Sony Pictures Entertainment on Wednesday canceled the Christmas Day release of “The Interview,” bowing to threats of a wide-scale attack from hackers who U.S. intelligence officials have concluded were working for North Korea.
U.S. officials, though, were not prepared to publicly accuse the reclusive government, in large part because the Obama administration has not determined what, if any, action it could take.
At a briefing Thursday, White House press secretary Josh Earnest said the hack was being treated as “a serious national security matter.” He declined to comment on whether North Korea was behind the cyberattack, saying that the matter is “still under investigation.”
Earnest added that the White House national security team is “considering a number of options,” although he did not describe the options being weighed.
Intelligence officials believe with “99 percent certainty” that hackers working for the North Korean government carried out the attack, said one individual who was briefed on the investigation and spoke on the condition of anonymity. But the administration hasn’t figured out what to do, U.S. officials said.
Officials agree that there are no good options. Unlike China, which the United States has publicly accused of stealing vast amounts of intellectual property from U.S. companies, North Korea is far removed from the global economy and already under economic sanctions, imposed by the United Nations, targeting its nuclear program.
“There are no sanctions left,” said a U.S. official. “Nor do we have any trade with them to sanction. So there certainly is a very limited number of tools in the toolbox.”
National Security Council spokeswoman Bernadette Meehan said late Wednesday that the United States “is investigating attribution and will provide an update at the appropriate time. The U.S. government is working tirelessly to bring the perpetrators of this attack to justice, and we are considering a range of options in weighing a potential response.”
Sony said in a statement Wednesday that it was “deeply saddened at [the hackers’] brazen effort” to suppress the movie and was opting “not to move forward” with the Dec. 25 release. A Sony spokesperson later said that the studio “has no further release plans for the film.”
Earlier in the day, the nation’s five largest theater circuits — Regal Entertainment, AMC Entertainment, Cinemark, Carmike Cinemas and Cineplex Entertainment — said they would delay the $44 million film’s opening.
Regal, the biggest of the five, said it would delay the screening because of “the wavering support of the film” by Sony “as well as the ambiguous nature” of the threats. Cineplex said it “takes seriously its commitment to the freedom of artistic expression” but added that safety was paramount because of the “unprecedented and complex situation.”
That an anonymous hacking squad could derail the plans of one of the world’s biggest entertainment firms, experts said, marks a worrying new precedent for cyberterrorism that could encourage more attacks. With one inexpensive hack, a team can generate the kind of international fear once achievable only through bomb or terror threats.
“This is the real danger to corporate America in the cyber domain,” said Alec Ross, a senior fellow at Columbia University’s School of International and Public Affairs.
“The cost to build powerful malignant weapons is shockingly low. There are very well-developed communities of hackers for hire all over the world that can develop very powerful cyberweapons for exceedingly low costs.”
Guardians of Peace, the group claiming responsibility for the hack, issued a sharp warning this week promising a “bitter fate” for those going to the movie and warning others “to keep yourself distant from the places at that time.”
“The world will be full of fear,” they said in an anonymous online posting. “Remember the 11th of September 2001.”
The North Korean government has denied involvement in the hack but called it “a righteous deed” and threatened to undertake “a merciless countermeasure” due to the film’s premiere. It added that the Seth Rogen and James Franco comedy, which ends with the killing of North Korean leader Kim Jong Un, is a “most blatant act of terrorism and war.”
Analysts say any military action in retaliation for a cyberattack on a studio would be out of proportion and would risk escalation. Indictments would be pointless, as North Korea would never let its citizens stand trial in the United States. At most, some analysts say, the administration could deliver a public shaming, as one former U.S. official said, to “let North Korea know ‘We know you did it.’ ”
James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, said the administration is in a bind when it comes to naming a state like North Korea.
“There are a couple of worries here,” he said. “The first is that they want evidence that would stand up in court. If that’s your standard, that’s pretty high.”
Second, he said, “If we do something to North Korea, what do they do back? They know how bad our [cyber] defenses are.”
