Monday, December 22, 2014

Reservations on Blaming North Korea for the Sony Hack

Late last week, and into the weekend, the international press went absolutely and immediately frenetic at the suggestion that North Korea organized a massive hack against Sony in order to prevent the release of the James Franco/Seth Rogen film The Interview. You can read a bit more about the hack at Wikipedia, plus there's no shortage of news articles.

Here's the thing: I'm skeptical that it was actually North Korea that orchestrated the attack. I was skeptical even before the story took off as a result of Sony's decision to cancel the film's release. And I'm not alone.

  • Wired.com Threat Level: The Evidence That North Korea Hacked Sony Is Flimsy
  • CBS: Ex-Anonymous hacker questions North Korea's role in Sony hack
  • Marc Rogers: Why the Sony hack is unlikely to be the work of North Korea
  • War is Boring: Everyone Lost Their Minds Over North Korea’s Bullying
  • North Korea Tech: Did North Korea hack Sony? Probably Not
  • Christian Science Monitor: Did North Korea really hack Sony? Cybersecurity pros at odds

I especially recommend the write-up from Marc Rogers, which provides overviews and links for various aspects of the actual evidence. The Wired article provides similarly elucidating commentary. Less convincing is the analysis by Hector Monsegur/"Sabu", though that may be a result of the reporting rather than of his actual body of work on the issue. Monsegur presents two arguments that, upon further consideration, lose some of their force. The first is the following observation:

"For something like this to happen, it had to happen over a long period of time. You cannot just exfiltrate one terabyte or 100 terabytes of data in a matter of weeks," Monsegur said. "It's not possible. It would have taken months, maybe even years, to exfiltrate something like 100 terabytes of data without anyone noticing."

My concern with this observation is that it seems to ignore just how lax Sony's security measures appear to have been. One commenter over at Doctrine Man's Facebook page noted:

From what used to be Sony Internal Documents, about their IT security situation:

"'We are definitely not taking advantage of the latest technologies in the way we work. We shouldn't be using an OS that has been released on 2001 anymore... There are new tools out there people, and we don't take the necessary time to exploit them, master them and improve them and that's not how leadership can be achieved... '

'There is no overall Strategy in the departments of IT. IT is fragmented in the US due to everyone being in different offices/locations. Trust is not seen within the departments either and this needs to be addressed.'"

Assuming that was the case, it could be entirely possible for someone to have exfiltrated a substantial amount of data, either relatively quickly or relatively slowly, without anyone in the IT department being any the wiser. The U.S. federal government makes a pretty concerted effort to keep up with developments in technical risk, with the actual IT industry consistently ahead of the pack. Most IT users, however - individuals and companies - do an awful job of safeguarding the confidentiality, integrity, and availability of their systems. That tends to be for one or both of two reasons: they see good IT security (even something as simple as anti-virus software) as cost-prohibitive, or they simply don't understand the risks in the first place. In fact, this is common for practitioners in all realms of security and risk management: potential customers tend to mistake successful deterrence for the absence of a threat.* Sony appears to have grossly underestimated the threat to its own proprietary information; in this case, regardless of the attacker, it appears to have cost them in excess of $44 million (the production budget for The Interview). The bottom line is that Sony may not have adequately resourced its IT security department to ensure that it could, in fact, recognize when data was being exfiltrated, let alone do something about it had it been able to recognize what was happening. So, I'm not sure that Monsegur's point actually absolves (or implicates) North Korea.

Monsegur's second observation is as follows:

"Look at the bandwidth going into North Korea. I mean, the pipelines, the pipes going in, handling data, they only have one major ISP across their entire nation. That kind of information flowing at one time would have shut down North Korean Internet completely."

Monsegur is confident they don't have the infrastructure to carry out this kind of attack.

"They don't have the technical capabilities," he said. "They do have state-sponsored hackers very similar to China, very similar to Russia and very similar to our good old USA."

Again, Monsegur is right on the surface, but neglects to mention that many attacks are distributed - for example, Distributed Denials of Service (DDoS) and botnets (the latter typically being used to facilitate the former). So, North Korea's limited data infrastructure is certainly a limiting factor, but one that could be mitigated through fairly straightforward methods, e.g., setting up malware and tools so that they executed from more robust networks than those available in North Korea itself.

All of that having been said, I prefer to leave analysis of the actual code to those whose work I've linked above - I really don't have anything productive to add to that. What I want to discuss is the reasons why I don't think that the Sony hack actually coincides with North Korea's strategic interests.

