In light of the substantial media coverage of the Sony hack, Sony’s decision to cancel its release of The Interview, and the recent statement by US officials that North Korea was “centrally involved,” I thought I’d devote some time to discussing the implications of a nation-state perpetrating a cyber-attack on a private company. Most of the discussion I’ve seen thus far has focused on Sony’s response, with many expressing criticism of the company for acquiescing to a terrorist threat. And while there are some interesting proposals for how Sony should respond (such as releasing the film online for free, or airlifting copies of the film into North Korea), I would like to focus on how we should view this under international law.
For those who haven’t been following, here’s a quick background: on November 25, a group later identifying as the “Guardians of Peace” released a large amount of data obtained by hacking Sony Pictures Entertainment. The content of the hack appears to be mostly internal emails, some employee data, and five unreleased full-length movies, all of which were posted anonymously online. The hackers also initiated communications with both Sony and assorted media outlets covering many topics, most notably their stern criticism of the upcoming Sony film The Interview, a comedy about a fictional assassination attempt on North Korean leader Kim Jong-un. This past week, the hackers escalated their communications by threatening to bomb movie theaters that were showing The Interview, leading most major theater chains to drop the movie and, ultimately, Sony to cancel the December 25 release.
The targeting of Sony and the emphasis on The Interview led many to speculate that North Korea was involved in the attack, which was (somewhat) confirmed by US officials just yesterday. North Korea’s discontent with The Interview goes back at least to June, when North Korean media agency KCNA decried the film as advocating terrorism; this led to North Korea speaking before the UN and to KCNA specifically asking President Obama to intervene against the film’s release. Needless to say, no action was taken on either account. Despite a large amount of publicly available circumstantial evidence suggesting its involvement, North Korea has officially denied any involvement, and any additional evidence obtained by US officials is as of yet unknown.
Cyber-attacks present many challenges when determining how to craft a response on the international stage, chief among which is the attribution problem. The attribution problem refers to the difficulty in determining with certainty who is behind any given cyber-attack. Cyber-attacks are often highly distributed (launched from multiple sources), they can be launched from other hacked computers, they are often routed through numerous countries before reaching their target, and they readily employ IP masking and jump servers, all of which allow a savvy hacker to easily make an attack appear to originate from almost anywhere they wish. And while cyber-forensics is equally skilled at parsing these obfuscation techniques, it can be extremely difficult to say with certainty that a particular attack originated in a certain place. This is compounded by the widespread use of state-sponsored hacking (widely speculated to be at play here), wherein a country may enlist an outside hacker organization to perpetrate the act, making definitive attribution to a particular nation-state all the more difficult.
Although I will naturally defer to the US officials who invariably have more information, my initial thought was that the evidence linking the attack to North Korea was a bit too obvious, which might suggest an unrelated group wanted to masquerade as North Korea for other purposes. This could be simply a cyber-criminal group that wanted to throw forensics off their trail, or possibly even anti-North Korea activists who hoped to frame North Korea to induce international repercussions. The reuse of code linked to North Korea, the clear focus on The Interview, and the generally public nature of the attacks all seem a bit on the nose. But then again, North Korea is not known for its subtlety. Despite my initial skepticism, I will proceed assuming that North Korea is at least partly involved in the hack, which seems likely.
The primary difficulty in responding to cyber-attacks internationally is that there is no definitive international law on the issue. Cyber-attacks are relatively new, and countries are hesitant to enter into binding treaties, especially those with the greatest cyber capabilities. And while many have attempted to apply the traditional Law of Armed Conflict to cyber-aggressions, the lack of established norms of behavior and the distinctiveness of cyber-attacks make the application of these rules unclear. Given this absence of clear rules, cyber-warfare is somewhat akin to the Wild West, where Chinese and Chinese state-sponsored hackers are a constant low-level threat for private businesses, and where American cyber activity, although less reported on, assuredly takes place. For instance, the 2010 cyber-attack on Iranian nuclear centrifuges dubbed Stuxnet was largely attributed to the US, suggesting that US cyber operations do occur, and are often extremely sophisticated. Although we typically focus on Chinese cyber operations in our country, in China such claims are equally leveled against the US, and there is little doubt that the US is the most sophisticated cyber-actor on the world stage.
I highlight the lack of international law in this area because it suggests that mere hacking is probably insufficient to warrant an international response. It may provoke public denunciations or even trigger cyber negotiations (domestic cyber-security legislation has already been proposed by members of Congress), but it is unlikely to result in direct action against the perpetrating nation: there are simply too many countries that engage in similar behavior.
But the Sony hack was not limited to merely hacking, and the more interesting aspect was the subsequent development where the hackers threatened to bomb movie theaters that were showing The Interview. This threat of the use of physical force has the potential to reclassify the cyber-attack as an act of cyber-terrorism, a little-explored area. (I should note: many believe that the term “terrorism” cannot be applied to state-actors, and that actions of nation-states that resemble terrorism should instead be tried under the traditional laws on the use of force. While this may be the case, it is ultimately a semantic distinction, as an act of cyber-terrorism would still most likely be illegal for a nation-state, although it may not be classified as such.)
