Publication: Survival: Global Politics and Strategy
30 January 2015
Hollywood has not been slow to appreciate and exploit the cinematic potential of the threat from cyber attacks. Films such as Live Free or Die Hard contain graphic depictions of the chaos caused when hackers take control of US transportation networks, the stock market and natural-gas and power grids on the Eastern Seaboard. Hollywood did not, however, anticipate that it would become the target of the first-ever alleged state-sponsored destructive computer-network attack to take place on US soil – and that by virtue of this fact it would find itself, not for the first time, playing the role of a major national-security actor.
The film that brought about this state of affairs seems unlikely ever to have been considered Oscar-winning material. The Interview, a comedy produced by Sony Pictures Entertainment, stars Seth Rogen and James Franco as US journalists who, after securing an interview with North Korean leader Kim Jong-un, are enlisted by the CIA to assassinate him. In late June 2014 the North Korean government characterised the film as ‘an act of war’ and promised ‘stern and merciless countermeasures’ in the event that it was screened in the United States. On 27 June, North Korea’s permanent representative to the United Nations sent a letter to UN Secretary-General Ban Ki-moon demanding that the film be withdrawn. The letter stated that the US government’s willingness to allow the film to be screened constituted ‘explicit support for terrorism and an act of war’. News of the film came at a particularly difficult time for North Korea, as its human-rights record had become the subject of detailed international scrutiny, giving the leadership cause to fear that it might be indicted in the International Criminal Court for crimes against humanity.
Unsurprisingly, Sony paid no attention to these demands. But on 22 November the company discovered that its corporate network had been the subject of intrusive attacks. The attackers had stolen terabytes of data, wiping the original files from Sony’s computers, and had threatened to publish it unless Sony complied with the hackers’ demand not to screen The Interview. Some of the material was loaded onto alternative sites, and the passwords protecting it were made available to the media. Those accessing the sites discovered much embarrassing detail about Sony’s internal activities – including disparaging comments by Sony executives about some of their stars and other collaborators – along with four films Sony had not yet released. The immediate cost of these attacks has been assessed at $200 million, though the second-order costs, including possible law suits by those claiming Sony failed adequately to protect their data, could prove much higher. North Korea denied responsibility for the attacks, but described them as a ‘righteous deed’. On 16 December the hacker group Guardians of Peace threatened 9/11-style attacks on any US cinemas showing the film, as a result of which most major cinema groups declined to screen it.On 19 December the FBI stated formally that the North Korean government was responsible for the attack, citing similarities in ‘specific lines of code, encryption algorithms, data deletion methods and compromised networks’ to previous attacks attributed to North Korea. The FBI also referred to ‘significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea’, particularly Internet protocol (IP) addresses. In early January, US Director of National Intelligence James Clapper told a conference in New York that the North Korean Reconnaissance General Bureau was responsible for ‘overseeing’ the Sony attack.