Sony Hack Reveals U.S. Can’t Protect Business From Attack
Jonathan Allen and John Walcott
Back-channel talks between Sony Pictures Entertainment and the White House to coordinate a response to a debilitating cyber-attack didn’t prevent a public disagreement over the studio’s decision to pull its film, “The Interview.”
President Barack Obama’s rare rebuke Dec. 19 of a company’s actions came after the White House took care to avoid telling the Sony Corp. unit how to respond to hackers linked by the U.S. to North Korea, according to two administration officials familiar with the discussions. The North Korean government says it had nothing to do with the attack.
Sony canceled the Dec. 25 release of the comedy about a fictional plot to assassinate North Korean leader Kim Jong Un, saying that theater chains had received threats of violence. The move prompted Obama to say the company “made a mistake” and that he wished “they’d have spoken to me first.” The head of Sony’s studio and White House officials did talk, both sides agree -- just not about whether the movie should be released.
The spat showed that the U.S. government and businesses still can’t collaborate effectively to deter cyber-attacks, defend against them or respond to them. It added urgency to a debate over whether and when the government should take responsibility for protecting private companies from attacks and whether and when those companies can strike back against foreign nations or groups.
Obama promised to retaliate against North Korea for the Sony hack, answering a largely unresolved legal and political question surrounding cyber-warfare: The U.S. government will act on behalf of a private company after an attack.
“They caused a lot of damage, and we will respond. We will respond proportionally, and we’ll respond in a place and time and manner that we choose,” Obama said at his year-end White House news conference on Dec. 19. The hack was a costly act of “cyber-vandalism” rather than “an act of war,” Obama told CNN in an interview broadcast today.
The U.S. now is seeking assistance from several nations -- including China, North Korea’s largest trade partner -- in investigating the attack on Sony, according to the administration officials, who requested anonymity to talk about the discussions. Traditional U.S. allies enlisted in the effort also include Japan and Australia.
Now, Obama has to figure out how and when to strike, a decision complicated by the ambiguities of electronic warfare.
“I’m not able to lay out in any specificity for you what would be or wouldn’t be an act of war in the cyber domain. It’s not like there’s a demarcation line that exists in some sort of fixed space on what is or isn’t,” Navy Rear Admiral John Kirby, the Pentagon’s chief spokesman, said at a briefing on Friday for reporters.
How Sony should respond is a separate issue, according to the two administration officials. Both said the administration told Sony that it was up to the studio to decide what to do with the movie, although its decision would have geopolitical as well as corporate implications. That left Obama free to criticize the move without being tangled in advising a private company on what it should do.
The administration gave a very limited answer because of the classified nature of information about the attack. The White House also didn’t want to set a precedent of answering requests on a company-by-company basis -- and possibly appearing to favor one firm over another -- said one of the officials.
Instead, the official said, the government chose to respond to Sony’s request publicly.
Sony Pictures Chief Executive Officer Michael Lynton told CNN in an interview that he did “reach out and speak to senior folks at the White House” and “informed them that we needed help.”
Conducting such back-channel discussions with U.S. officials before the release of a film isn’t uncommon, with “Zero Dark Thirty,” about the hunt for Osama bin Laden, being one example, according to one entertainment industry veteran familiar with such discussions, who also requested anonymity.
Sony’s inquiry to the White House about the Seth Rogen comedy, “The Interview,” was different than most pre-release discussions with the government. Instead, it centered on how seriously to take the online threats of violence from hackers calling themselves the Guardians of Peace against anyone who went to see the film in theaters, according to administration officials. Hackers had previously published private e-mails from the company.
Last month’s attack on Sony has been a topic of discussion for the U.S. government’s interagency Cyber Response Group, according to an administration official who wasn’t authorized to discuss the program publicly and requested anonymity.
Lisa Monaco, the assistant to the president for homeland security and counterterrorism, set up the group earlier this year among various national-security agencies to improve the government’s response to attacks on both public- and private-sector institutions.
Members of the group “literally get around the table in the Situation Room, pool our knowledge, understand what that threat looks like,” and then figure out how to share information with the private sector so companies can be protected, Monaco said at a Bloomberg cybersecurity conference earlier this month.
The White House declined to make her available for an interview on Saturday.
The Federal Bureau of Investigation said Dec. 19 that it had concluded that North Korea was behind the attack. Malicious software in the Sony incident bore links to malware previously used by North Koreans, according to the FBI. The hacking tools employed also were similar to those used in a March 2013 cyber-attack on South Korean banks and media organizations.
North Korea’s government said yesterday it had nothing to do with the hacking of Sony’s computer systems and called on the U.S. to hold a joint investigation into the incident.
North Korea can prove its innocence and warned of “grave consequences” if the U.S. fails to take up its offer, the country’s foreign ministry said in an e-mailed statement cited by the state-run Korea Central News Agency. “As the U.S. is spreading groundless allegations and slandering us, we propose a joint investigation,” the ministry said.
The White House National Security Council, responding to North Korea’s statement, said it stood by the FBI conclusion.
“The government of North Korea has a long history of denying responsibility for destructive and provocative actions,” Mark Stroh, an NSC spokesman, said in an e-mailed statement. “If the North Korean government wants to help, they can admit their culpability and compensate Sony for the damages this attack caused.”
Obama said today that the U.S. is reviewing whether to put North Korea back on its list of state sponsors of terrorism. He told CNN that the U.S. will examine the facts to determine whether North Korea qualifies for the terrorism sponsors list from which it was removed in 2008.
For both practical and political reasons, it would be best for any move to be international and asymmetric, in both time and nature, according to two Obama administration officials involved in discussions on how to respond. That would limit the appearance that the U.S. was responding to the effort to suppress the movie, rather than acting over the cyber-attack on Sony, they said. It would also signal to the Chinese and other cyber-powers that destructive hacks cross a line and that there’s international support for drawing such a line.
U.S. officials say it’s important to conduct retaliatory strikes in a measured way that prevents America from being portrayed as violating the norms it’s trying to create.
For example, it’s unlikely that the U.S. Cyber Command at Fort Meade, Maryland, would destroy data stored on servers used by North Korea, said one administration official involved in discussions about how to respond. That would legitimize what hackers did to Sony and risk an escalation of destructive cyber-warfare that could seriously harm financial institutions or energy infrastructures in the U.S., the official said.
“The cyber domain remains challenging, it remains very fluid,” Kirby told reporters at the Pentagon. “Part of the reason why it’s such a challenging domain for us is because there aren’t internationally accepted norms and protocols. And that’s something that we here in the Defense Department have been arguing for.”
Congress will probably take a close look at the rules governing how companies can respond to cyber-attacks, House Homeland Security Committee Chairman Michael McCaul, a Texas Republican, said in an interview with Bloomberg reporters and editors this month.
“I’m going to study the legal implications of allowing companies to do it, to do more to retaliate,” he said.