Attributing the Sony Attack

No one has admitted taking down North Korea's Internet. It could have been an act of retaliation by the US government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government.

Not knowing who did what isn't new. It's called the "attribution problem," and it plagues Internet security. But as governments increasingly get involved in cyberspace attacks, it has policy implications as well. Last year, I wrote:

Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist. They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind. They all eavesdrop or steal data. They all engage in denial-of-service attacks. They all probe cyberdefenses and do their best to cover their tracks.

Despite this, knowing the attacker is vitally important. As members of society, we have several different types of organizations that can defend us from an attack. We can call the police or the military. We can call on our national anti-terrorist agency and our corporate lawyers. Or we can defend ourselves with a variety of commercial products and services. Depending on the situation, all of these are reasonable choices.

The legal regime in which any defense operates depends on two things: who is attacking you and why. Unfortunately, when you are being attacked in cyberspace, the two things you often do not know are who is attacking you and why. It is not that everything can be defined as cyberwar; it is that we are increasingly seeing warlike tactics used in broader cyberconflicts. This makes defense and national cyberdefense policy difficult.

In 2007, the Israeli Air Force bombed and destroyed the al-Kibar nuclear facility in Syria. The Syrian government immediately knew who did it, because airplanes are hard to disguise. In 2010, the US and Israel jointly damaged Iran's Natanz nuclear facility. But this time they used a cyberweapon, Stuxnet, and no one knew who did it until details were leaked years later. China routinely denies its cyberespionage activities. And a 2009 cyberattack against the United States and South Korea was blamed on North Korea even though it may have originated from either London or Miami.

When it's possible to identify the origins of cyberattacks -- as forensic experts were able to do with many of the Chinese attacks against US networks -- it's as a result of months of detailed analysis and investigation. That kind of time frame doesn't help at the moment of attack, when you have to decide within milliseconds how your network is going to react and within days how your country is going to react. This, in part, explains the relative disarray within the Obama administration over what to do about North Korea. Officials in the US government and international institutions simply don't have the legal or even the conceptual framework to deal with these types of scenarios.

The blurring of lines between individual actors and national governments has been happening more and more in cyberspace. What has been called the first cyberwar, Russia vs. Estonia in 2007, was partly the work of a 20-year-old ethnic Russian living in Tallinn, and partly the work of a pro-Kremlin youth group associated with the Russian government. Many of the Chinese hackers targeting Western networks seem to be unaffiliated with the Chinese government. And in 2011, the hacker group Anonymous threatened NATO.

It's a strange future we live in when we can't tell the difference between random hackers and major governments, or when those same random hackers can credibly threaten international military organizations.

This is why people around the world should care about the Sony hack. In this future, we're going to see an even greater blurring of traditional lines between police, military, and private actions as technology broadly distributes attack capabilities across a variety of actors. This attribution difficulty is here to stay, at least for the foreseeable future.

If North Korea is responsible for the cyberattack, how is the situation different than a North Korean agent breaking into Sony's office, photocopying a lot of papers, and making them available to the public? Is Chinese corporate espionage a problem for governments to solve, or should we let corporations defend themselves? Should the National Security Agency defend US corporate networks, or only US military networks? How much should we allow organizations like the NSA to insist that we trust them without proof when they claim to have classified evidence that they don't want to disclose? How should we react to one government imposing sanctions on another based on this secret evidence? More importantly, when we don't know who is launching an attack or why, who is in charge of the response and under what legal system should those in charge operate?

We need to figure all of this out. We need national guidelines to determine when the military should get involved and when it's a police matter, as well as what sorts of proportional responses are available in each instance. We need international agreements defining what counts as cyberwar and what does not. And, most of all right now, we need to tone down all the cyberwar rhetoric. Breaking into the offices of a company and photocopying their paperwork is not an act of war, no matter who did it. Neither is doing the same thing over the Internet. Let's save the big words for when it matters.

This essay previously appeared on TheAtlantic.com.

Jack Goldsmith responded to this essay.

Posted on January 7, 2015 at 11:16 AM • 29 Comments

Comments

Daniel • January 7, 2015 12:28 PM

Goldsmith writes, "The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky."

