Nearly a year after the 2014 hack that brought the entertainment industry to its knees, questions still linger as government  officials try to resolve the frightening implications for the US

 

On 05 December 2014, thousands of Hollywood’s elite awoke to a grim reality: hackers had obtained and released their social security numbers. This targeted assault was the second part of the now-infamous Sony hack. The attack was launched in response to Hollywood’s latest theater offering, The Interview. A controversial comedy starring James Franco and Seth Rogen, The Interview gives an inside look at the oppressive North Korean regime in a humorous yet poignant light. Unsurprisingly, the film drew the ire of North Korean officials, and many in the US government pinned the blame on North Korea for the subsequent hacking. However, further investigation reveals that the hack of Sony Pictures may not be as straightforward as officials originally thought. It also points to a fatal vulnerability in the US’s cyber security.

A Born Enemy

Since the close of the Korean War, North Korea has repeatedly threatened the United States with nuclear action. In 1994, the US and North Korea settled on a path called the “Agreed Framework” towards denuclearization, but North Korea has yet to uphold its end of the agreement. In 2005, the US began a hardline—but ultimately failing—attempt to reign in the rogue nation through United Nations Security Council Resolutions (1718, 1874, 2087, 2094). At this time, domestic Congressional law prohibits any economic or humanitarian aid to North Korea.

“They Hate Us ’Cause They Ain’t Us”

The hack of Sony Pictures led to months of chaos as production officials and US government officials alike scrambled to find the culprit and salvage something from the immense damage. Damages included the release of the personal and financial information of 47,423 Sony employees and contractors—information that is now permanently in the public domain. Hackers also leaked movie scripts, contracts, entire films, and embarrassing internal memos. The punitive damage is estimated at $100 million, which comes at a particularly difficult time for Sony after years of box-office flops. The company is undergoing layoffs and executive exits. However, the greatest blow to Sony has been the damage to its reputation, something public relations analysts say will be hard to recover.

The identity of the perpetrator is difficult to ascertain. An organization called Guardians of Peace quickly laid claim to the attack. However, Pyongyang’s hostile language toward the movie led US officials to believe that Guardians of Peace was merely an agent used by the North Korean government. The FBI, who was in charge of the investigation, hinted strongly that the attacker was North Korea, citing evidence such as similarities in execution, malware, and coding between this and previous North Korean hacks.

On January 2, 2015, the Department of the Treasury unveiled a new set of sanctions against North Korea—specifically three North Korean government agencies and businesses, and ten government officials. The sanctions forbid US individuals and companies from doing business with them and freeze all their assets held on US territory. While not all of those on the blacklist were actors in this specific hack, they have been known for anti-American activities. According to Secretary of the Treasury Jack Lew, these sanctions are necessary to “further isolate key North Korean entities and disrupt the activities of close to a dozen critical North Korean operatives.”

The severity of these sanctions shocked many when they were unveiled. As part of the “proportional response” that US officials promised, these sanctions represent an uncompromising attitude towards North Korea. North Korean officials maintain that the hack was simply an unrelated third-party incident. In its 1,772-word statement, the North Korean National Defense Commission denied any involvement with the hack while simultaneously expressing admiration for the Guardians of Peace. North Korean officials vowed “tough counteraction” against any US actions.

Despite the evidence presented by the FBI, North Korea’s true cyber warfare capabilities are still unclear. Due to North Korea’s notorious reclusiveness, it is difficult to obtain intelligence that does not come from South Korea or other American allies. The secondhand nature of this intelligence often compromises its reliability. Much of the difficulty of intelligence gathering is due to from North Korea’s private network. This network is extremely limited in its internet capabilities and does not connect to or interact with other global networks, rendering it nearly impenetrable. The nation also faces a lack of resources and outdated infrastructure.

However, North Korea is not completely cyber incapable. A new report issued by Hewlett-Packard, an American global information technology company, notes that North Korea has tremendous cyber potential in human resources. Their recent data showed a total of 5,900 “elite cyber warriors.” These cyber warriors, tech-savvy individuals specifically trained by the North Korean government to wage cyber warfare, may have been a driving force behind the Sony attack.

