By James A. Lewis
07 January 2015
One of the joys of the internet is that anyone with a keyboard and a connection can be an expert. Opinion substitutes for research. The uninformed debate over the Sony cyber incident is the most recent example of the internet’s limitations. An earlier essay discussed why the evidence pointed to North Korea as the most likely suspect. Since then, the US government has assigned the blame to the North, with the President imposing new sanctions. These are not steps to be taken lightly and suggest a high degree of confidence within the Obama administration as to the North’s culpability.
That, however, was not enough for many “experts.” Some of the skepticism comes from past missteps by the Intelligence Community—from Iraqi WMD to denials of domestic spying—which make suspicion understandable. But those intelligence missteps were driven by political motives: intelligence information released to win public support for a questionable course of action.
There is no similar motive in the Sony case. In fact, the domestic audience is largely irrelevant. A reasonable skepticism, reinforced by the internet community’s penchant for conspiracy theories, a general lack of knowledge about intelligence processes and a surprising absence of even basic knowledge about the North, has led to a loud but vacuous debate over who else could be responsible. Let’s look at some of the alternatives offered:
- Progressive activists, suddenly enamored of Kim, leapt to his defense without the usual press releases these groups issue to claim credit.
- Unknown Sony insiders, completely independent of North Korea, undertook the actions.
- The US itself, to distract attention from the CIA torture report. (A British expert proposed this on a BBC program—we should recognize how the internet is a giant amplifier for conspiracy theories that would have once been dismissed as insane.)
There is no evidence to support any of these alternatives. The real issue is lack of trust in the government. One of the oddities of this debate is that while the material on NSA spying leaked by Edward Snowden was received as gospel, and while a careful reading of this material would suggest North Korea was identified, many of those who most fervently embraced him are among the most reluctant to accept Pyongyang’s guilt.
North Korea’s responsibility for its nuclear weapons program is clear, based on data from international monitoring and National Technical Means (NTM) of monitoring, in other words, our own intelligence gathering apparatus. There is no international monitoring body for cyberattacks, but NTM technologies, augmented by other intelligence techniques, are the source of the unambiguous White House identification of North Korea as responsible. What NTM looks like in the cyber domain is classified. The technologies use new kinds of sensors to collect data, including opponent malware (the malicious software used in an attack) and attacker identities. Many commercial entities also use internet sensors; the chief difference is the ability of government agencies to blend other forms of intelligence with internet data and, of course, a willingness to undertake covert activities.
The US probably used these intelligence technologies to identify the authors of the Sony incident and their tools. This kind of technical collection is not flawless; judgment is still required to interpret the collected data and error is possible—think of the Cold War “missile gap” of the late 1950s, when the US overestimated the number of Soviet missiles. In an earlier time, people were willing to accept government assertions based on classified intelligence sources with few questions. This is no longer the case, but to reveal how information was obtained (“sources and methods”) usually means losing the source of data as opponents take countermeasures in response. This has happened routinely in the past.
North Korea is a “hard target” for intelligence, particularly its nuclear program. In contrast, the internet is an easier collection target because Pyongyang cannot deny access to its cyber capabilities in the same way it can deny access to its nuclear activities. To hack, it must connect and that connection provides an avenue for espionage. We can only speculate as to what techniques were used in this instance. The US is not alone in spying on the North. All of North Korea’s neighbors conduct espionage against it. The Chinese are best placed to collect against the North, but despite a degree of exasperation with their client, they show no willingness to share what they know about Sony.
We do know that the US has worked for a decade to improve its ability to attribute cyber-attacks. As a result, some experts believe that the US can now succeed in identifying an attacker in more than two out of three cases. One motive for the effort was a hope that better attribution would strengthen cyber deterrence. If the source of an attack is unknown or unclear, the attacker can escape retaliation. Weak attribution makes credible deterrent threats difficult. By improving its ability to attribute, the US hopes to improve cyber deterrence.
North Korea likely miscalculated the risk of the action against Sony because it underestimated the US ability to attribute (Pyongyang may not have recognized that the case made for indicting five PLA officers for economic espionage was based on overwhelming evidence from intelligence sources). US sanctions sent a useful signal to the North and to other potential attackers that the cloak of invisibility they hoped to hide behind is now threadbare. While there is more that the US could do to reinforce this deterrent message, the objective is to make opponents recalculate the risk of cyber attack against American targets.
Unfortunately, this does not mean that future cyber attacks against US targets can be ruled out. The attack against Sony highlights the continuing problems of cyber deterrence (CSIS and the Nuclear Threat Initiative have a project reviewing cyber deterrence). We face new opponents who are more willing to accept the risk of retaliation—North Korea, Iran, Russia, and while they lack advanced cyber capabilities as of yet, Syria and perhaps Hezbollah. The US has committed itself to proportional responses (those that do no more damage than the original attack). North Korea may assume that it can survive proportional retaliation—shutting down North Korea’s film industry would produce shrill denunciations but little real damage. Neither the North nor Iran, to the extent they believe the US commitment to proportionality, is likely to fear a proportional response to a Sony-style cyber incident.
These opponents may also believe that the US and its allies are unwilling to risk war in response to a range of actions that do not inflict real damage to American interests but that provide them with a political benefit at home. America’s opponents will test how far they can go using new technologies and techniques, including cyber tools, in what some call hybrid warfare. This new style of warfare, where rules and redlines are still unclear, will remain tempting to those who wish to confront the US. Moreover, North Korea has unique “advantages”—a nuclear arsenal to deter the US or ROK as well as its political and economic insularity—that reduced the risk of retaliation for attacking Sony.
We do not know how to deter North Korea from engaging in provocative actions. Kim Jong Un may believe that as long as his provocations remain small and sporadic, he can call the West’s deterrent bluff. Influencing North Korean calculations of risk is hard, given limited insight into Kim’s strategic thinking and our limited ability to inflict punishment on the North. Traditional tools—sanctions, military threats and diplomatic action—seem to have limited effect. Moreover, North Korean military forces and nuclear weapons, while insufficient to win any war on the peninsula, could inflict immense damage and this is sufficient to deter the US and the ROK from undertaking a range of stronger punitive responses.
The risk is that Kim (or other authoritarian opponents) will miscalculate, go too far and start a crisis that could escalate into an armed clash. The challenge of the Sony attacks is not persuading skeptical amateurs but signaling to North Korea and others the limits of covertness in cyberspace and what lines they should not cross. The goal is to get these nations to recalculate the risks of hybrid warfare and cyber attacks. Even with an assertive American response, this could take years to accomplish, and it would be optimistic to say that North Korea and others will not be tempted again to use cyber techniques for political purposes.