US Korea Institute

38 North offers informed analysis of events in and around the DPRK.


North Korea and Sony: Why So Much Doubt and What about Deterrence?

07 January 2015

What deterrent measures can be used against cyber attacks? One of the joys of the internet is that anyone with a keyboard and a connection can be an expert. Opinion substitutes for research. The uninformed debate over the Sony cyber incident is the most recent example of the internet’s limitations. An earlier essay discussed why the evidence pointed to North Korea as the most likely suspect. Since then, the US government has assigned the blame to the North, with the President imposing new sanctions. These are not steps to be taken lightly and suggest a high degree of confidence within the Obama administration as to the North’s culpability.

That, however, was not enough for many “experts.” Some of the skepticism comes from past missteps by the Intelligence Community—from Iraqi WMD to denials of domestic spying—which make suspicion understandable. But those intelligence missteps were driven by political motives: intelligence information released to win public support for a questionable course of action.

There is no similar motive in the Sony case. In fact, the domestic audience is largely irrelevant. A reasonable skepticism, reinforced by the internet community’s penchant for conspiracy theories, a general lack of knowledge about intelligence processes and a surprising absence of even basic knowledge about the North, has led to a loud but vacuous debate over who else could be responsible. Let’s look at some of the alternatives offered:

  • Progressive activists, suddenly enamored of Kim, leapt to his defense without the usual press releases these groups issue to claim credit.
  • Unknown Sony insiders, completely independent of North Korea, undertook the actions.
  • The US itself, to distract attention from the CIA torture report. (A British expert proposed this on a BBC program—we should recognize how the internet is a giant amplifier for conspiracy theories that would have once been dismissed as insane.)

There is no evidence to support any of these alternatives. The real issue is lack of trust in the government. One of the oddities of this debate is that while the material on NSA spying leaked by Edward Snowden was received as gospel, and while a careful reading of this material would suggest North Korea was identified, many of those who most fervently embraced him are among the most reluctant to accept Pyongyang’s guilt.

North Korea’s responsibility for its nuclear weapons program is clear, based on data from international monitoring and from National Technical Means (NTM) of monitoring, in other words, our own intelligence gathering apparatus. There is no international monitoring body for cyberattacks, but NTM technologies, augmented by other intelligence techniques, are the source of the unambiguous White House identification of North Korea as responsible. What NTM looks like in the cyber domain is classified. The technologies use new kinds of sensors to collect data, including opponent malware (the malicious software used in an attack) and attacker identities. Many commercial entities also use internet sensors; the chief difference is the ability of government agencies to blend other forms of intelligence with internet data and, of course, a willingness to undertake covert activities.

The US probably used these intelligence technologies to identify the authors of the Sony incident and their tools. This kind of technical collection is not flawless; judgment is still required to interpret the collected data and error is possible—think of the Cold War “missile gap” of the late 1950s, when the US overestimated the number of Soviet missiles. In an earlier time, people were willing to accept government assertions based on classified intelligence sources with few questions. This is no longer the case, but to reveal how information was obtained (“sources and methods”) usually means losing the source of data as opponents take countermeasures in response. This has happened routinely in the past.

While North Korea is a “hard target” for intelligence, particularly its nuclear program, the internet is an easier collection target because Pyongyang cannot deny access to its cyber capabilities in the same way it can deny access to its nuclear activities. To hack, it must connect, and that connection provides an avenue for espionage. We can only speculate as to what techniques were used in this instance. The US is not alone in spying on the North. All of North Korea’s neighbors conduct espionage against it. The Chinese are best placed to collect against the North, but despite a degree of exasperation with their client, they show no willingness to share what they know about Sony.

We do know that the US has worked for a decade to improve its ability to attribute cyber-attacks. As a result, some experts believe that the US can now succeed in identifying an attacker in more than two out of three cases. One motive for the effort was a hope that better attribution would strengthen cyber deterrence. If the source of an attack is unknown or unclear, the attacker can escape retaliation. Weak attribution makes credible deterrent threats difficult. By improving its ability to attribute, the US hopes to improve cyber deterrence.

North Korea likely miscalculated the risk of the action against Sony because it underestimated the US ability to attribute (Pyongyang may not have recognized that the case made for indicting five PLA officers for economic espionage was based on overwhelming evidence from intelligence sources). US sanctions sent a useful signal to the North and to other potential attackers that the cloak of invisibility they hoped to hide behind is now threadbare. While there is more that the US could do to reinforce this deterrent message, the objective is to make opponents recalculate the risk of cyber attack against American targets.

