With the dual announcements that Sony is canceling ‘The Interview’ and the U.S. believes North Korea is behind the cyber attack on Sony that led to the movie’s cancellation, we all just got to witness a textbook case of successful cyber and psychological operations. Ironically, the success came from a country commonly viewed as a technology backwater – North Korea.
Since information on the movie first started to appear, the North has made it very clear that it objected to the movie, especially the purported assassination of its leader. As production finished and the release date neared, with no sign of the movie being cancelled, the North apparently decided to try options aside from public objections.
Military, diplomatic, and economic options likely offered limited ability to get the movie canceled, especially when compared to cyber options – a skillset the North has been honing for years. Step one would be to get inside Sony’s systems, step two would be to steal or destroy the movie. Failing that, psychological operations (what the U.S. military calls ‘information operations’) came into play. By releasing the most salacious information gained during the attack, the hackers were able to gain massive amounts of media coverage.
Without proving their capabilities, and thereby gaining the associated media attention, the next step – threatening moviegoers and theaters – was much less likely to succeed. An isolated phone call or email a few days prior to release is no comparison to the technically advanced, complex, unconventional campaign on display here. The first would have been largely ignored (without an actual attack), while the second resulted in the success currently on display – the worldwide cancellation of the movie, financial damage to Sony, and public embarrassment for Sony and others.
How much of this operation was part of a plan, versus how much was done in response to what was found after gaining entry into Sony’s systems, is unclear. For all we know, the goal was to steal the movie and destroy it, with no thought given to any type of media plan. If that was the case, the adaptability and quick adjustment of the group/system that conducted the attack to exploit the media coverage is also impressive. Could a similar force governed by a U.S. bureaucracy have been able to adapt so quickly?
Now that the U.S. is vowing a ‘proportional response’ (North Korea has a large, multinational film corporation to hack and embarrass?), what’s next? Given the poor track record of U.S. efforts to confront the successful ISIS media campaign and the desire to keep successes like Stuxnet quiet, it may be years before we know if a response was attempted, much less whether it achieved anything near the success of the North Korean effort.
Assuming the attribution to the North is correct, what we do know is that North Korea used cyber means to achieve a national policy goal – the movie was suppressed and will not (at least in the near term) see the light of day. With networks easy to penetrate, attribution difficult to determine, and (to date) limited responses when threat actors are uncovered, there exists almost no ability to prevent or deter future attacks.
As myself and plenty of others have written, the key vulnerability of North Korea is outside information. Challenging the near total control the regime maintains over its domestic information environment provides an avenue to punish and deter the North. Threatening the North with bombs or sanctions is nothing new and will likely produce nothing new. Threatening them with radios and smartphones would swiftly change the status quo (especially by including a few references to Commando Solo) and offers the best chance of swiftly affecting the North’s decision/deterrence calculus. Again, this is nothing new. Hopefully now, someone will finally pay attention.