Commentary: The past 24 hours have seen the Sony hack attack take us even further into new, uncharted territory.
With Sony announcing it is withdrawing the movie “The Interview” and the United States government confirming its belief that the attackers were state-sponsored actors from North Korea (who had loudly protested the movie “The Interview”), this situation has transformed from one of cybervandalism (albeit with unprecedented consequences) into a potential cyberwarfare situation. With the United States openly calling out a nation-state for attacking a business on its soil, the U.S. government has changed the discussion and placed itself squarely in the middle. This is no longer a situation between Sony and a shadowy hacking group; it’s now a situation between the United States and North Korean governments.
Today, we’re reading that U.S. officials are weighing what an appropriate response is to the situation in light of the events of the past 24 hours.
As someone who’s been in security and privacy, as well as spent some time around politics, I have a thought on what constitutes an appropriate response here.
Nothing more
Yes, you read that right: nothing more. I believe that the U.S. should do nothing more in response to this situation than it already has: naming North Korea clearly as being behind this.
Lest those readers who don’t know me think I’m a pacifist, let me assure you I’m quite the opposite. I believe in strong, decisive, overwhelming force in response when it makes sense. But in this case, I believe a response simply makes no sense.
No threat to national security
First, the attack itself is a nuisance, but in no way represents a threat to our national security or strategic interests. The only party hurt is Sony. Even there, Sony isn’t a U.S. company, so the argument that we’d be protecting U.S. economic interests is stretched very thin. The U.S. Government going to (cyber)war over this attack has more in common with the South Park movie (where President Clinton went to war against Canada for attacking the Baldwins) than with real security matters: it feels equally absurd.
Second, any response from the U.S. against North Korea is certainly going to lead to a counter-response from them and an escalation of the situation. We’re dealing with a state that doesn’t engage in proportionate response and whose true offensive cyberwarfare capabilities aren’t known. Honestly, our own defensive cyberwarfare capabilities aren’t really known either. The truth of the matter is that we haven’t seen a true open skirmish in a shooting war in this arena, let alone full-blown battles. This is an unknown realm we’re talking about, and so escalating the situation means opening up unknown risk.
Third, in many ways it’s viewed as not right to “blame the victim,” but I’m going to. Sony clearly understood there were risks in provoking North Korea but failed to intelligently accept and mitigate those risks. By all indications this wasn’t an especially sophisticated attack. Not only did Sony not adopt an enhanced security posture in light of the increased risks it was assuming with “The Interview,” but it’s debatable whether it even met accepted industry-standard best practices.
Finally, related to the last point, there’s the question of precedent. If the U.S. Government intervenes on behalf of a business that’s made very poor risk assessment and mitigation decisions, that amounts to a bailout. And we all know from 2008 that there are risks around bailouts: they convince others that there are no consequences for bad decisions, since they expect someone will rescue them. The risk around precedent here is huge: if it goes the wrong way, the U.S. government could be on the road to signing itself up as the de facto provider of cybersecurity for every business in the U.S.
Sony is not worth a cyberwar
The U.S. should do nothing else in response because Sony was stupid and played a game they didn’t understand properly. Now that they’ve gotten hurt, it’s important for the U.S. to look at this as a teachable moment and not come riding to Sony’s rescue.
Yes, the U.S. should make absolutely clear what the true lines are that will incur an overwhelming response. And as part of that, they should use this opportunity to make clear what will NOT incur that.
I’m not saying the problem is in deciding to do something controversial that incurs risks; the problem is in doing that without truly accepting and mitigating the risk. “The Satanic Verses” by Salman Rushdie (which sits on my bookshelf) is an excellent counterexample. Rushdie and Viking accepted a high degree of risk (people did die over this, after all). But never in that situation was there the possibility that the U.S. or other governments would go to war with Iran over it. Rushdie and Viking knew and accepted the risk, understanding that there would be limited help from the U.S. government. The same should apply here.
Since 2001, we have been living in a world of constant emergency where we try to fix everything, keep everything and everyone safe all the time, and keep bad things from happening. If we’re going to maintain our sanity and our liberty, we have to start standing down and accepting some of the reality of risks in this world. And part of that means that we focus again on responsibility and accountability. In this case, it means recognizing that Sony is not worth a cyberwar with North Korea.