The US entertainment industry has allowed itself to be blackmailed in cyberspace by an aggressive, backwater nation with a strong tendency to censor opponents. Welcome to a strange new chapter in the story of cyberwarfare.
E&T reported that Sony Pictures Entertainment (SPE) had been hacked by a mysterious attacker, with security experts dismissing North Korea as the culprit.
Although North Korea denies the charges, the FBI has finally linked the dictatorship to the attack on 19 December. Now the US will be gunning for the secretive country in cyberspace, said President Barack Obama.
It is hard to attribute attacks to a single source. The FBI considered the similarities between the malware used on Sony and malware that North Korea has used in the past. Another sign was the hard coding of several IP addresses into the malware that US authorities said were part of North Korean infrastructure.
Perhaps the most interesting part of the President’s speech on 19 December isn’t the technology or the battle between Sony and the hackers, but the spat inside US borders
President Obama said that SPE had made a mistake by caving to North Korea’s demands not to release ‘The Interview’, the film at the centre of the controversy. The hackers had demanded that the film, which depicts an assassination attempt on North Korean leader Kim Jong-un, not be screened. The company pulled the film.
“I wish they had spoken to me first,” President Obama said in his end-of-year press briefing. “I would have told them ‘don’t get into a pattern in which you’re intimidated by these kinds of criminal attacks’.”
Sony stands to lose tens of millions in box office revenues, but not capitulating could have cost far more. It is already facing multiple lawsuits from employees after their details were leaked online with thousands of Sony emails in mid-December.
Sony Entertainment CEO Michael Lynton argued that the company hadn’t backed down, and pointed out that theatres themselves, who refused to show the film, were outside of the company’s control. He said that Sony was considering an online release, but video-on-demand distributors hadn’t stepped forward to help. At the time of writing, SPE’s lawyers were saying that the movie would be released, but that they didn’t know how. Just days earlier, a spokesperson for SPE said that it had no further release plans – the firm has clearly had to adapt quickly to pressure from all sides.
The stakes are high for all concerned. Had the attack escalated to physical attacks on theatres that showed the movie, as the attackers had threatened, that could have posed an existential threat to movie-going culture.
This isn’t the first act of cyber terrorism, but it is one of the gravest.
Other than ignoring the threat, there are few alternatives for a private company. ‘Active defence’ is not a viable option. The idea of a private entity striking back against an enemy is illegal under the European Convention on Cybercrime.
The legality of government strikebacks is muddier, though, as they fall under international military law.
The US applies the same laws of warfare to cyberspace as to the kinetic battlefields of land, air, sea and space. The Law of Armed Conflict (LOAC) is well understood in military circles, and the Department of Defense acknowledges it both on and off the Internet.
“As with all of the activities that DoD pursues in the physical world, cyberspace operations are executed with a clear mission and under clear authorities, and they are governed by all applicable domestic and international legal frameworks, including the protection of civil liberties and the law of armed conflict,” said the Pentagon in a 2011 Cyberspace Policy report to Congress.
LOAC includes considerations such as military necessity, and proportionality and the White House would have been guided by this as it announced that it would undertake a proportional response to North Korea.
What would a proportionate response look like? President Obama wouldn’t outline it in his briefing, other than to say that it would happen “in a place and time and manner that we choose”.
The US will be eager to stabilise the situation, which is partly why the President is taking pains not to call the hack an act of war. However, when the US government promises a proportional response on behalf of a private company, it describes no less than a form of armed conflict. The weapons are electronic and economic, but the results could be politically explosive.
We have stumbled into a new era of cyberwarfare, in which a government has had a direct and coercive effect on a private entity in another country. State-level cyber-blackmail doesn’t stop at entertainment and, next time, it may not be an inconsequential comedy film that’s the focus.