Analysis and Conclusion

Yet despite all attempts to resolve the question, the answer concerning the true driving force behind the attack is becoming increasingly clouded. Although initial reports and the current official US stance point to a North Korean conspiracy, a growing number of cyber analysts are looking at other answers. Some have pointed to the possibility of an “inside job” by a disgruntled employee. Others see the hack as an isolated incident. These tech experts make a strong argument, asserting that the FBI was wrong when it saw consistencies between this and other North Korean hacks. After all, North Korean hackers in the past have always kept their activities private and would have never made public demands or even publically claimed responsibility for a hack.

Regardless of North Korea’s culpability, the Sony saga revealed a deeper issue: the insecurity of most US databases. Following the release of sensitive data, it was discovered that Sony’s infrastructure was poorly protected. Most personal information was stored on unencrypted Excel spreadsheets without password protection. As such, the information was easily leaked. It is also now irretrievable. Unfortunately, Sony’s negligence mirrors national negligence when it comes to cybersecurity. As demonstrated within the past year, there is little buffer between the US and a foreign cyber-attack. According to the 2015 US State of Cybercrime Survey, 2014 was a watershed year for cybercrime. Another report issued by ISACA, an international IT Governance association, points out that the US is frighteningly penetrable, whether by some rogue third-party group or by a foreign government. According to the report, much of this vulnerability can be traced back to the human element. The US government and businesses have largely failed to properly train employees to prevent, detect, and report cyberattacks. The US is also facing a shortage of skilled cybersecurity professionals, which means that businesses wait an average of three to six months before filling a cybersecurity position, leaving them vulnerable in the meantime.

As the field of battle increasingly shifts from the physical to the digital, America needs to ensure that its databases and infrastructure are properly secured. More importantly, American business and the US government must take greater care in training employees and students to detect and respond to cyberattacks and security breaches. Yes, this may mean allocating more money towards cyber defense and less towards internal improvements or FDA experiments. However, the US will need to be armed against the cyber warfare that will inevitably come its way. ■

  1. Seth Oppenheim, “The Sony Hack and the Law of War: Coming to a Theater near You,” Global Policy Journal, July 2015, http://www.globalpolicyjournal.com/blog/02/07/2015/sony-hack-and-law-war-coming-theater-near-you.
  1. James Andrew Lewis, “Sony and North Korea: Making the Case,” Center for Strategic and International Studies, December 2014, http://csis.org/publication/sony-and-north-korea-making-case.
  1. David Francis, “Was the Sony Hack an Inside Job?” Foreign Policy, December 2014, http://foreignpolicy.com/2014/12/05/was-the-sony-hack-an-inside-job/?wp_login_redirect=0.
  1. Eduard Kovacs, “North Korea’s Cyber Warfare Capabilities Detailed in New Report,” Security Week, September 2014, http://www.securityweek.com/north-koreas-cyber-warfare-capabilities-detailed-new-report.
  1. FBI National Press Office, “Update on Sony Investigation,” Federal Bureau of Investigation, December 2014, https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
  1. Bureau of East Asian and Pacific Affairs, “US Relations with North Korea,” State Department, February 2015, http://www.state.gov/r/pa/ei/bgn/2792.htm.
  1. “The Interview,” Global Security, http://www.globalsecurity.org/military/world/dprk/the-interview.htm.
  1. “North Korea: Pyongyang Denies Responsibility for Sony Hack,” Stratfor Global Intelligence, December 2014, https://www.stratfor.com/situation-report/north-korea-pyongyang-denies-responsibility-sony-hack.
  1. Bruce Bennett, “Did North Korea Hack Sony?” RAND Corporation, December 2014, http://www.rand.org/blog/2014/12/did-north-korea-hack-sony-pictures-entertainment.html.
  1. “US Slaps Sanctions on North Korea after Sony Hack,” Digital Journal, January 2015, http://www.digitaljournal.com/news/world/us-slaps-sanctions-on-north-korea-after-sony-hack/article/422453.
  1. James A. Lewis, “Speak Loudly and Carry a Small Stick: The North Korean Cyber Menace,” US Korea Institute at SAIS, September 2010, http://38north.org/2010/09/speak-loudly-and-carry-a-small-stick-the-north-korean-cyber-menace/.
  1. “State of Cybersecurity: Implications for 2015,” ISACA, http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf.