Hack on Sony Pictures highlights key challenges in cyber security and conflict

Comment

The international relations fallout from the hacking of Sony Pictures Entertainment in November 2014 steadily increased through December and into January.

The cyber attack that crippled Sony’s networks ahead of the release of their film The Interview has raised three key issues: characterisation, attribution and response.

The characterisation of the nature or relative seriousness of the Sony Pictures hack has ranged from cyber vandalism to cyber war. In much the same way as the US administration has sought to craft nuanced points of difference between state spying in the form of NSA activities and Chinese cyber espionage for commercial gain, President Barack Obama strategically labelled the Sony hack as cyber vandalism. The characterisation seeks to: highlight the fact that physical harm was not inflicted on humans or critical infrastructure, denigrate the attack as juvenile and unsophisticated and help shape expectations of a proportionate response. However, this underplayed characterisation is likely to pose challenges for managing and understanding cyber threats over the short term. Challenges can arise from treating damage to information systems and data as having less significance than physical asset damage.

Attributing the attack has also created significant challenges. The FBI has indicated that it possesses evidence that suggests the Guardians of Peace, supported by the North Korean government, were responsible for the attack. However, the issues has been clouded by claims North Korea may not have the capacity to sponsor a breach such as that of Sony’s network. A separate investigation by cyber security company Norse found evidence that an insider attack was more likely, and suggested that North Korean involvement was a red herring. Norse’s vice president indicated that the swiftness of the FBI’s announcement identifying North Korea as the perpetrator or source of the cyber intrusion raised red flags for the information security industry.

While government agencies undoubtedly face pressure in an international case such as the Sony Pictures hack to rapidly identify the source of the attack, there are key investigative challenges in positively identifying threat sources that can in some instances mean attribution takes weeks or months. Agencies such as the FBI may also be reluctant to publicly talk about the methods used to identify attackers, particularly when evidence may reveal cyber surveillance capabilities, which in this case may have been NSA capabilities. Furthermore, the identification of non-state actors will often then create the further challenge of showing a relationship between non-state hackers and the state apparatus. The key issue is that justifiable cyber responses, both from a legal and diplomatic standpoint, needs to be grounded in reliable and accurate attribution.

Considerable media opinion and commentary has focused on how the United States should respond to the Sony Pictures hack in the short term and the reforms necessary over the longer term. The US treasury department announced economic sanctions against key North Korean entities – primarily companies involved in weapons sales – in a bid to further restrict North Korean access to US financial markets. It is questionable whether these sanctions will directly impede North Korean cyber capabilities, and are more likely to inflict general economic punishment. When North Korea’s internet and 3G mobile networks were disabled or jammed on two occasion in late December, some analysts suggested that it was a US response to the Sony Pictures hack. Arbor Networks and Dyn Research indicated their analysis found that it was a significant denial of service attack targeting the approximately 1,000 North Korean internet addresses that caused the outage. US officials denied responsibility for the network outage, while Lizard Squad, a hacking collective responsible for recent attacks on Xbox Live, claimed responsibility for the concerted denial of service attack on North Korean addresses.

Outside of the question of proportionately of counter-cyber strikes, there is significant potential for interloping state and non-state bad actors to insert themselves into cyber battlefields and escalate conflicts. The potential for miscalculation in cyber conflict is significant due to the absence of international norms or consensus, lack of shared understanding of relative offensive capabilities and limitations in attribution. As such, the Sony Pictures hack has highlighted far-wider issues than initially apparent.

This assessment is taken from our remote-control warfare briefing for January 2015.