[Update, Dec. 19:
I am not blown away by the US attribution of the hack to North Korea.
On technical grounds, there are problems like this, pointed out by Jeffrey Carr (h/t to @SaiGonSeamus), who wrote a book on cyberwarfare:
The White House appears to be convinced through “Signals intelligence” that the North Korean government planned and perpetrated this attack against Sony:
In one new detail, investigators have uncovered an instance where the malicious software on Sony’s system tried to contact an Internet address within North Korea
There is a common misconception that North Korea’s ICT is a closed system, therefore anything in or out must be evidence of a government-run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. Those companies are:
- Lancelot Holdings
- Loxley Pacific
- Shin Satellite Corp
- Orascom Telecomms Holding
Each offers a different service, but Loxley Pacific, a Thailand joint venture involving Loxley (Thailand), Teltech (Finland), and Jarangthai (Taiwan).
Loxley Pacific is a subsidiary of Loxley, a Thai public company that provides a variety of products and services throughout the Asia Pacific region. According to its 2013 annual report, Loxley has 809 permanent staff and 110 contract staff.
Loxley Pacific provides fixed-telephone lines, public payphone, mobile phones, internet, paging, satellite communications, long-distance/international services, wire or wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North Korea’s internet service run as a joint venture between the North Korean government and Loxley Pacific.
One of the easiest ways to compromise the Internet backbone of a country is to work for or be a vendor to the company which supplies the backbone. For the DPRK, that’s Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.
This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony’s network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out “The Interview” as Pyongyang’s alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific’s network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK’s network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.
Under international law, “the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State” (Rule 8, The Tallinn Manual). The White House must responsibly evaluate other options, such as this one, before taking action against another nation state. If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed.
On evidentiary grounds, there’s stuff like this:
China may have helped North Korea carry out the hacking attack on Sony Pictures, a US official has told Reuters.
The official, who spoke on condition of anonymity, said the conclusion of the US investigation was to be announced later by federal authorities.
There were also reports on Friday that Iran and Russia may have also helped the North Korean hackers.
The software used in the hacking was at a level of sophistication not previously seen in past North Korean attacks, a US intelligence source told Fox News, adding that China, Iran and Russia had all used the technology previously.
Bear in mind, this is from the anonymous official who’s making the case for North Korea.
Also, unfortunately, there is the whole political angle.
When America, even in the form of a Japan-owned movie studio, is attacked, the US government wants to strike while the iron is hot, i.e. when fear and anger are at a fever pitch, and the sense of outrage is unencumbered by second thoughts like “Do I really care what happens to Sony?” “How far am I willing to go to defend Seth Rogen’s freedom of expression?” or even “Did the hackers actually do us all, including Rogen & Franco, a favor by removing The Interview–by all accounts a real stinker–from the marketplace?”
Unfortunately, cyberattacks don’t lend themselves to quick attribution or, for that matter, even ultimate attribution. And for a government that does not want to make a spectacle of its impotence, waiting on due process and evidentiary niceties to produce the conclusion, “Well, the circumstances argue this, but we could never prove it in a court of law” doesn’t really cut it.
I have a suspicion that the United States has an app for that: blame somebody, preferably somebody unpopular, as quickly and categorically as possible.
So I see the quick attribution of the hack to North Korea as part of the “Infowar” mindset, one that obsesses inside-the-Beltway types but which I don’t think is really on anybody else’s radar: the idea that the government has to be able to manipulate and guide public opinion even in less than crystal-clear situations, if it has hopes of being effective.
In other words, when in doubt, finger the bad guy. There’s no downside, only upside.
[On 9/11] Rumsfeld ordered the military to begin working on strike plans. And at 2:40 p.m., the notes quote Rumsfeld as saying he wanted “best info fast. Judge whether good enough hit S.H.” – meaning Saddam Hussein – “at same time. Not only UBL” – the initials used to identify Osama bin Laden.
“Go massive,” the notes quote him as saying. “Sweep it all up. Things related and not.”
Who’s going to stand up and defend Kim Jong Un and the idea of due process and legal rigor in dealing with North frickin’ Korea? Nobody. And we’ve now got a free turn to take another swing at North Korea if and when we want to.
My melancholy prediction: even as cybercrimes become harder to attribute, governments will become quicker, more vociferous, and less scrupulous in providing those attributions.
I came across this measured exercise in opinion journalism penned by “Alec Ross, Senior Fellow at Columbia University’s School of International & Public Affairs” over at Huffington Post:
North Korea is a miserable, backward, hellhole of a place. It has a per capita GDP of less than $2,000 — trailing Yemen, Tajikistan and Chad — and about one-sixteenth the size of the GDP of South Korea. The Hermit Kingdom derives its power through the twin pillars of state repression and an all-encompassing propaganda apparatus.
This poor, delusional country managed to wallop Sony after it objected to the content of some movie which I can’t remember the name of at the present moment but which looks boring and stupid. ..
Kinda funny, in a way, since the FBI has stated there isn’t sufficient evidence to attribute the attack to North Korea at the present time, and in fact some people are pointing fingers at the People’s Republic of China instead. More about China later.
