Not even a week has gone by and my blog on the Monkey Cage/Washington Post about the hack of Sony by North Korea is already likely outdated. North Korea’s cyber team dubbing themselves the Guardians of the Peace vowed to make Sony “Remember the 11th of September 2001”. This threat appears to have motivated Sony to remove The Interview from circulation, capitulating to demands. This might be the first actual effective use of cyber coercion, ever.
This is a big statement, I am basically arguing that until now, there has never been a cyber action that has led to a change in perspective by the target given coercion by the aggressor. For various reasons, cyber actions are almost never effective in changing behavior. They either are too muted (Russia towards Estonia), the target is too hardened (almost any attack against US or Israeli Government sites), or the actions are just not effective enough to push opponent to give in (Stuxnet and Iran).
If we accept that this is the first effective use of cyber technology in order to get a target to change behavior (there might be other instances, an issue I will cover), there is a deeper question of why this action was effective. The real reason seems to be a combination of the effectiveness of the attacker but also the weakness in the target. Sony was a soft target, they have been hacked before and warned recently that their networks were vulnerable. No network is ever safe, but a network with a directory listed as “passwords” is likely a ripe target for attackers. This event did not happen because the United States was weak, but because Sony itself was weak.
Even more problematic for the coercion narrative is that Sony would likely have wished to release the movie anyway. Their behavior did not change because of what North Korea did in cyberspace, but because the distributors and chains that would put the movie out gave in and capitulated. Sony’s own internal errors were important in the chain of events that led us here, but more importantly distributors like Regal, AMC, and Carmike feared retaliation by North Korea.
Why shouldn’t a chain distributing the movie be fearful? If Sony cannot protect itself, who can? For one, this was a quick cave in by the retailers. They could have waited and prepared, if you know an attack is coming it is much more likely that it can be avoided given a sufficient amount of preparations. More importantly there is strength in numbers. If multiple chains and theaters released the movie to the tune of over 2,000 screens, North Korea would have a lot of targets to go after. While the companies who gave in might be indicating that they are giving in to North Korea’s demands, more importantly they are also admitting their own weakness and insecurity in their networks. They didn’t just wave the white flag, everyone just basically admitted the gates are open.
The effectiveness of the attack has more to do about the nature of the target rather than the nature of coercion. I intend to undertake a comprehensive study examining the goals of every cyber action we have coded and judge the goals and if they were achieved. We really need to understand the nature of possible effective uses of cyber tactics. Right now my conclusion would be that this attack was successful in changing behavior because the target was not Government, not prepared, and completely decentralized. While combined they might be powerful, these distributors felt isolated and vulnerable.
There are two clear tasks, one the United States needs to develop more effective means of collaboration among private industry in the cyber world. Until now, companies have been hesitant to share information and resources. Hopefully this attack will push private companies to realize that it is in their interest to work together. The other task is the response by the United States. This action cannot go forward without a response. While punishment likely will not deter a determined actor in the future, it can have important consequences on states who choose to support cyber terror. Allowing this action to go forward only reinforces the idea that there is a spot just below massive attacks that is allowed by governments. Don’t do too much damage and we will leave you alone, that is the message so far.
So the question remains, was I wrong? Have the bad guys really won as a commentator noted on BBC radio? Will The Interview go down as one of the biggest failures in Hollywood history all because the movie was never released? Unlikely, the audience will move to Video on Demand. Outraged Americans will buy the movie on principle alone, adding to the already interested and engaged teenage and young adult audience. It is likely that Sony hoped to make 60-80$ million on this comedy farce. They may not make that much at the box office but the VOD results will be interesting and likely unprecedented. Sony still might come out as the winner by cutting out the middle man and distributing the movie itself, if it dares.
As always, for more info consult my forthcoming book on these topics, Cyber War versus Cyber Realities