It is tricky. One of the most tricky things about the balance is that the game is not just iterative but also cumulative.

Goldsmith writes, "The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages."

Credibility is cumulative. We call cumulative credibility reputation. We can't ignore the fact that America's reputation in this area of attribution is not good and continues to decline.

Goldsmith is correct that there is a tricky balance to be struck. Rather, what is obvious is that the criteria that he uses as inputs to determining the proper balance are defined in a self-serving way to reach a predetermined conclusion.

Gary B • January 7, 2015 12:39 PM

My bet is on one of two things: either the NSA owns a few popular proxies and has proof from logs, or the NSA has taps on all fiber going to China, or, of course, both!

Jason Roth • January 7, 2015 12:53 PM

But, Bruce, regarding your comment:

"If North Korea is responsible for the cyberattack, how is the situation different than a North Korean agent breaking into Sony's office, photocopying a lot of papers, and making them available to the public?"

What about the fact that the hackers physically threatened people's lives?

Also, by comparing these damaging leaks to "a lot of papers", you're not addressing the content of those papers. I could also steal some books from a bookstore and distribute photocopies of those. But if I steal the unpublished manuscript for your next book for the purpose of harming your life and/or intimidating you into keeping your mouth shut about my miscellaneous nefarious activities, the *motive* (and objective consequence) differentiates two acts of mere "information distribution".

AlanS • January 7, 2015 1:39 PM

See Wheeler's North Korea and Sony: James Clapper Describes His Trip.

Wheeler argues that 1. Goldsmith's arguments about attribution don't extend to discussions of motive, 2. the events and the supposed motive don't add up, 3. if it was the North Koreans (she's not convinced) a rational motive is more likely to be found in James Clapper's "highly unusual trip to North Korea just weeks before the hack" and 4. the public is owed a more detailed account of what happened during the trip. Clapper claims that during a 12-course meal he got into a heated exchange with the North Korean official he claims ordered the hack.

Skeptical Consumer • January 7, 2015 2:16 PM

Bruce,

I've got a question that's orthogonal to this topic, but hopefully you can shed some light: How would one (preferably at the general user level without any special systems access) confirm that a site claiming to be DDoS'd actually was? How can you tell the difference between a badly configured, over-capacity system going down and a bona fide attack? (Link to specific case if you're interested)

Coyne Tibbets • January 7, 2015 3:23 PM

(I'm not sure that I agree that it was easy to attribute a tank attack because only "the government could afford tanks". This ignores false-flag attacks, and attackers who stole the tanks.)

Attribution is especially difficult where there is motive to mis-attribute. In this case, there is political advantage to attributing the attack to North Korea, such that the government may willfully ignore evidence to the contrary. They want it to be North Korea, and therefore it will be.

Thomas • January 7, 2015 3:25 PM

"This is why people around the world should care about the Sony hack."

I care about the Sony attack because one country is sanctioning another country based on what it may or may not have done to a company from a third country.

Surely we have reached the "diplomacy" stage of (cyber-)warfare:

http://www.induceddyslexia.com/douglasadamsquotes.htm

In Creeps We Trust • January 7, 2015 3:27 PM

Jason Roth has a point. When there is violent intent, it's no longer just an extremely funny prank on Hollywood celebrities, sad-sack US presidential figureheads, and third-rate FBI gumshoes - it's a state-sponsored Act of War.

As a corollary we need to declare war on the Department of Health and Human Services.

http://www.blacklistednews.com/Former_Head_of_Cyber_Security_Gets_25_Years_for_Planning_to_%E2%80%9CViolently_Rape_and_Murder_Children%E2%80%9D/40644/0/38/38/Y/M.html

Clearly nowadays the child molester's dream job is not Scoutmaster or Priest but US government cyber-warrior!

recherche • January 7, 2015 5:07 PM

I read elsewhere, about a week ago, another theory. Apologies in advance for not being able to give attribution to the author... they deserve credit for an interesting idea, which is:

If the US Government declares that the damage done to the relevant Sony enterprise(s) is due to "force majeure" by another nation state, then many, many places where the Sony attack could leave Sony with liabilities to third parties are shut down, as standard contracts would often have clauses letting Sony off the hook in this case.

Any legal opinions out there about this type of clause, whether Sony would have the influence to get the US Government to effectively invoke this situation, and what are the international precedents and/or standards in this area?

-- recherche

Buck • January 7, 2015 5:24 PM

So we are to believe Comey that the North Korean cyber warriors are so competent as to not allow any attackers into their internal government networks, but so sloppy that they simply forgot to use their proxies? As silly as this all sounds, if true, we would be wise to copy their amazing cyber defense capabilities...

Tom Potter • January 7, 2015 6:26 PM

"Jason Roth has a point. When there is violent intent, it's no longer just an extremely funny prank on Hollywood celebrities, sad-sack US presidential figureheads, and third-rate FBI gumshoes - it's a state-sponsored Act of War."

Jason Roth does NOT have a point. Or alternatively, you're misunderstanding him after he already misunderstood Bruce.

Jason writes:

"What about that the hackers physically threatened people's lives?

Also, by comparing these damaging leaks to "a lot of papers", you're not addressing the content of those papers. I could also steal some books from a bookstore and distribute photocopies of those. But if I steal the unpublished manuscript for your next book for the purpose of harming your life and/or intimidating you into keeping your mouth shut about my miscellaneous nefarious activities, the *motive* (and objective consequence) differentiates two acts of mere "information distribution"."

Bruce's point was not that the Sony hack was "mere information distribution", or that it wasn't serious. Bruce's point was that it was a crime rather than an act of war.

Don't make the mistake of thinking that crimes can't be serious, or that everything that is serious is an act of war rather than "just" a crime.

In Creeps We Trust • January 7, 2015 6:43 PM

@TP

Ha, ha, guess we blew up the sarcasmatron with that one! Jason Roth has a point but if he parts his hair right it won't show too much. This 'intimidation' nonsense is what happens when you pay people to look for threats for a living - everything's a threat.

NobodySpecial • January 7, 2015 6:43 PM

@Buck - of course that's what they want you to think !

So if North Korea are such excellent Cyber-ninjas that only they could have perpetrated this attack then the fact that they left such an obvious clue proves they didn't do it.

Since the only people with an interest in proving that North Korea DIDN'T do it are North Korea and the only evidence that North Korea didn't do it is the presence of such an obvious red herring, then that proves North Korea did it.

- obviously the poison goblet scene in the Princess Bride isn't part of FBI training .

Sancho_P • January 7, 2015 6:49 PM

@ Daniel (12:28 PM)

Jack Goldsmith is a lawyer, and I guess a good one. Cherry-picking a story is his job, and no one would expect the defense to bring up the “wrong” idea.
There is a set of rules and these guys will always strictly follow the book, like a robot that follows its code, may it be good or bad. It was never their duty to question the rules (the law) which are given "from above".

I have two issues with his essay.
First, cherry-picking to make the case is OK in court but he isn’t the defense and the audience isn’t the court. He writes about proper balance but e.g. doesn’t question the attribution itself, the collective punishment or mention the principle “not guilty until sentenced”.

Second, his "tricky" balance of secrecy and disclosure may be useful to obscure details but is counterproductive to solving problems.
It’s not complex.
When someone encounters a rotten floorboard with termites it’s not wise to hide it by a carpet. The better solution is to call experts and have that mess repaired.

Improvement is iterative but requires knowledge what went wrong.
Keeping flaws secret isn’t a solution but the problem here.

Now we have IP addresses - that's evidence because he told us.

Grauhut • January 7, 2015 7:10 PM

@Daniel: "...IP addresses used exclusively by the North Korea."

Does that mean the NK geeks and their super secret IT stuff are unhackable and no stranger can abuse their IP space? Super-Kongs? Nope. [include usual_facepalm.gif]

Richard s. • January 7, 2015 9:17 PM

AlanS Re: Wheeler

Very interesting link, though highly circumstantial.

Goldsmith is right for the most part.

When folks say Sony was attacked, Sony this, Sony that, my question is how much autonomy does Sony Picture Entertainment have from Sony the Japanese conglomerate?

Does SPE have its own IT department? Makes its own biz? How much direct control does the Sony CEO have over SPE?

cod3fr3ak • January 8, 2015 12:50 AM

@recherche That's my take. I am nearly certain that this is a win-win situation for Gov and Sony Inc.
Gov gets to ramp up cyber spending, saber rattling, etc. while Sony avoids liability for failing to protect their shareholders' investments (namely their data networks). I recall reading an article that has quotes from a former CIO stating that the cyber breach risk was minimal. That's why, even though no evidence existed of a "9-11" style plot, or even capabilities to carry out such a plot, on various unspecific theaters was used as a reason for not screening the pic.

From a biz standpoint, and I've seen Bruce talk about this many times, but very rare events just are never on the C-level radar -- UNTIL AFTER they happen. No one buys insurance for asteroid or meteor collisions, or insurance for a cruise ship hitting a sperm whale or whatever; even though slight, the possibility is always there. The likelihood is quite low. Same thing for attacks of this nature, so it's a good biz move not to buy many servers, IDS, train people, etc. However no CIO or CEO could ever come out and say that.

someone that used to visit • January 8, 2015 6:16 AM

Bruce, sorry if I don't share your indignation, wonderment or resolve to determine who attacked Sony. For me a far better analogy is one of a rich person that builds a Crystal Palace so that his undeniable wealth is on display for all the world's poor to see. Yet let just one of the poor @#$tards throw so much as a pebble at his crystal palace and he'll leave no stone unturned identifying the ingrate... I mean, who has a problem dealing with reality, the rich palace owner or the poor pebble owner?

GreenSquirrel • January 8, 2015 6:16 AM

@Tom Potter

"Don't make the mistake of thinking that crimes can't be serious, or that everything that is serious is an act of war rather than "just" a crime."

Very well put.

It seems that we now live in an age where everything has to escalate so that crime is no longer shocking enough to get a response unless we call it terrorism or war.

david • January 8, 2015 10:10 AM

@Grauhut,
Does that mean the NK geeks and their super secret it stuff are unhackable and no stranger can abuse their ip space? Super-Kongs? Nope. [include usual_facepalm.gif]

what types of proof would you look for instead?

Grauhut • January 8, 2015 3:59 PM

@David "what types of proof would you look for instead?"

You need to look at input and output if you speculate about router IPs. The only half-hard evidence is keylogs, HID data. Half because any kind of computer log can easily be faked. And it's difficult to trust agencies these days, all proven liars.

Sancho_P • January 10, 2015 12:20 PM

@ david

I can’t speak for @Grauhut but in my opinion there is no hard evidence in the IT.

Is there trusted, certified hardware at work?
Is there trusted, certified software at work?
Are the systems (combination of hw + several sw packets) approved or at least approvable?
Are there approved (oath) gov investigators at work?
Is the liability for (not) compromised data clearly stated?
Is there a chance for the defense to check the “evidence” and facts?
Will the defense have access to all controversial “evidence”?
...

See @ Clive Robinsons excellent posting:
https://www.schneier.com/blog/archives/2014/12/more_data_on_at.html#c6685889

Buck • January 10, 2015 7:28 PM

@NobodySpecial

Let me first start off by attempting to describe how humorous I found your metaphor of "the poison goblet scene in the Princess Bride" ;-) Had a big audible chuckle upon my first reading! I'd probably still be laughing, but it's too much effort to disentangle the facts from fiction...

Secondly - and I've been racking my brain over this - why the hell would the FBI (or anyone in the executive for that matter) ever have opened their big fat traps about the Sony hack to begin with? Much less, then attempt to 'answer skeptics' only weeks later!?
International sanctions..? No.. One would have expected any somewhat competent status quo administration to act unilaterally and with impunity to impose any retaliatory measures deemed necessary (by themselves alone) - as they would against, say, Iran.? Well, North Korea already has the bomb, you say? Then just say that they're working on advanced ICBMs! Oh, South Korea has already just said that!? Uhhh... then just say they're trying to fit one into a briefcase! It doesn't really matter as long as everyone's sufficiently scared!!

I think @65535 & @gordo might be onto something with their posts in other recent threads... There's almost certainly something else going on in the secret circles!