Hmmm, I said to myself, and I surfed off to find out whether Mr. Ross was indeed a fellow at some hallowed Ivy, or perhaps the meth-crazed denizen of some non-accredited on-line institution in Columbia, South Carolina.
My concern evaporated as I perused Mr. Ross’s lovingly curated Wikipedia page, helpfully titled Alec Ross (innovator):
Alec Ross (born November 30, 1971) was Senior Advisor for Innovation to Secretary of State Hillary Clinton for the duration of her term as Secretary of State, a role created for him that blends technology with diplomacy. As Secretary Clinton’s “tech guru,” Ross led State Department’s efforts to find practical technology solutions for some of the globe’s most vexing problems on health care, poverty, human rights and ethnic conflicts, earning him numerous accolades including the Distinguished Honor Award. In 2010 Ross was named one of 40 leaders under 40 years old in International Development, and Huffington Post included him in their list of 2010 Game Changers as one of 10 “game changers” in politics. He is also one of Politico’s 50 Politicos to Watch as one of “Five people who are bringing transformative change to the government.” Foreign Policy magazine named Ross a Top Global Thinker in 2011. U.S. Ambassador to the United Nations Samantha Power, speaking at the White House, referred to Alec Ross as “One of the most creative people probably that the U.S. government has ever known.” Profiled in 2011, Time Magazine describes how Ross is incorporating digital platforms into the daily lives of U.S. diplomats and his support of programs to train activists in the Middle East. Time Magazine also named Alec Ross one of the best Twitter feeds of 2012. In 2012, Newsweek named Alec to their Digital Power Index Top 100 influencers, listing him among other “public servants defining digital regulatory boundaries,” and the TriBeCa Film Festival awarded Ross a Disruptive Innovation Award. Alec Ross is recipient of the Oxford Internet Institute OII Award 2013.
… In April 2009, Ross was tapped to join the State Department. As Senior Advisor on Innovation, he successfully advocated for new digital diplomacy tools. In front of a group of activists, Hillary Clinton described his work by saying that “Alec Ross has been my right hand on all that we’re doing for internet freedom.” He is spearheading the “21st Century Statecraft” initiative and led Civil Society 2.0, a program to educate and train grass-roots organizations around the world to create Web sites, blog, launch text messaging campaigns, and build online communities. Speaking to digital diplomacy’s promise, Ross told The American Prospect, “If Paul Revere had been a modern day citizen, he wouldn’t have ridden down Main Street. He would have tweeted.”
… During the Libyan uprising, Alec drove the State Department’s efforts to “restore communication networks in rebel-held territories such as Benghazi, working with the late Amb. Chris Stevens, to fight the Internet blackout imposed by Libyan leader Muammar al-Qaddafi.” Ross’ team also “provided communications technologies to opposition members in the Syrian border areas and trained NGOs on how to avoid the regime’s censorship and cyber snooping.”
… In the eastern Democratic Republic of Congo, Ross … also put together a mobile banking program for soldiers who haven’t been paid in years, empowering them with the ability to securely transfer money and save through accounts over cellphones.
Gadzooks, I thought. Benghazi! No, really, I realized this is Hillary Clinton’s go-to guy for evil-empire related digital policy, besties with Samantha Power, and also an indispensable, foundational figure in the compilation of end-year listicles.
Upon reviewing these credentials, my concerns were allayed, and I look forward to our 21st-century high speed, high efficiency digital justice system, which pitches cumbersome anachronisms such as evidence and due process off the steamship of modernity (to paraphrase my favorite Mayakovsky bit), and allows the simultaneous posting of crime, sentence, and punishment on the pages of our new court record, Huffpo.
The Sony hack apparently involves a major investment of time and resources, which are available both to governments and to criminal gangs. What makes the Sony hack kinda special is that, once access was obtained and the goodies extracted, the intruders torched the place and made a public spectacle of their crime.
Going the extra mile in vandalism and humiliation would seem to argue some political purpose beyond simple malice, mischief, and greed, and observers have naturally gravitated toward a narrative of North Korean revenge for The Interview.
But, you know, maybe something Chinese. Not an operation sanctioned by the PRC government, to be sure—the benefits are minuscule (unless Xi Jinping just absolutely had to see Annie pre-release) compared to the potentially immense diplomatic and economic costs—but maybe some kind of off-the-books operation by rogue, nationalistic-minded hackers who decided to stick it to a vulnerable Japanese corporation as punishment for the Japanese government’s confrontational attitude toward the PRC over the Senkakus, the pivot, etc.
One of the more interesting cases bubbling along in cybercrime is the early-December arrest of 77 (!) PRC nationals crammed into a house with their computer gear in an upscale Nairobi neighborhood, allegedly with criminal designs on the Kenyan banking system.
The PRC surfs and hacks the world looking for system vulnerabilities, and I’m beguiled by the possibility that a government cyber operation discovered a vulnerability in the Kenyan banking system, and a freelancing group of hackers decided to exploit that information for some private and profitable breaking and entering.
