Troubling as it was to see the President of the United States lob questionable charges at a rogue regime and threaten proportional response – whatever that means – then jet off to Hawaii for a two-week holiday, it’s more troubling that in the face of evidence to the contrary, the FBI is stands by its speedy assessment that the North Koreans are to blame for the Sony attack.
Attribution is the most difficult task in analyzing cybercrime. Truly adept cybercrimals write purposeful miscues in their code to implicate others, and anyone can buy code that’s been used by someone else. There’s a virtual Wal-Mart for cybercriminals out there on the dark web. Right next door, there’s another storehouse of used malware code for free. And another, and another.
This week, a security research firm that’s studied the Sony breach since its announcement tossed cold water on the FBI’s North Korea theory. Some of the most respected names in the information security realm agree that the feds are barking up the wrong tree. Many of these experts doubted the state-actor theory even as President Obama made his pre-Christmas announcement blaming North Korea.
Three notable concerns arise from the President’s premature saber-rattling, and from federal insistence on pursuing the course based on deficient intelligence.
The first is obvious. Threatening North Korea for hostilities that can’t be reliably attributed to it could become another embarrassing moment in United States international relations. Moreover, if Kim Jong Un’s regime has the skill and resources to pull off the Sony attack, such saber-rattling could be dangerous. If the leader of the free world believes an adversary to be capable, unpredictable, and on the warpath, why poke it in the eye and then head for the beach?
Second, why the rush to judgment? It’s been documented by Stuxnet chronicler Kim Zetter that the initial messages to Sony from its attackers were demands for money, and had nothing to do with Sony’s movie featuring the assassination of Kim Jong Un. Not until December 8, when the media had repeatedly linked the attack to some North Korean grumbling about the film dating back to last summer did the attackers make their first public reference to it. In other words, the North Korea narrative may be a media invention, and may have clouded the motive of the real culprits, who appear to have wanted ransom, not censorship.
Note also that it wasn’t until someone threatened to blow up movie theaters, likely some capitalism-hating jackass of the variety that boast penetrating the networks of big companies for laughs, that the White House ventured an opinion. A cynic might suggest that a threat to movie theaters on Christmas Day is an opportunity to promote federal police power unlike any since the days after September 11.
Americans are gaining a rapid understanding of cybercrime, but it’s still murky to many. Some of these Americans, consumed by their own daily obligations, followed the story just closely enough to cite the insulting email remarks about Angelina Jolie, but did not grasp the dire effects of the attack on Sony. Some of them offered the theory on a recent radio talk show that Sony hacked itself, to generate publicity for its movie. What a fertile field in which to sow fear.
Finally, and in some ways most disturbing, the President conflated a straightforward business decision involving risk management with a sin against the First Amendment. Obama had plenty of company in this regard, with Hollywood heavies like George Clooney leading the charge, and commentators shepherding the general public to join in such a Sony-shaming harangue that the troubled company felt compelled to reverse itself after pulling the film from its scheduled debut.
Of course, foreign dictators have no standing to commit a First Amendment violation against U.S. citizens, but this became the mantra. Sony should not buckle to offshore censorship. (Like Facebook does?) Nobody defended Sony’s right to withhold speech, which is surely as embedded in the concept of free expression as is the right to disseminate ideas.
Sony, already smarting, and perhaps struggling for its very existence, was castigated for performing a fundamental risk assessment that measured the slight possibility of exploding movie theaters against the devastating consequences of such an occurrence, however unlikely. It was grossly unfair to paint Sony’s risk aversion as a slap in the face of the U.S. Constitution rather than a simple failure to devise a creative solution. Which it later did, under significant duress.
I wish (the Sony executives) had called me, the President said. No wonder they didn’t.