“Malware…it’s basically the terrorism of the Internet.” Although this kind of hype belongs to the TV show NCIS Los Angeles, it also nicely sums up the discourse surrounding the hack of Sony Pictures Entertainment. What began as a corporate issue has quickly spiraled into what the White House has called a “serious national security matter.” With claims that North Korea was indeed responsible, the Obama administration may have stuck its nose out a bit too far. The escalation of events has resulted in a freewheeling use of #cyberwar and #cyberterrorism, blowing public discourse further out of proportion. Decision makers and the media need to clearly delineate between criminal acts, corporate decision making, and threats to national security.
First and foremost the Sony hack is, and remains, primarily a corporate matter. The breach will continue to have a serious impact on Sony’s bottom line and share prices, and there’s certainly scope for employees to challenge Sony’s efforts to properly secure sensitive data. While unprecedented in breadth and sophistication, the hack is a criminal act. Even if connections to the North Korean government can be unequivocally substantiated, much like the May indictment of PLA officers, this matter should fall squarely under the judicial system. There’s scope for the Department of Homeland Security (DHS) and FBI to reach out to Sony under its existing public–private partnership structures to investigate the breach and help boost Sony’s resilience. But stealing intellectual property, emails, sensitive employee data, and other corporate documents falls well short of terrorism.
News of celebrities irked by the hack and leaked blockbusters quickly gave way to reports of serious threats against the film The Interview. The culprits, the self-proclaimed Guardians of Peace (GOP), threatened a 9/11 type “bitter fate” to those attending the movie’s premiere. Yet the credibility of that threat remains highly suspect, a point supported by a DHS statement that reads “at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States.” It would appear that Sony’s decision to cancel the premiere of The Interview was more likely due to coercion in the form of insurance liability and major theater chains pulling the film than any real threat from the GOP. It is an unfortunate decision for sure, and for those who don’t believe in negotiating with terrorists, it sets a dangerous precedent.
When U.S. President Barack Obama addressed the issue at his year-end news conference last week, he was for the most part measured and reasonable. However, he stated that the U.S. would “respond proportionally,” which has put the White House between a rock and a hard place. The president’s statement elevated the issue beyond the remit of Department of Justice (DOJ) and FBI and opened the door for the comedy of errors that followed. The spat between Sony and the White House, not to mention North Korea’s threat of retaliation if the U.S. does not cooperate in a joint investigation, has made a bad situation worse, at least politically.
The reality is the White House does not have many levers to pull when it comes to North Korea. North Korea is the most heavily sanctioned country on Earth, leaving little room for increased economic pressure, and its leadership is not likely to flinch at being classified a “state sponsor of terrorism.” Having publicly put the White House stamp on the issue, the president may be tempted to wield the Pentagon’s cyber assets, however any “hack-back” operation would not only irk China, which hosts North Korea’s telecom connections, but – more significantly – set a dangerous precedent for companies and state actions in the future.
The president has already begun to roll back expectations, this week relabeling the incident “cyber vandalism.” While that may be costly for the administration in political terms, it allows a more reasonable set of responses. The U.S. should re-emphasize the cybercrime dimensions of this incident, giving the lead back to DOJ and the FBI. Under that framework, the U.S. should continue to reach out to international partners, including China, Japan, South Korea, and Russia to not only reign in North Korea but to conduct a joint investigation into the incident. That would allow the U.S. to make further progress on international cooperation to combat cybercrime and to emphasize the rule of law in cyberspace rather than a tit-for-tat dystopia. Moreover, the U.S. can take this incident as an opportunity to further boost its public–private coordination on cyber issues, which were clearly lacking in this incident.
While the White House may have initially have overstepped, in reining its rhetoric back the U.S. still has the opportunity to make kimchi out of cabbage.
Klée Aiken is an analyst in ASPI’s International Cyber Policy Centre. This article was first published in The Strategist, the Australian Strategic Policy Institute blog, and is reprinted with kind permission.