Update, 12/18: More Peter Singer on the fallout from the Sony hack—"This will be a case study I can guarantee will be both used and misused in everything from legislation to cybersecurity sales pitches."
It's been a big day for news surrounding the massive, ongoing Sony hack saga.
First, major movie chains announced that they would not be screening The Interview after a nonspecific threat of violence from the Guardians of Peace, the hacking collective that attacked Sony. Then, the company announced it was canceling the release of the movie altogether. Now, the government is suggesting that it really is North Korea behind the attack.
So, yeah, big day.
To help make sense of it all, I called up Peter W. Singer, one of the nation's foremost experts on cybersecurity and cyber war, to get his take. Singer is the author of Cybersecurity and Cyberwar: What Everyone Needs to Know and Wired for War and is a strategist at the New America Foundation.
Motherboard: Let's just cut to the chase—Are these hackers terrorists? Are they cyberterrorists?
Peter W. Singer: There's two layers to it now. There's the definition of terrorism and the reaction to it, which has been a combination of being both insipid and encouraging to future acts.
The first is what has already happened. Sony has labeled what happened to it as cyberterrorism and various media have also described it as cyber terrorism. The reality is having your scripts posted online does not constitute a terrorist act. The FBI describes it as an 'act that results in violence.' Losing your next James Bond movie script that talks about violence is not the same thing as an act of violence.
I can't believe I'm saying this. I can't believe I have to say this.
What has happened to Sony already does not meet the definition. They're saying 'This is an act of war.' We're not going to war with North Korea over this act just because Angelina Jolie is now mad at a Sony executive. Acts of war have a different standard.
Literally, we are in the realm of beyond stupid with this.
And then we have the actual threats of violence.
This same group threatened yesterday 9/11-style incidents at any movie theatre that chose to show the movie. Here, we need to distinguish between threat and capability—the ability to steal gossipy emails from a not-so-great protected computer network is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously. I can't believe I'm saying this. I can't believe I have to say this.
This group has not shown the capability to do that. Sony is rueing any association it has with the movie right now. We are not in the realm of 9/11. Did movie chains look at the reality of the threat? Or did the movie theater chains utterly cave in? This is beyond the wildest dreams of these attackers.
I talked with Bruce Schneier yesterday, and he said Sony is playing the victim card. Has Sony taken an unfortunate event with this and turned it into an international incident?
Now we get to the part that moves from jokes and silliness to serious, which is: This is not just now a case study in how not to react to cyber threats and a case study in how to not defend your networks, it's now also a case study in how not to respond to terrorism threats.
We have just communicated to any would-be attacker that we will do whatever they want.
It is mind-boggling to me, particularly when you compare it to real things that have actually happened. Someone killed 12 people and shot another 70 people at the opening night of Batman: The Dark Knight [Rises]. They kept that movie in the theaters. You issue an anonymous cyber threat that you do not have the capability to carry out? We pulled a movie from 18,000 theaters.
Right—from the beginning, Sony and the media have taken what has been described as a run-of-the-mill albeit expansive and thorough hack and have scared everyone beyond belief. What happened here?
The attackers wonderfully understand the American psyche. This was a hack, but call it 'cyber' and 'terrorism,' and we lose our shit. There's no other way to put it.
Schneier suggested that Sony has been calling this cyber terrorism because it makes it seem worse—it makes it seem like the company was defenseless. Are execs doing this to save their jobs?
Yeah, you don't want to be in the category of blame the victim, but Sony has had hacks before. It's been hacked dating back to 2005, and the executives inside of it are still emailing to each other like it's 1997 and it's the first time they've ever been on email.
Set all of that aside, even the best companies with some of the best cybersecurity in the world get cracked. The banks with JP Morgan, the US military, the White House. The reality is we can either choose a 'lose our shit' mentality, or we can choose a mentality that is far more successful, which is focusing on resilience.
It's not an act of war, it's frickin' annoying for Sony
It's about accepting the fact bad things might get in and you can power through them. It's about getting up quickly when you knocked down, which takes the incentive away from the attacker.
Your reaction can either be, 'I give up' or 'No, we're going to show the movie.'
What do you think of the idea some have raised about just releasing the movie online, right now. Or, like, yesterday. Would that be a copout?
No, I don't think so. But what we're learning about Sony and its approaches to piracy with the MPAA, it would have put Sony in a fantastically interesting position to say, 'This is what we've been fighting against all these years, but oh, here's the movie.'
they're setting an absolutely horrible precedent that makes every other company less safe moving forward
But the movie should come out.
This is bringing such publicity to this movie that, for all we know, isn't all that good. It definitely wouldn't have gotten this much free or paid publicity. The problem is, if you don't release the movie, you can't make lemonade out of lemons. That's where they're at right now. By caving in, they may think they're cutting their losses, but they're setting an absolutely horrible precedent that makes every other company less safe moving forward.
There's a parallel here to the Boston marathon bombing. I am going to be careful on this. The Boston attacks were real, and people died. This is not in the same category. But, a lot of terrorism analysts have talked about how they shut down the entire city of Boston, which was the wrong message. It sends the message to terrorists elsewhere that if two not-so-well trained guys with a jury-rigged rice cooker bomb can shut down an entire American city, what can we do if we're good at this?
So we don't know for sure if it was North Korea or not. But, do you think it was? Does it even matter?
It's an issue of attribution. The victims always want to know who did it. In cyber, it's particularly difficult to find out who did it because of technical reasons, but you also have the issue of what burden of proof do we have to meet? Is it a legal burden of proof? Is it a burden of proof for public opinion or a White House situation room burden of proof?
So far, the information that's come out has pointed the finger at North Korean proxy groups, but it's been context based. It wouldn't meet the level needed in a court of law. The context combines the fact that they're pissed about this movie, and certain techniques in it are similar to what has been used in other attacks linked not definitively to North Korea. It's enough for most people to talk about [it being from North Korea], at least.
But, does it matter?
It is, in many ways, besides the point. Even if North Korea steps forward and proudly said, 'We did it,' what is Sony's recourse? Not much. It can sue North Korea, I guess.
The government should help defend this company and prevent hacks, but in terms of exacting punishment on North Korea, what's it going to do? It's not an act of war, it's frickin' annoying for Sony. But it's not an act of war.
We didn't go to war with North Korea when they murdered American soldiers in the 1970s with axes. We didn't go to war with North Korea when they fired missiles over our allies. We didn't go to war with North Korea when one of their ships torpedoed an alliance partner and killed some of their sailors. You're going to tell me we're now going to go to war because a Sony exec described Angelina Jolie as a diva? It's not happening.