First, the Sony hack is far more conspicuous and/or damaging than prior North Korean saber-rattling. Although North Korea has been known to carry out fairly ambitious hacks, these have typically been targeted at South Korea, and their character has been much different than the Sony hack. Its most aggressive (and fairly recent) saber-rattling (aside from attacks directly against South Korea, such as the sinking of the Cheonan and the shelling of Yeonpyeong Island) was probably the 1998 missile/satellite test over Japan; while the North Koreans continue to test missiles and nuclear devices on occasion, nuclear tests always take place in North Korean territory, and the missile tests have most recently been launched into international air space. Save for the attacks on South Korea, which seem to be efforts at espionage rather than sabotage, North Korean attacks (to include hacking) have been specifically careful to threaten rather than to cause actual damage. Stated differently, North Korea rattles its saber to communicate threats, rather than to invite and/or justify retribution. The Sony hack doesn't fit that model.

Second, the Sony hack is inconsistent with North Korean internal propaganda. The international community tends to dismiss Kim Jong Un as a heavyset novice who doesn't really know what he's doing, and it dismissed his father, Kim Jong Il, as an eccentric lunatic who was only interested in drinking cognac and making movies. Those characterizations may be somewhat fair, but for their domestic audience, the Kim Dynasty has been intent on maintaining two narratives. First, they set South Korea, Japan, and the United States up as fearsome enemies, dead set on imminently wiping out the North Korean people, which only the Kim Dynasty is powerful enough to keep at bay. To actually carry out an attack this significant undermines that narrative by implying that the Kim Regime can inflict significant damage against these enemies at will, which undermines their opponents' perceived ferocity, the Kim Regime's ensuing centrality to North Korea's defense, and the need for the North Korean people to live in such crippling poverty. (As a corollary, read Michael Totten's May 2009 post Davos in the Desert, which quotes Jay Nordlinger.) Beyond that, the whole thing makes Kim Jong Un seem very petty, rather than wise and benevolent. None of this plays into the longstanding narrative that South Korea, Japan, and America are a ferocious opponent, from which the North Korean people are protected only by the Kim Dynasty and their robust adherence to Marxist-Leninist ideals.

Third, the North Korean regime tends to use its occasional saber-rattling episodes in conjunction with specific goals: securing additional food or fuel aid from its neighbors, pushing for the easing of sanctions, and such. They use their strategic capabilities in the pursuit of specific strategic goals in a sort of quid-pro-quo involving promises of compliance and aggressive threats. Aside from preventing the release of some silly movie that the North Korean people are unlikely to ever see, there seems to be no actual objective to coincide with this alleged hack. (This concept of marrying strategic ways, means, and ends has evaporated from the Western psyche, but totalitarian regimes tend to remember it far better than their Western democratic counterparts.)

Fourth, a hack this conspicuous runs contrary to North Korea's recent efforts to improve relations with its southern neighbor. Some may remember that in October, North Korea sent an unannounced delegation of senior leaders to meet with South Korean leaders. While not mutually exclusive, it would be pretty inconsistent of the North to time such an audacious attack to coincide with such an unprecedented conciliatory move.

At any rate, it's good to see that a handful of credible news outlets are adopting a "Hey, let's take a step back and actually look at the evidence" posture, but most news outlets are merely repeating the "allegations", noting what various organizations are "investigating the possibility of", or just plain parroting the U.S. federal government's talking points as if the talking points themselves are the news.

In summary, I'm not saying that North Korea didn't attack Sony; but, as the sources cited above suggest, there seems to be more evidence pointing to disgruntled insiders or "hacktivists" than to North Korea. Regardless, I suspect this will be yet another case of a lie making it halfway 'round the world before the truth has a chance to put its boots on.

Postscript: Between when I wrote this and when I'm posting it, North Korea's portion of the Internet appears to have been knocked offline. As I mention above, it's entirely possible that North Korea was behind the Sony hack, and that its Internet outage results from a semi-justified counterhack. However, my intuition is that this incident had little or nothing to do with North Korea, and that any potential counterhack represents an impulsive escalation, the long-term ramifications of which may be more significant than the powers that be may realize.

* One of my colleagues was dismissed from his job as an overseas facility security manager because the incoming facility manager deemed his position, and the security improvements he had been hired to implement, too costly relative to the perceived threat. This took place less than a year into the Arab Spring. In September of 2012, after the attack on the American consulate in Benghazi, Libya, the facility manager's successor called a meeting to discuss security improvements. Rumor has it that my colleague's supervisor informed the new manager, "Well, sir, we used to have a guy on staff who did that kind of work and could make those recommendations, but your predecessor said we didn't need that capability anymore and he was laid off." The obvious difference between the Sony hack and the Benghazi attack highlights the legitimacy of Thomas Rid's argument, but the principle is the same: both the State Department and Sony decided to assume a great deal of risk, and were unprepared for the potential results.