Over the past few days, Net Politics has been examining the top five developments in cyber policy of 2014. Each cyber policy event has its own post, explaining what happened, what it all means, and its impact on cyber policy for 2015. In the final post of this series, the Sony hack.
In the cyber world, 2014 ended with a bang. What was initially thought to be some mischievous hackers breaking into Sony Pictures Entertainment’s networks for the "lulz" evolved into a full-fledged diplomatic incident, in which the White House publicly attributed the intrusion to North Korea, characterized the incident as a "serious national security matter," and promised a proportional response.
First, a timeline and the facts. It all began on November 24 when a Reddit user asserted that Sony’s networks had been breached by a group calling itself Guardians of Peace (GOP). A few days later, NBC News reports that the FBI is investigating the intrusion and raises the possibility that North Korea was involved given that it had previously expressed outrage over Sony’s movie "The Interview," which depicts the assassination of Kim Jong-Un.
On December 8, the GOP, in a message accompanying the release of internal Sony documents on Pastebin, demands that Sony not release The Interview. Later, the group threatens "9/11 type attacks" if the movie is shown. The threat prompts major U.S. movie outlets to refuse to show the movie, and Sony shortly halts its release.
On December 17, the New York Times reports that senior administration officials have concluded that North Korea was "centrally involved" in the Sony incident. Two days later, the FBI issues a press release that concludes that the "North Korean government is responsible" for the intrusion into Sony’s networks, as well as the destruction of some of its data and hardware. President Obama, in his end-of-year news conference, promises a proportional response to the hack and criticizes Sony for pulling the film. Sony then reverses its decision and releases the film in select theaters and online. In an interview with CNN a few days later, President Obama says he doesn’t consider the hacking of Sony "an act of war" but rather "an act of cybervandalism." Senator John McCain rejects the characterization: “It’s more than vandalism. It’s a new form of warfare.”
Perhaps coincidentally, North Korea disappears from the Internet days after Obama’s press conference. The State Department refuses to comment on the disappearance, but Marie Harf, a State Department spokeswoman, tells reporters, "Some [responses] will be seen. Some may not be seen." The United States also reportedly asks the Chinese government for help with North Korea, but public statements from Beijing are noncommittal. On January 2, 2015, the United States levies sanctions on North Korea and cites the action as one element of its proportional response.
Many cybersecurity experts have expressed doubt that North Korea was indeed behind the hack. Marc Rogers, the head of security at DefCon, the annual computer security conference, claims that a Sony insider such as a disgruntled employee is more likely to have caused the damage given the hackers’ extensive knowledge of Sony’s networks. The cyber intelligence company Norse briefed the FBI on evidence they say points to collusion between an unhappy insider and a hacker group. What is clear is that the United States intelligence community has access to information that they’re not disclosing, allowing them to draw conclusions based on classified information. The FBI’s statement, for example, refers to "sensitive sources and methods." This has led to some criticism of the intelligence community’s "just trust us" approach, which has failed them in the past.
The Sony hack highlights how, even after years of discussion, most of the fundamental policy and operational issues for cybersecurity policy remain unanswered. When does a cyberattack rise to the level of an armed attack? Must it cause death and destruction, or is it enough to destroy data, degrade systems, and intimidate? When should the government be involved in defending the private sector? Only when the attacks are directed at critical infrastructure? When they steal advanced technology and threaten economic security? Should the United States government respond because the Sony hackers damaged approximately two thirds of the studio’s computers and servers or because the attack limited free speech? Can you deter a cyberattack? What is a proportional response to a cyberattack? Fines and sanctions? Knocking North Korea offline? The list of uncertainties and ambiguities goes on.
The hack will be a catalyst for congressional hearings, but they are unlikely to generate enough momentum and political will to break the logjam over information sharing and industry regulatory standards that have bedeviled the debate over cybersecurity policy (and it is not clear better information sharing would have made much of a difference in the Sony hack). The Obama administration will double down on its efforts to develop international norms of cyberspace, talking with friends and others about what constitutes an attack and how states can respond. The United States has recently been pushing for three norms:
- states should not conduct cyber operations that damage critical infrastructure;
- states should not conduct operations that prevent Computer Emergency Response Teams (CERTs) from operating; and
- states should coordinate with others requesting help with attacks.
None of these describe what happened with Sony, but they are a start.