of cyberspace. The domain should remain focused on commerce, education, and research, not militarized attacks. What is more problematic is the vulnerabilities in Sony only highlight the biggest problem with cyber retaliation, our cyber weapons can be used right back against the attacker. By striking back we would only become more vulnerable.
There is not much the United States can do to pressure North Korea that it is not already doing. Certainly efforts can be made to cut the flow of electronic materials into North Korea through border countries and to limit the ability of North Korean cyber teams to work within foreign borders such as China and Thailand.
The real question is how the action was received in the U.S.; many take it as an attack on basic American freedoms. That the internet has become so important and ubiquitous so quickly is concerning. As a society we need to rethink the nature of our cyber dependency and wean ourselves away from the networks we hold so dear. It is only through this step that we can have the proper reaction to such basic forms of infiltrations and destruction as seen in the Sony hack. It was not an act of war, but an act of chaos.
It may be that we have entered a new era where a digital attack can change the course of public events, but the real nature of the threat is more to the online connectivity we hold so dear. Defense first, with managed coordination between private industry and government are the needed steps in reaction to this issue rather than retaliation that only invites escalation and falls into the trap set.
Brandon Valeriano is a Senior Lecturer at the University of Glasgow. His forthcoming book, Cyber War versus Cyber Realities will be published by Oxford University Press in April.
———————————————-
It seems more and more likely that the United States did not bring down North Korea’s networks. Good to be on record for stating this early, but in any case the above op-ed never made it to print.
In the meantime, Slate asked me for a piece about skepticism that North Korea did the attack in the first place. As a cyber “skeptic” this is probably exactly what I should have written in the first place. It appeared in its copy-edited and typeset form here on Dec 23, the same day it was submitted.
While opinion seems to be growing that North Korea did not perpetrate the attack on Sony, no real evidence has been given for this idea beyond the basic statement that the attackers did not make a demand about the movie at first. That there was a demand a few days later, and that assuming rationality in demands by a covert hacking group defies rationality itself, seems to be unnoticed by skeptics.
In any case, the credibility of the government is not too high given the events of 2003. My confidence that North Korea did perpetrate the initial hack on Sony has not wavered one bit.
———————————————-
Did North Korea Do It? Confronting Cyber Skepticism
It is healthy to be a cynic sometimes. Taking information as it is handed out as fact is dangerous. The goal should be to investigate, to interrogate the nature of our beliefs as they meet the facts and context to settle on some wisdom as to what actually happened. The problem with the emerging narrative on the Sony hack is that in the convergence of evidence and cynicism, some still side with the idea that North Korea did not perpetrate an attack on Sony’s networks.
The Sony hack was either perpetrated by the North Korean government itself or by its third party proxies. There is really no doubt about this. It is not that we need to accept U.S. government sources on this or the FBI, but the context of the attack leaves little doubt. This is often the flaw in the logic of the cyber security narrative. While the term security is embedded in the concept, the engagement of cyber security issues often is done completely devoid of knowledge of the wider international security processes of the time. Dissecting the case against North Korea with little reference to history, culture, or capabilities leaves much of the story out.
North Korea had the motive, the means, and the ability to carry out the attack on Sony. It has been repeated quite a bit that North Korea would be insane to attack Sony’s networks. The assumption is that this sort of hack is only done by someone who does not correctly calculate the costs and benefits of their actions. I would not suggest that North Korea is insane or irrational, only that we misunderstand their intentions and objectives surrounding the issue. Issues are critical in international relations; events do not happen without some sort of push surrounding a salient issue. For North Korea, questions of the status and prestige of its leader are paramount. When tasked to avenge the harm done to its leader, there is little question that North Korean operatives know exactly what their country wants and needs in terms of a response. The oft repeated trope to save face fits here, but it might be even more important to examine this issue under the avenging wrongs framework.
North Korea hacked Sony to avenge the wrongs they feel were done to them by the corporation, an entity they feel is directly connected to the U.S. government. No matter that the trove of information released shows no direct connections between the U.S. government and the plot and writing of the movie The Interview. For the North Koreans, there is a direct line between the government and Sony. Since their hacking abilities do not extend beyond the capability of attacking private industry, they hit out at Sony, not the U.S. government.
This brings us to the means; the North Koreans have shown ability before, but not in attacking governments, in attacking private industry. Last year’s attack against South Korean banks and media corporations only reinforces these points. North Korea is not weak if we were to rank states by cyber power. This was not a complicated hack against Sony, but it was novel and exhibits the trends developing in the field as the technology is used by nation-states. The Sony hack delivered a combination of methods used in past hacks against the South Korean corporations, the computer wipes initiated against Saudi Arabian oil industry in the Aramco attack likely by Iran, and the developing public relations information dumps of Wikileaks and the Snowden leaks.
Adding all this together, the remaining question is if North Korea had the ability. Some say this attack had to be perpetrated by an insider since North Korea grabbed so much information. This conjecture assumes too much about a lone disgruntled operative. A lone disgruntled operative whose only demands seem to be to take down the movie The Interview and some vague ask for compensation. If this was a disgruntled employee, they are really bad at setting demands and achieving ends. South Korean intelligence claims that North Korea has 5,900 cyber troops. It is not tough to assume that at least a small percentage of these people are capable and able to gather enough information about Sony and its employees online to be able to penetrate, map, and dissect Sony’s networks. This counters the most convincing claim about the nature of the attack, that there was too much knowledge and insider information about the corporation for North Korea to do it. Hire 100 capable hackers and you can pretty much map any corporation given enough time.
It is often said the biggest reason cyber attacks are so dangerous is the attribution problem. This misstates the issue a bit too much; we do not have an attribution problem but a plausible deniability problem. The nature of cyber attacks lends them to small teams of operatives working off-site and off the books to launch dangerous attacks. There will never be a smoking gun with a cyber attack, but we know exactly who did this. Catching them red handed and in the act is impossible; the only thing possible would be to wait for hubris on the side of the state perpetrating the attack or finding financial links between the groups committing the action and governments. In the end, the only real clues we have are the wider geopolitical landscape and the nature of the issues dividing countries. To truly understand cyber security, we must understand the nature of the conflicts that are endemic to the international system.
Brandon Valeriano is a Senior Lecturer at the University of Glasgow. His forthcoming book, Cyber War versus Cyber Realities will be published by Oxford University Press.
———————————————-
So there you go, my last few days in a couple thousand words. I kinda miss writing about normal war, the ebbs and flows of the news cycle are insane.
It still remains that Sony and Microsoft’s networks were hacked and online gameplay was unavailable on Christmas Day and Boxing Day. Service is supposedly returned to normal, but that still leaves attribution. Immediately blame was pointed at North Korea. As one of those that pointed the finger at North Korea for the Sony hack, it is a bit silly to jump to conclusions about this DDoS attack. The group perpetrating the attack both desired retweets and to make it known that they could achieve their goal.
The first attack purely for narcissism? Possibly, but as the BBC article linked above notes, maybe it was not such a bad thing that kids engaged with their families rather than play games online all holiday.