By James A. Lewis
12 December 2014
Courts and juries in Scotland can find a person guilty or innocent, but they have a third verdict, “Not Proven,” that falls in between. “Not proven” means, colloquially, we believe they did it but there isn’t enough evidence to conclusively find the suspect guilty or to find them to be innocent. Not proven is a good description of the role of North Korea in the Sony hack. Let’s review a sequence of events:
- Sony produces a comedy about the assassination of North Korea’s leader. The North Koreans are displeased with this and, in July, threaten a “resolute and merciless” response unless the film is banned.
- North Korea complains to the United Nations about the film, calling it “terrorism” (a term also used by the hackers). The DPRK letter to the Secretary General said: “To allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war.”
- Sony is hacked, with data erased, embarrassing emails and personal information of Sony employees posted online, and several unreleased Sony films made available on the internet for illegal downloads. The posting of personal data is suggestive. The norm is for personal data obtained through breaches to be sold by the hackers, but in this case, it was made public, suggesting that profit was not the primary objective of the hackers.
- Some of the malicious code is written in Korean, suggesting that the programmers were Korean or, possibly, non-Korean programmers who learned Korean and wrote it into the code to confuse efforts at attribution.
- The Sony incident is very similar to several earlier actions taken against South Korean banks and television stations, the latest being in April of 2013. While there is again no “conclusive” evidence, the attacks followed public threats by North Korea, erased data, released private information, and disrupted services.
- Several days after an attack, an unnamed North Korean source denied that it was responsible for the Sony action. It is routine for nations to deny covert activities.
- An unknown group makes unspecified financial demands on Sony, which could be a third party trying to exploit the situation, an effort to confuse matters, or a real extortion request.
- A few days later, a spokesperson for North Korea’s National Defense Commission said he did not know the reason for the attack, but called it “a righteous deed” carried out by North Korean “supporters and sympathizers.”
This sequence of events is by no means conclusive, but it is suggestive. Looking at it, there are three possible explanations:
- This was an act of retribution by the North Korean government similar to previous acts of retribution against South Korean media outlets. The action against Sony is consistent with previous North Korean cyber “attacks.”
- Activist South Korean programmers enamored of Kim Jong Un were responsible.
- Activists outside Korea were responsible, learning enough Korean to confuse matters.
We know that North Korea, beginning under the previous leader Kim Jong Il, has invested in developing cyber capabilities and official South Korean sources say these capabilities, while not yet very advanced, have been used perhaps six times by the North against South Korean targets for political purposes.
In 2009, less sophisticated denial of service attacks were used against US and South Korean government agencies. The perpetrators have never been identified and no one has claimed responsibility, although both North Korea and South Korean activists were suspects. The attacks against Sony were more sophisticated, had a clear political motive, and are consistent with past North Korean activity. They are also similar to the attack against Saudi Aramco by Iran, and North Korea has some relationship or consultative nexus with Iran. Hacking Sony, if North Korea is responsible, shows consistent progress in cyber capabilities and a new willingness to use hacking against targets outside of North Korea.
Global norms on responsible state behavior in cyberspace are emerging, but as with nuclear weapons, there will be a few countries that ignore them. Iran has similarly used hacking to make a political point against US companies, as has the Syrian Electronic Army. Russia has also used cyber activities for political purposes. The list of countries—North Korea, Iran, Syria, and Russia—is telling. These countries largely lie outside the reach of jurisprudence and have demonstrated their disregard for international norms of behavior.
Sony is punished, North Korea is pleased, the film’s ending will likely change. Not proven is not the same as innocent, but everyone should draw their own conclusions.