I suspect in the brave, new world of PRC hacking, there is a growing cadre of entrepreneurially minded or ideologically driven hackers who can bring impressive information, resources, and skills to bear on a chosen objective.
Given the difficulties of identifying a smoking gun as to an originating server—let alone a controlling individual or institution—Ross speculated about a private-sector riposte which sounds rather ridiculous:
It is only a matter of time before some hotshot group of engineers recognizes and stalls a cyber attack and instead of calling the authorities (who can’t do anything anyway), the VP of Engineering orders a counter attack against the aggressor. If Sony had a better engineering department — if it were a little more Northern California instead of Southern California — I wonder what would have happened if they had identified the source of the hack and shot back with a DDoS attack. Would the North Koreans have considered this an “invasion” by the United States or Japan (where Sony is actually headquartered)? They are complete lunatics, so they probably would.
I can only hope that, if Hillary Clinton is elected president, they will give Alec Ross a phone that can only call 911 and a computer that is not plugged in to the Internet.
Functionally, the Sony hack resembles the 2012 “Shamoon” hack of the Saudi Aramco network in Saudi Arabia, itself perhaps retaliation for the US/Israeli Stuxnet attack on Iran’s centrifuge operation. In addition to a data drain, Shamoon featured the wiping of target hard drives and the presentation of a taunting message on computer screens. The resemblance is more than cosmetic: both wipers overwrote disks through the same commercially licensed raw-disk driver (EldoS RawDisk) rather than through the normal file system, which is why the two are routinely compared—though shared off-the-shelf tooling, like a shared network path, says nothing by itself about who was at the keyboard.
I wrote about Shamoon for Asia Times Online in 2013, and pointed out the implications of larger and more sophisticated cyberintrusions.
[T]he PRC and Russia have lined up behind a proposed “International Code of Conduct for Internet Security”, an 11-point program that says eminently reasonable things like:
Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security. Not to proliferate information weapons and related technologies.
It also says things like:
To cooperate in combating criminal and terrorist activities which use ICTs [information and computer technologies] including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.
The United States, of course, has an opposite interest in “freedom to connect” and “information freedom,” (which the Chinese government regards as little more than “freedom to subvert”) and has poured scorn on the proposal.
The theoretical gripe with the PRC/Russian proposal is that it endorses the creation of national internets under state supervision, thereby delaying the achievement of the interconnected nirvana that information technology evangelists assure us is waiting around the next corner – and also goring the ox of West-centric Internet governing organizations like ICANN.
So the Chinese proposal is going exactly nowhere.
The (genuine) irony here is that the Chinese and Russians are showing and driving the rest of the world in their response to the undeniable dangers of the Internet ecosystem, some of which they are themselves responsible for but others – like Stuxnet – can be laid at the door of the US.
In response to hacking, the Internet as a whole has evolved beyond its open architecture to a feudal structure of strongly-defended Internet fortresses, with cyber-serfs free to roam the undefended commons outside the gates, glean in the fields, and catch whatever deadly virus happens to be out there.
In recent months, the word “antivirus” has disappeared from the homepages of Symantec and McAfee as they have recognized that their reference libraries of viruses can’t keep up with the proliferation of millions of new threats emerging every year, let alone a carefully weaponized packet of code like Stuxnet, and protect their privileged and demanding users. Now the emphasis – and gush of VC and government money – has shifted to compartmentalizing data and applications and detecting, reducing the damage, and cleaning up the mess after a virus has started rummaging through the innards of an enterprise.
In other words, the Internet fortresses, just like their medieval analogues, are increasingly partitioned into outer rampart, inner wall, and keep – complete with palace guard – in order to create additional lines of defense for the lords and their treasure.
In other words, they are starting to look like the Chinese and Russian national internets.
It is, unfortunately, a simple and incontrovertible fact that, if we want to effectively detect, block, and investigate cyberattacks, the solution is tightly monitored, internally accountable national internets along the lines implemented by the PRC, Iran, and, increasingly, Russia and Brazil. Under this model, states have the capability, right, and responsibility to police their digital borders as they do their physical borders.
This approach is, of course, anathema to Mr. Ross, as it raises the specter of oppressive governments stifling dissent and inhibiting free expression at the same time they pursue cybersaboteurs.
It also flies in the face of the US strategic and economic interest in an open transnational network accessible to Google bots and NSA penetration, that places American government and corporate entities at the profitable, vulnerable heart of the Internet, and makes it dependent on US good offices, just as the international financial system still is today.
Unfortunately, the US, in its interest in sustaining an open, transnational, and easily compromised Internet, is at the same time demonstrably unable and unwilling to effectively secure it or police it fairly. That’s why the current Internet has the structural robustness and integrity of a bag of shit thrown from a third-story window.
And that’s why I’m afraid our response to outrages like the Sony hack will be to use the language of deterrence and intimidation–and private sector vigilantism–to shift focus away from the profound and probably irreconcilable contradictions that form the foundation of the current Internet.