Said a U.S. official, who spoke on the condition of anonymity to discuss a sensitive topic: “We are not willing to escalate.”
President Obama did not mention North Korea when he commented on the Sony hack in an interview with ABC News on Wednesday. “The cyberattack is very serious,” the president said. “We’re investigating, and we’re taking it seriously. We’ll be vigilant. If we see something that we think is serious and credible, then we’ll alert the public. But for now, my recommendation would be that people go to the movies.”
Investigators reached their conclusion in part by comparing malware used in the hack to malware North Korea used in hacks against South Korean banks in recent years, said individuals familiar with the probe. They also found that the hackers routed their attacks through computers in seven countries — including the United States, Thailand and Bolivia — to try to hide the attack’s origin and that some of the malware was written using the Korean language.
The Department of Homeland Security said Tuesday that there is no credible evidence suggesting an active plot against U.S. movie theaters in connection with the hack, and a State Department official said Wednesday that the agency has no specific information lending credence to the threat.
Still, Bow Tie Cinemas, a smaller chain of 55 theaters in six states, said in a statement Wednesday that it was “saddened and angered by recent threats of terrorism” and, “given that the source and credibility of these threats is unknown,” the chain would cancel the movie’s Dec. 25 premiere.
That decision created its own backlash, as people took to Facebook to call the chain “cowards” for “kowtowing” to the threats. In response, Bow Tie spokesman Joe Masher said: “The safety of our patrons and staff are our number one priority. Period. It was a difficult decision for us to make.”
The theaters acted days after Sony said it would not object to any deciding not to show the movie. Some legal experts said that statement transferred legal liability for any attack from Sony to the theaters, should they decide to proceed with a showing in the face of a known threat.
The National Association of Theatre Owners said in a statement that its member theaters “may decide to delay exhibition” until “the responsible criminals are apprehended.”
With the premiere scuttled, Sony could choose to unveil the film later in theaters or skip the big screen altogether and release it through video-on-demand. That would upend a longtime agreement between theaters and film studios of months-long delays between big-screen premieres and at-home viewing.
Rogen declined to comment, and messages left with Franco were not returned. They have canceled talk-show appearances and other media interviews.
The hacker group has released several years of sensitive internal Sony documents, including employee salary data, health information and Social Security numbers. It also promised a “Christmas gift,” likely another dump of stolen internal secrets.
Sony executives have held meetings to apologize to workers whose data was leaked, and the company has hired crisis specialists to deal with insensitive e-mails that have embarrassed the firm’s top brass.
But the firm has also gone on the offensive, partnering with such companies as Entura, a London privacy firm, to attempt to block sharing of the files and cap further leaks. It has also hired lawyer David Boies, who has threatened legal action against media outlets that report details pulled from the Sony leaks.
The delay could prove financially devastating to Sony during the holidays, one of Hollywood’s most lucrative box-office seasons.
Some theater executives worried that a cancellation could accelerate the trend of viewers turning away from the big screen in favor of watching movies at home.
The hacker group gave no details of the extent of its threat.
The movie’s derailed premiere stunned Hollywood. A movie set in North Korea and starring Steve Carell was canceled by its production company, New Regency, said a person close to the studio who spoke on the condition of anonymity because the decision hadn’t been announced publicly.
Actor Rob Lowe said in a tweet that he had seen Rogen at the airport and that “both of us have never seen or heard of anything like this.” He added, “Hollywood has done Neville Chamberlain proud today,” a reference to the British prime minister linked with the appeasement of Nazi Germany.
Some experts said the disastrous hack should push Fortune 500 companies, such as Sony, even further toward investing in and mounting their own corporate measures of cyberdefense.
“Historically, companies have viewed cybersecurity as a subset of the IT function,” said Ross, the senior fellow at Columbia. “But it’s time to take cyberdefense out of the org-chart ghetto and elevate it.”
Juliet Eilperin contributed to this report.