Cyber conflict is a 21st century hall of mirrors
Dr. Jarno Limnéll is Professor of Cyber Security at Aalto University in Finland. He holds a Doctor of Military Science degree from Finland's National Defense University.
The speed and certitude with which the United States fingered North Korea in the Sony Pictures hack has unnerved dubious cyber experts worldwide. The attack was ostensibly motivated by Pyongyang's fury over "The Interview." But cyber conflict is a 21st century hall of mirrors, and as doubts mount investigators might find another flick more instructive: "You Only Live Twice."
In the 1967 James Bond blockbuster, the U.S. and Soviet Union are each made to think the other is capturing their space probes. Tension escalates. Nukes are readied. The actual perpetrator, though, is SPECTRE -- the Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion -- playing the superpowers against each other. A shadowy SPECTRE client wants to spark World War III.
It is up to 007 to unmask SPECTRE, avert Armageddon, and of course blow up Ernst Stavro Blofeld's secret base.
In today's sadly 007-free world we have American officials explicitly blaming North Korea for history's biggest corporate cyber attack ("There is no credible information to indicate that any other individual is responsible for this cyber incident," said the FBI). North Korea's slim Internet connections went mysteriously dark, with Washington coy about its possible role. Kim's regime has returned racist invective, saying President Obama "always goes reckless in words and deeds like a monkey in a tropical forest."
If North Korea is really innocent, SPECTRE would be pleased.
Fixing blame for cyber attacks is frustratingly difficult, partly because originators often employ proxies, partly because attack analysis turns up diversionary red herrings that implicate innocents. And that's just the start of the problem.
It goes without saying by now that cyber weapons enlarge and blur understood definitions of war. Cyber aggressors include nation states, their private contractors, non-state evildoers, and corporate interests. There are no norms or conventions framing acceptable behavior in cyberspace -- the cyber version of arms treaties. There's no playbook for proportional retaliation, nor protocols for cooperative defensive action that join public and private interests. (As evidence of our own cultural confusion, some called news coverage of looted Sony data "near treason" -- as if the embarrassing email rants of studio execs are akin to nuclear launch codes.)
Any rapid, unequivocal, on-the-record conclusion about who perpetrated what should raise eyebrows. This is especially true with Europeans, who harbor broad hesitation about such U.S. pronouncements after all those keenly recalled 2003 assurances about Iraqi weapons of mass destruction.
Here the burden of proof is also high, and the skeptics are rightfully speaking up in greater numbers.
The FBI says a chunk of malware used in the Sony attack showed up in the 2013 North Korean "Dark Seoul" assault on South Korean assets, but that malware was already in circulation; it had been leaked. And it's been pointed out that lifting up to 100 terabytes of data from Sony's servers, as the Guardians of Peace claim to have done, would likely tax Pyongyang's modest IT resources. (The country is said to have just 1,024 IP addresses. Only a handful of North Korea's 25 million citizens have ever seen an Internet-connected device.)
Beyond the technology-based reasons to doubt North Korea did it are some cultural ones. When the hack first made news in November, it looked more like a straight-up shakedown than state-sponsored cyber terror. The Guardians of Peace simply demanded ransom money for not exposing sensitive data; outrage over "The Interview" was appended later.
It is an article of faith that North Korea doesn't get Western pop culture. But these hackers anticipated the bombshell power of publicizing Sony execs' catty emails about Angelina Jolie and Leo DiCaprio. And though Pyongyang's elite study English from youth, the hackers' fractured diatribes verge on comedy. "Soon all the world will see what an awful movie Sony Pictures Entertainment has made... (If your house is nearby, you'd better leave)... All the world will denounce the SONY." More Dr. Evil than Blofeld.
What third party, then, stands to profit from the Sony hack, and from setting the U.S. and North Korea at each other's throats? Kim Jong-un could not hope to win a real showdown. Is another player motivated to divert global attention to a Washington-Pyongyang fracas, and perhaps away from something else?
Perhaps more plausible is the theory of a disgruntled employee with inside knowledge of Sony systems and a lot of savvy friends. The resulting international crisis may be what passes for funny in some nihilistic corner of hacker culture.
Yet as late as Monday, as private experts threw new cold water on the North Korea theory, the White House and FBI doubled down, conceding only that Kim's team might have had an expertise boost from outside.
The real lesson of the Sony hack is not how vulnerable Sony, and we, are. That point was made repeatedly in 2014 via the Home Depot, Heartbleed, JP Morgan Chase, and other cases. The real lesson is how little we understand this new sphere of conflict and how cautious we must be. With attribution and reprisal so difficult, fast conclusions are nearly as alarming as cyber attacks themselves. We can yearn all we want for James Bond to dispel the fog of cyber war, dynamite the villains' lair, and put a stylish, satisfying stop to this. But in reality there are too many villains and lairs, no 007, and too much risk of cyber conflict caroming out of control.
The Sony attack is the most destructive one so far against a U.S. corporation. There will be more, and worse, yet we do not have a mature response model. Building one in private, not placing blame in public, should be our priority. Bond author Ian Fleming did not predict the murky landscape of keyboard spycraft, manifold faceless enemies, touchy public-private alliances, technocratic shoe leather, and unwritten playbooks that sums up cyber conflict today. But when he imagined excitable, underinformed leaders flirting with mayhem, perhaps he had a point.