Classifying cyber-actions is a notoriously difficult task. The standard breakdown is cyber-crime, cyber-attack, cyber-espionage, and cyber-terrorism, each of which is mirrored by a physical force counterpart (crime, military attack, espionage, and terrorism, respectively). Although this taxonomy exists, these categories are largely overlapping, with any individual event possibly qualifying as several, depending on the perspective of the classifier. The primary difference between cyber-espionage and cyber-crime, for example, is whether a government is directly involved. So while it is useful to consider these as distinct actions with distinct rules, in practice they tend to blend, which makes adjudicating disputes difficult.
Cyber-terrorism is as of yet primarily an academic concept, as instances of activity that are purely cyber-terrorism are hypothetical. The Tallinn Manual, a major academic study on the application of international law to cyber-warfare, refers to them as “cyber-attacks, or the threat thereof, the primary purpose of which is to spread terror among the civilian population.” This definition incorporates the definition of “cyber-attack,” which requires acts of violence, as opposed to mere disclosure or destruction of data. In addition, the “primary purpose” language is to distinguish cyber-terrorism from cyber-attacks that are conducted against military targets, but which have the collateral effect of terrorizing the population. Almost all military attacks terrorize the civilian population to some degree, but cyber-terrorism encompasses only those which offer little military advantage and therefore are employed primarily for their terrorizing effect.
(I should note, although the Tallinn Manual is a valuable resource for classifying cyber-attacks, it is ultimately not binding, and its views on cyber-terrorism should not be viewed as definitive under international law.)
Furthermore, despite the Tallinn Manual’s seemingly clear definition, classifying cyber-terrorism as a practical matter is more challenging. Identifying a clear intent to terrorize is the primary issue, and absent a clear statement to that effect, most cyber-terrorism is markedly similar to cyber-espionage or cyber-crime. This is a recurring problem in international law, where terrorism is left largely undefined, as setting too broad a definition would allow nations with poor human rights records to stifle dissident voices under the guise of anti-terrorism legislation (“one people’s terrorist is another’s freedom fighter”). After all, hacktivist groups like Anonymous have many of the traits associated with cyber-terrorism, but these are not typically what we mean when we say terrorism. This leaves substantial room for a nation-state to argue that particular activity was or was not terrorism based on its domestic agenda.
Notwithstanding the definitional ambiguity, North Korea’s involvement could potentially be classified as an act of cyber-terrorism. Although the initial attack is unlikely to qualify (cyber-terrorism requires a cyber-attack and the hack did not involve an act of violence), the subsequent threat to bomb theaters showing The Interview is certainly a threat of violence, which is sufficient for cyber-terrorism. It is unclear if the threat implied the attack would be cyber in nature (making an explosion unlikely), but even if it were merely a threat to use physical force, that would be equally actionable under international law as an unjustified threat of the use of force. If this statement could be definitively tied to North Korea, the threat of a use of force against civilian targets would certainly warrant international action.
But as is often the case with international law, things are unlikely to be this straightforward. North Korea would undoubtedly counter that its actions were precipitated by an act of terrorism by the film studio, whose depiction of the assassination of their leader they have repeatedly denounced as “the most blatant act of terrorism and war” and which they say “will absolutely not be tolerated.” The US is arguably not in a position to criticize another nation for taking unilateral action against a perceived terrorist threat, and North Korea’s identification of the movie The Interview as an act of terrorism would plausibly classify movie theaters as legitimate military targets. While I don’t think these arguments carry much weight, and while actual attacks on US movie theaters would undoubtedly lead to a stern US response, the combination of the ambiguities in international law, the attribution problem, and the lack of an act of violence suggests that a strong international response is unlikely.
Regardless of whether this attack is characterized as illegal under international law, unilateral action by the United States is practically assured. This will most likely take the form of increased economic sanctions, primarily by targeting the few banks and businesses that currently still do business with North Korea, but a more substantial response is not unthinkable. A US cyber-response is probably already ongoing to gather evidence, with more aggressive cyber-actions possible in the near future. North Korean networks are notoriously difficult to access (they are something of an island in the otherwise interconnected internet), but the US is believed to be able to monitor their networks to some degree, and a more substantial cyber-response is certainly within our capabilities. The full extent of the US response is hard to gauge: there is public outcry against Sony’s apparent submission to a terrorist threat, which many deem “un-American,” and there is substantial pressure on the White House to respond strongly against North Korea (which will probably be announced soon after this blog is posted).
Personally, I am hoping for both a strong response from the US and for Sony to distribute the movie as widely as possible (although I have no idea if a December 25 release is still feasible). North Korea’s persistence on the world stage in spite of its flagrant human rights violations and belligerent nuclear rhetoric has always struck me as a glaring weakness in US foreign policy, and while I can appreciate that direct intervention is complicated by its proximity and relationship with China, we absolutely should not acquiesce to its petty squalling on a matter as fundamental as freedom of speech. And while I’ve heard the movie isn’t particularly good, I will certainly make an effort to see it, if only because I won’t stand for someone telling me that I can’t.