(Update midnight December 24 by SH)
In a previous post, we outlined what we think we know about the private sector side of the North Korean cyberattack. In this post we take up the question of what should be done by Sony and the government going forward.
First, it is worth noting that while many have criticized Sony and the industry for being soft, there are some that have argued that the whole project was inappropriate to begin with and should be boycotted; David Austin makes this case at USA Today. But Austin does not complete the thought. Whether or not the project showed good judgment ex ante, subsequent events have turned it into a fundamental First Amendment case. Can physical threats be used to stop constitutionally-protected free expression? Similar international cases have included the fatwa against Salmon Rushdie for The Satanic Verses or controversy over the Jyllens-Posten cartoons of the Prophet Muhammad. But the argument could apply equally to the Ku Klux Klan threatening theaters planning to screen “The Butler” or a neo-Nazi group menacing a documentary on the Holocaust.
With respect to Sony’s course of action, we argued that the test of the company’s sincerity is whether the firm really wants to see the film released, as CEO Michael Lynton claimed in his interview with Fareed Zakaria. There have been numerous suggestions for free or paid digital distribution but the economics are a bit more complicated than suggested in our previous post. Film production companies normally take out completion and release insurance; the first would insure against eventualities such as a lead actor dying in mid-production; the latter would insure against your lead axe-murdering someone immediately prior to release. We don’t know the details of what insurance Sony took out on “The Interview” but it is inconceivable that they did not purchase any. As a consequence, they might file a claim arguing that the North Korean/GOP threat prevented the release of the film, and as long as the film is not released—and this includes digital release—they probably could recoup at least part of their reported $44 million costs.
However, if such a claim is paid, ownership of the film typically reverts to the completion bond agency that wrote the contract, which is then free to do what they like with the movie. In this case, the insurers could well engineer some kind of paid digital release to recoup some of their losses. In this scenario, Sony would have to pray that when it came to retaliation, the North Koreans/GOP would distinguish between Sony and their insurers.
So Sony thus had four options: release the film through some commercial mechanism (DVD or video-on-demand) in an attempt to salvage both revenues and reputation; release it for free; hold the film back, eat the $44 million loss, but retain control over the film; or hold the film back and file an insurance claim, clawing back some revenue but losing control over the film. Sony has since managed to secure cooperation from at least some theater-owners for a December 25 elite--playing successfully on the hackers' efforts to shut the film down, and has contracted for several forms of online release as well..
Regardless of how wide Sony is able to release the film, it is a completely separate question of whether the United States should respond to a highly destructive attack on a foreign firm operating on American soil. Before answering that question, what do we know about North Korean involvement? Given the circumstantial nature of US evidence, and in the wake of the Iraq nuclear intelligence fiasco, US claims are likely to meet a fair amount of skepticism both at home and around the world. North Korea is already scrambling for plausible deniability and has claimed it can prove it was not the culprit; in fact, Pyongyang is demanding a joint investigation, as it did in the case of the Cheonan sinking. But there are a long list of skeptics at home, as well: Wired weighed in with its doubts last week, The L.A. Times interviews some doubters and Margaret Hartmann at New York Magazine outlines the competing theories, from the Chinese to uncoordinated friends of Pyongyang, to Sony insiders as well as complex mixtures of all of the above.
In its press release from Friday, the Bureau offers the following as evidence of North Korean involvement:
- Technical analysis of the data deletion malware shows similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks to malware previously identified as North Korean in origin.
- There is significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea, including communication between known North Korean infrastructure and IP addresses that were hardcoded into the data deletion malware used in this attack.
- Similarities in the tools used in a cyber attack in March 2013 on South Korean banks and media outlets, which South Korean intelligence traced to North Korea.
And this is quite apart from the clear focus of the GOP on the particular affront to the Young General and the open support the attack received from Pyongyang. Some analysts have expressed strong doubts, but it is important to remember that North Korea has long acted through proxies in conducting its criminal activities such as distribution of narcotics; such arrangements are certainly plausible ways of gaining deniability in this instance as well.
In our view, a response is imperative. The hack is not a routine denial-of-service barrage, commercial or government espionage. It is a rare case of an attack aimed to do maximum damage to real Sony assets. President Obama has argued for a proportionate response. But if the attack can be confidently ascribed to the North Korean government, there is a case of an overwhelmingly disproportionate response, both to punish the perpetrator as well as deter potential imitators such as China, Russia, or Iran.
Such retaliation could take a number of forms. First and most obviously, would be retaliatory “hackbacks” on North Korea. The problem with this approach is that North Korea’s very backwardness makes it relatively invulnerable, although there commercial and military targets that one could identify, including the hacking units themselves.
Second, and less emotionally satisfying but arguably more effective would be to ramp up sanctions in the financial sphere. Multilaterally, the US could go back to the UN Security Council and attempt to get UN sanctions tightened. But given the partly circumstantial nature of the case, the Iraq experience, and current diplomatic tensions with Russia, the likelihood of getting satisfaction through the UN is highly doubtful; two of the P5 have outstanding cyberissues with the US of their own. Cooperating with a group of like-minded countries a la the Proliferation Security Initiative (PSI) would be a second option, and particularly closing the loophole with respect to SWIFT's provision of clearing services. Bilaterally, the North Korean Sanctions Enforcement Act, which passed the House last session provides a blueprint for other such measures; our summary can be found here..
Third, as has been floated in the press, the US could put North Korea back on the list of state sponsors of terrorism. Purists might argue that the Sony case does not constitute terrorism as normally understood, but frankly speaking this law has been applied quite elastically in the past—including with respect to North Korea’s earlier removal from the list. Apart from symbolism, it is not clear what the impact of this move would be. Under the law, the US imposes an arms embargo, terminates aid, and instructs its Executive Directors at the international financial institutions such the International Monetary Fund, the World Bank, and the Asian Development Bank to oppose membership (or in the case of countries that are already members, vote against loans). But the US already has an arms embargo against North Korea, provides little aid, and at present North Korea shows no interest in joining the IFIs. To us, this seems like a weak signal with little teeth beyond creating another issue to resolve down the road.
Fourth, North Korea's four networks are routed through China and some of North Korea’s cyber activities are carried out in China, or at least via servers located in China. The US could make clear to other countries (presumably China now, but possibly others such as Russia in the future) that the US will adopt a policy of cyber hot pursuit and retaliate against the North Koreans wherever they operate, even if outside North Korea. The US has quietly been seeking Chinese cooperation on this issue, and it would be an easy place for the Chinese to give the US something.
As has now been widely reported, North Korea experienced two bouts of unstable connectivity and then was completely severed from the internet over the last several days (update as of midnight December 24); Ars Technica, Dyn Research and North Korea Tech are the sites that have provided good coverage of the outages. As with the Sony hack, debate will continue over who was responsible. Some analysts think that denial-of-service attack looked like the work of activities rather than the US government which has maintained its “no comment’ stance. China has also vigorously denied any responsibility. But such actions would be legitimate and also send the signal: after all, the very limited number of North Korean IP addresses—just over 1000 and held by a limited number of institutions—make the internet available only to members of the elite.
Finally, we close with our favorite idea: to ramp up our own propaganda efforts, which in a case such as North Korea is as simple as getting outside news, other media, and—yes—entertainment into the country. Who is more vulnerable on that score?