The Sony Pictures hacking: lessons for policymakers and security specialists

Dr Tim Stevens is a Teaching Fellow in the Department of War Studies at King’s College London

The story of how the US government identified North Korea as the source of massive data theft from Sony Pictures at the end of 2014 continues to unfold. As it does so, it provides an opportunity to consider the interplay of government intelligence practices and open source intelligence (OSINT), neither of which emerge with great honour from this particular episode. Importantly, it highlights the need for policymakers facing similar situations to capitalise on the knowledge of individual experts and communities for the public good.

The FBI was quick to assert North Korea’s guilt but its statements were long on certainty and short on details. Attribution of cyber security breaches to specific sources is notoriously difficult and researchers were understandably sceptical of the FBI’s claims. Subsequent FBI statements attempted to provide more technical details did little to assuage researchers’ concerns, which were twofold. First, how was it possible to establish attribution so quickly? Second, if the FBI’s attribution was incorrect, this established a dangerous precedent: the first public identification of a state as the source of a major cyber-attack would eventually show the US to have been duped by a presently unknown third party.

Experienced open source intelligence (OSINT) researchers quickly pulled apart the FBI’s case. Linguistic analysis showed the hackers’ native language was probably Russian, not Korean. The allegedly North Korean internet addresses identified by the FBI could have been ‘spoofed’ and were not proof of the attackers’ geographical location. Internet security company Norse claimed the attacks were an inside job by disgruntled Sony employees rather than any shadowy North Korean military unit.

Security researchers subsequently demanded more evidence from policymakers, though they realised an intelligence agency would not reveal its ‘sources and methods’, for valid technical and political reasons. One OSINT researcher even started an online petition, which has attracted just 127 signatures, calling on the White House to release its evidence for independent review. None was forthcoming, and the FBI contained to press its case, as did the president, who imposed sanctions on Pyongyang.

One leading cyber security researcher, Thomas Rid of King’s College London, responded to the FBI’s claims in mid-December by tweeting that its attribution was ‘as good as it gets’. Whether this was damning with faint praise or a genuine belief in the FBI’s analysis was unclear but Rid looks to have been right. In January it became clear that the FBI case had a longer analytical pedigree than security specialists or the public had been led to believe.

The US government’s case against North Korea was strengthened further when The New York Times reported that the National Security Agency had been active in North Korean networks since at least 2010. The NSA built up a picture of North Korean capabilities and intentions enabling it to attribute the Sony hack to individuals and units it knew plenty about.

As this episode and the Snowden revelations have shown, US intelligence agencies are no strangers to infiltrating foreign computer networks, but there is an irony here. American accusations of foreign attacks on American assets have seemingly only been corroborated by information concerning American attacks on foreign assets. This is clearly a tricky question of policy for the US government, even if it does signal the reach of American capabilities in this field. More worryingly for the US, few people, especially cyber security experts, believed its initial claims, nor its subsequent explanations. The fiercest criticism of the FBI came from the OSINT community, which perhaps says a lot about its integrity and its desire not to create precedents deleterious to future cyber security.

As a case study, the Sony hacking demonstrates how difficult technical attribution of cyber-attacks can be and how incomplete evidence can lead to incorrect conclusions or, at least, multiple interpretations. There are no easy resolutions to this situation. OSINT researchers operate in the absence of classified information and in environments of incomplete knowledge. Government agencies face institutional straitjackets that limit their capacity to make the conceptual leaps necessary to entertain alternative explanations. It is the task of public policy to capitalise on the strengths of both communities for the public good. We can only hope that recent events will encourage governmental efforts to do just that.

Follow Dr Stevens on twitter: @tcstvns

Leave a Reply

Your email address will not be published. Required fields are marked *