December 11, 2014

Did North Korea Hack Sony?

North Korean leader Kim Jong-un guides a takeoff and landing drill on a highway airfield in this undated photo released by NK's Korean Central News Agency, Oct. 19, 2014

Photo by KCNA/Reuters

by Bruce W. Bennett

There is strong suspicion that North Korean state-sponsored hackers were behind the cyber attack on Sony Pictures Entertainment just before Thanksgiving.

Since June of this year, North Korea has made serious efforts to stop the release of Sony Pictures's movie The Interview, which depicts the leader of North Korea, Kim Jong-un, in terms Kim would not want the world and especially his elites to see. The scenario also includes a plot to kill the young North Korean leader, who presumably wouldn't want unhappy elites to think more seriously about such action.

The North Korean regime strives to make members of the Kim family appear godlike with shrines in many public buildings. To the North Korean leaders, The Interview is the kind of blasphemy that could have brought a sentence of death in historic Judeo-Christian culture.

North Korea hides or falsifies so much information about its activities that it is difficult to gather even basic facts like its population. But did North Korea have the means, motives, and opportunity to perpetrate such an attack, and did it fit the North Korean style? The answer to these questions is probably yes.

North Korean Means, Motives, and Opportunity

In June, the North Korean state KCNA news agency said, “making and releasing a movie on a plot to hurt our top-level leadership is the most blatant act of terrorism and war and will absolutely not be tolerated.” North Korea has tried pressuring Sony Pictures, the White House, and the United Nations to halt release of this film.

After failing to stop the release of The Interview diplomatically, North Korea may have been motivated to escalate its efforts in the hopes of forcing Sony Pictures to yield. What other country or organization is demanding that Sony Pictures halt the release of a film? And consider: While the hackers provided open Internet access to five recent or about-to-be-released Sony films, The Interview was not among them. North Korea has known about the movie for at least five months, giving it ample opportunity to plot and carry out a cyber attack.

Assessing North Korean means for such a hack is a more difficult proposition. North Korean hackers apparently took down the internal networks of both South Korean TV broadcasters and several banks in 2013, having previously threatened the broadcasters for “defaming” North Korea. North Korea is reported to have a cadre of 6,000 or so hackers, over 1,000 of whom are reportedly very skilled.

And even if the North Korean hackers were unable to crack the Sony Pictures cyber security, North Korea may well have recruited Chinese or Russian or even Eastern European hackers to help them. Penetrating a computer network is less about the number of hackers and more about their individual skill and luck in finding or inducing a gap in a computer network.

The Style of the Sony Pictures Cyber Attack

Some experts quoted in the media believe Sony insiders were to blame, because of the personal information that was released and because the attack didn't match the pattern of previous North Korean cyber attacks. That is possible, though the number of current or former Sony personnel with such sophisticated cyber capabilities must be very small. The apparent ongoing disclosures of information would make it difficult for a current disgruntled employee to avoid discovery. Moreover, North Korea is not the typical adversary state, and does adapt to achieve its objectives.

Some commentators note that previous North Korean cyber attacks have been intended to punish parties, not to coerce them, and coercion is clearly at the center of this attack. But this argument takes a short-term view of the North Korean cyber strategy. The North Korean attacks on the TV broadcasters in 2013 were certainly intended to be a punishment, but also to deter them from continuing to “defame” North Korea in the future.

Others have argued that if North Korea was behind the attacks, it should have identified itself and exactly what it wanted so that the nature of the coercion was clear. But North Korea has learned through a long series of provocations (especially its warship attack and island shelling in 2010) that maintaining plausible deniability is the preferred approach for provocations, as this approach generally prevents the West from rallying a significant response.

Some have questioned the personal nature of some of the attacks, a difference from previous suspected North Korean cyber offensives. But North Korea has been highly personal with its character attacks on government leaders such as South Korean President Park Geun-hye and U.S. President Obama. And at this stage, only weeks from the release of The Interview, North Korea may have concluded that it must take every action possible to halt the release.

The character of North Korean cyber attacks has evolved over the years in many other ways, and this type of attack could represent another step in that evolution.

How Should the United States Respond?

The evidence may be inconclusive, but what if North Korea is proven to be responsible for the attack? North Korea is likely testing the United States and its cyber community to see where vulnerabilities may exist. So this is not just an issue of how Sony Pictures responds—this is an issue of how the United States responds.

The United States must act to deter future cyber attacks against its people and corporations, but how? Culturally, North Korea is unlikely to be deterred by a weak U.S. response—quite the opposite. A weak response will only embolden North Korea and lead to more serious attacks, even if it is not proven to be the culprit.

So what might a strong U.S. response look like? Deterrence is achieved by convincing adversarial leaders that they have more to lose than gain by carrying out such attacks. There are many ways that the United States and even Sony Pictures could affect North Korean internal politics.

Slipping DVDs of at least parts of The Interview into the North, including a narration describing what their “god” Kim is really like, is one way. Leaking damaging information into the North is another. Such leaks might ask why the Kim family has absconded with perhaps $4 billion in state funds while many of its people are starving.

South Korea and the United States also could encourage defectors from the North Korean elite, offering them better lives in the South—even one or two such defections would be a loss of face for Kim.

But deterrence is not just about punishment; it is also about denying the effectiveness of future attacks. While the details of North Korean cyber threats are uncertain, the United States and its allies should seek to monitor, attack, and disable North Korean hacking capabilities. There is evidence that North Korean hackers work from China and use Chinese IP addresses. If this is true, then China's role should be publicly revealed and it should be pressured to terminate this assistance.

The United States must enhance its cyber defenses, both for its government and its commercial world. The United States currently strives to do so but likely needs to increase the resources devoted to this vital task. These defenses will never be perfect, but they almost certainly can be better.

Bruce W. Bennett is a senior defense analyst at the nonprofit, nonpartisan RAND Corporation.

This commentary appeared on Newsweek on December 15, 2014. It was originally published on The RAND Blog on December 11, 2014.