Unfortunately, this does not mean that future cyber attacks against US targets can be ruled out. The attack against Sony highlights the continuing problems of cyber deterrence (CSIS and the Nuclear Threat Initiative have a project reviewing cyber deterrence). We face new opponents who are more willing to accept the risk of retaliation—North Korea, Iran, Russia, and, while they lack advanced cyber capabilities as of yet, Syria and perhaps Hezbollah. The US has committed itself to proportional responses (those that do no more damage than the original attack). North Korea may assume that it can survive proportional retaliation—shutting down North Korea’s film industry would produce shrill denunciations but little real damage. Neither the North nor Iran, to the extent they believe the US commitment to proportionality, probably fears a proportional response to a Sony-style cyber incident.

These opponents may also believe that the US and its allies are unwilling to risk war in response to a range of actions that do not inflict real damage to American interests but that provide them with a political benefit at home. America’s opponents will test how far they can go using new technologies and techniques, including cyber tools, in what some call hybrid warfare. This new style of warfare, where rules and redlines are still unclear, will remain tempting to those who wish to confront the US. Moreover, North Korea has unique “advantages”—a nuclear arsenal to deter the US or ROK as well as its political and economic insularity—that reduced the risk of retaliation for attacking Sony.

We do not know how to deter North Korea from engaging in provocative actions. Kim Jong Un may believe that as long as his provocations remain small and sporadic, he can call the West’s deterrent bluff. Influencing North Korean calculations of risk is hard, given limited insight into Kim’s strategic thinking and our limited ability to inflict punishment on the North. Traditional tools—sanctions, military threats and diplomatic action—seem to have limited effect. Moreover, North Korean military forces and nuclear weapons, while insufficient to win any war on the peninsula, could inflict immense damage and this is sufficient to deter the US and the ROK from undertaking a range of stronger punitive responses.

The risk is that Kim (or other authoritarian opponents) will miscalculate, go too far and start a crisis that could escalate into an armed clash. The challenge of the Sony attacks is not persuading skeptical amateurs but signaling to North Korea and others the limits of covertness in cyberspace and what lines they should not cross. The goal is to get these nations to recalculate the risks of hybrid warfare and cyber attacks. Even with an assertive American response, this could take years to accomplish, and it would be optimistic to say that North Korea and others will not be tempted again to use cyber techniques for political purposes.

Reader Feedback

7 Responses to “North Korea and Sony: Why So Much Doubt and What about Deterrence?”

  1. Hack says:

    The more details I hear about this hacking, the more sceptical I become. The actions of the hackers following the media ‘pickup’ of the story suggest more individuals wanting maximum notoriety rather than propaganda aims of the DPRK.

    Just as the story was beginning to fade, the group starts making threats against theatres. 100% notoriety gain for hackers, 100% PR disaster for DPRK. As if that wasn’t enough, the group “Lizard Mafia” (who have already made bomb threats against Sony Execs) are also claiming involvement in the attack. [providing “a number of Sony employee logins”].

  2. Vova G says:

    This is a very dangerous line of thinking. If you have to believe the US government because they may have the evidence but can’t provide it, then surely you also have to trust the NK government as they may be in the same situation? Otherwise you are merely choosing your side based on nationalism.

    I’m not sure how the sanctions are supposed to stop them from looking for and exploiting vulnerabilities, when every other state is doing the same, including the US as by far the most active player. A very flawed article overall.

  3. thomasg says:

    I’m really surprised you’re not ashamed for publishing this essay.

    Because this comment might never make it through your moderation system, I’m just going to dissect your most infuriating claims.

    Let’s start with the armchair experts – I’m paraphrasing here because your “experts” just seems to plump for a random comment on the internet.
    You specifically mention the analogy to WMDs. The “expert” (excuse me) who brought that up is none other than Bruce Schneier, one of the world’s foremost security experts. When the discussion is about computer security and you dismiss Bruce Schneier as yet another random dude on the internet, you clearly haven’t done your homework.
    But I shouldn’t sink to your level and stick to ad-hominem arguments.
    Mr. Schneier brought the analogy up, because the proof that is presented to the world is just as poor as it was back in 2003, while it would be trivial to present better facts – which SHOULD be necessary for the drastic steps taken. He does so rightfully, and every honest citizen should demand the level of honesty he does.

    You also argue that it would be odd that those who praised Snowden for his courage to publicize information about programs he considered highly unconstitutional are reluctant to accept Pyongyang’s guilt. I would argue that it is odd that you expect people who read carefully through thousands and thousands of pages of highly detailed information about these programs to accept what is basically a handful of international IP addresses as real evidence and conclusive proof.
    I guess your fellow countrymen can consider themselves lucky that you aren’t a judge.

    The next claim is that North Korea is a “hard target” for intelligence. Which is true, because the society is hard to understand and even harder to infiltrate. For you, however, the really hard part seems to be the nuclear program, and the most trivial one their internet access.
    We have a large scientific toolkit to assess the production of nuclear material, ranging from satellite surveillance of the huge facilities needed, the solid tracking of the raw materials needed, and the technology required. As Stuxnet has shown, it is really easy to exactly know where all this happens, though I guess I can’t really expect you haven’t done your homework here either.
    Internet access in a country is actually much harder to assess. You can access the internet from any point on earth with tiny and cheap equipment. Even more though, you can easily make it seem you’re accessing it from somewhere else. North Korea might want to make it seem like they’re accessing it from Italy for specific purposes; another country, organization or individual might want to make it seem like they’re accessing it from North Korea. Both are equally possible and equally likely, and make proof hard.
    As every scientifically literate person knows, things hard to prove require all the better proof.

    There are much more outlandish claims and poor arguments, but I leave it for the readers to detect them (and even though they might also be “experts with a keyboard,” they are smarter than you might think).

    In the future, I think it might be wise if you wrote essays on things you actually know about, and otherwise leave it to the experts. Bruce Schneier for example.

  4. Robert Lee says:

    I feel the tone referring to “experts” is a bit self-serving to attempt to validate your point. There’s no reason to try to undercut others if your argument is valid.

    The Intelligence Community deals with these scenarios a lot. I know because I was one of the analysts and led a team doing threat discovery and attribution for the Intelligence Community. Dealing with cases like this was a norm. What was not a norm was public attribution. I don’t think the critics are posing the best of theories and honestly I don’t think they have all the data to “know” anything. But the problem is the government has made a decision to have public attribution but not have public evidence. The evidence presented so far has been lackluster at best. What is worse is it sets a dangerous precedent: “we did tech analysis, don’t question it – it’s classified.”

    My problem with that is now it becomes an international precedent. If Iran wants to claim GE hacked into their control system centers they now can and claim “we did tech analysis, but it’s classified, and now we’re going to justifiably enforce countermeasures.”

    In the IC we did tech analysis with classified sources and methods on a daily basis for attribution. Sometimes we got it right. But sometimes we got it wrong because we were human and technical data while not magic is not easy to always interpret right. I believe that NK probably did do this. I do trust the government. I do not trust the standard it sets and I will never accept “it’s classified but we’re going to blame publicly anyway” as a legitimate answer.

  5. Richard Steven Hack says:

    So the FBI doubles down on the “they had IP addresses in North Korea” which ALLEGEDLY are “the exclusive use of the North Korean government.”

    Sorry, this isn’t proof of anything – despite the egregious and unnecessary attack on Snowden in this article.

    North Korea is a sieve, just like China. Anyone could use IP addresses in their space, government or not. And remember, we still have only the FBI’s word that these IP addresses are “for the exclusive use of the North Korean government.”

    As for the “North Korean code”, this has already been addressed by REAL experts in infosec, including linguists.

    Sorry, but the FBI has not really bolstered their case that much. Fortunately, they appear to finally admit that there may well have been Sony insider help with the actual hackers, and that the actual hackers may have been other than North Koreans.

    That’s really all the infosec community needed to hear – that it was NOT clearly “North Korean hackers”. And evidence of direct North Korean involvement is STILL absent.

  6. Z says:

    This isn’t just about the IP address.

    The publicly available evidence they gave was that the code used in the attack was of North Korean origin.

    The NSA though might very well have classified information that is damning. Emails/phone calls from high placed NK officials. Information gleaned from compromised NK government computers.

    When you consider just how much money the NSA has and how important NK is as a target for intelligence, it’s actually quite unlikely we don’t have computers compromised or access to high level officials’ emails. Things like Stuxnet etc. indicate that when the US commits to cyber espionage/warfare we’re quite skilled at it.

    We also have the transatlantic cables tapped and probably lots of lines coming out of NK.

    We’re probably well placed to know what NK does online.

  7. Dave K. says:

    Bringing out an opinion, based on reasonable suspicion, is far from a joy. Many cybersecurity companies (including Norse Corp.) and CS professors – whom you may call ‘skeptical amateurs’ – point out that ‘an IP address is not evidence’, and that is the first point that gives rise to skepticism. But the FBI keeps telling us ‘I am right because I am righteous’. What a recurrence.
    Try to think of this case, when a bad guy did a cyber attack on a person at odds with you and left a traceable IP address bound to your workplace PC. Can the IP address say you did that?


Credit for photo of young North Korean girl: T.M. All rights reserved, used with permission.