After weeks of speculation about who was responsible for the hacking of Sony, U.S officials are telling the press that North Korea was "centrally involved."
Why the government now feels confident in revealing this remains uncertain. David Sanger and Nicole Perloth speculate that the NSA may have penetrated North Korean networks. The Washington Post reported last year, based on documents leaked by Edward Snowden, that the United States had placed "covert implants" in tens of thousands of computers, routers, and firewalls. Three quarters of these cyber offense operations were conducted against potential adversaries such as China, Iran, Russia, and North Korea. For many security experts, however, the reliance in the reporting on unnamed sources will not close the book on attribution. Publicly known facts about the hack do not make attributing it to North Korea a slam dunk (Kim Zetter lays out the attribution mess here. Marc Rogers, a cybersecurity expert, lays out his doubts here).
If it was North Korea, the attribution may be the easy part. Actually coming up with a proportionate, effective policy response will be much harder. North Korea is already heavily sanctioned by the international community. Previous cyberattacks on South Korea, ascribed to the North, were met with no retaliation. The United States will have a difficult time coordinating with Japan. Tokyo is engaged in delicate negotiations over Japanese citizens abducted by North Korea and will not want any actions that may provoke a response from Pyongyang.
Any policy response will require a clear-eyed assessment of what the attacks were and what damage they caused. They have clearly damaged Sony’s business and reputation, but Newt Gingrich is wrong.
No one should kid themselves. With the Sony collapse America has lost its first cyberwar. This is a very very dangerous precedent.
— Newt Gingrich (@newtgingrich) December 17, 2014
This is an attack on the economic interests of one company. It is not cyber war—attacks that cause death or physical destruction that threaten national security interests. The combination of the cyberattacks and the threats of violence directed at theaters showing The Interview, the movie about the assassination of Kim Jong Un that has enraged North Korea, may be terrorism, but the cyberattacks alone are not "cyberterrorism." They destroyed data, but breaching Sony’s networks did not create political violence for political interests.
While pundits and government officials often describe cyberattacks as happening at "network speed," it is worth noting that this attack and its response are developing over weeks. The hackers were in Sony’s networks for a long time, and the White House’s public statement leaves a great deal of wiggle room for naming the culprit and for the type and timing of a response:
The U.S. government has offered Sony Pictures Entertainment support and assistance in response to the attack. The FBI has the lead for the investigation. The United States is investigating attribution and will provide an update at the appropriate time. The U.S. government is working tirelessly to bring the perpetrators of this attack to justice, and we are considering a range of options in weighing a potential response.
The decision to provide updates at the "appropriate time" and consider a "range of options" is an important reminder that attribution is as much a political question as it is a technical one. Cyberattacks happen out of sight for all except the attacker and the victim (and it may take the victim a while until they realize what it going on). Sony, the U.S. government, the hackers, and North Korea all make public comments that shape the narrative of the event and change the decision making calculus of the other actors. In the early days of the investigation, most of the actors would have had their reasons to leave attribution ambiguous. Sony’s decision to pull the movie from theaters greatly increases the pressure on the United States to react. U.S. officials will want to prevent others from thinking that they can achieve their goals through cyberattacks. But to do that, they will have to find a way to punish those behind the attacks. We will have to see if that is possible.