On the Wednesday a week before Christmas, Sony Pictures, following threats from hackers of a violent attack against theaters, canceled its plans to release a satirical movie that depicts the assassination of North Korea’s supreme leader, Kim Jong Un.
The next day, alarmed by the surrender, President Obama convened his top officials in the White House Situation Room and, based on their unanimous recommendation, decided to take an action the United States had never dared before in response to a cyberattack by another nation: name the government responsible and punish it.
The administration’s response to the November cyberattack against Sony — it publicly blamed North Korea two days after the Hollywood studio shelved the film — has thrown into relief how the government’s reaction was driven by the public fallout from the hack. It differed from the response to any of the numerous, significant cyber-intrusions that had occurred previously in the United States, many of them originating abroad and some of them believed to be directed by foreign powers.
The blocking of Sony’s freedom of expression, on top of a highly damaging hack, is what ultimately compelled officials to act, in the name of deterrence.
“The argument I made was the whole world is watching how we as a nation respond,” said Adm. Michael S. Rogers, the director of the National Security Agency, who, other officials said, was at the previously undisclosed meeting.
“And if we don’t acknowledge this, if we don’t name names here, it will only — I’m concerned — encourage others to decide: ‘Well, this must not be a red line for the United States. This must be something they’re comfortable [with] and willing to accept,’ ” Rogers said at an international cybersecurity conference at Fordham University last week.
There “was a significant debate within the administration about whether or not to take that step” of naming North Korea, a senior administration official said. “Attribution is hard, and there are all sorts of reasons we don’t normally want to do that,” including setting a precedent that would increase pressure to name other countries in future incidents and antagonizing the offending governments.
But the attack on Sony’s right to screen a movie struck a nerve. The entertainment company may not be “critical” to national security, but free speech is “a core value,” said the official, who spoke on the condition of anonymity to describe internal discussions. “Yes, it was a Seth Rogen comedy, but next time it might not be,” he said. What he described as the hack’s “destructive” nature combined with the element of coercion against Sony “crossed the threshold,” he said. “It took us into a new realm.”
The attack was a violation of U.S. sovereignty “coupled with an attempt to interfere with freedom of expression,” said Christopher Painter, State Department coordinator for cyber issues. “You had, in many ways, the perfect storm of all these things coming together that were really important.”
The hackers, who called themselves Guardians of Peace, penetrated Sony’s network and for at least three weeks exfiltrated e-mails, salary lists and other sensitive data, undetected, before launching a “wiper” attack on Nov. 24, deleting data and disabling computers. Soon after, the hackers began releasing embarrassing e-mails that portrayed studio executives as, among other things, racially insensitive.
The FBI concluded early on that North Korea was to blame, but the administration was not inclined to say so publicly, in part because it had not figured out an appropriate response. It was prompted to act when Sony and the theaters canceled the movie’s planned release. And while the government’s attribution to Pyongyang has prompted skeptics to clamor for more proof, officials said this case was clear. “I have rarely seen the degree of evidence that we have amassed both through our work with Sony and through other means,” said the senior administration official.
Rogers said the NSA aided the investigation by sharing computer “activity and patterns” by North Korea that had been observed in previous cyber incidents.
It was equally important to the administration that other governments speak out against the attack to build toward an international norm. After Obama last month condemned North Korea’s attack, a number of other world leaders followed — Britain’s foreign secretary, Canada’s foreign minister, Australia’s prime minister, New Zealand’s foreign minister, as well as officials in South Korea, Japan, Norway, the Netherlands, Israel and Estonia.
“What it shows is an understanding in the world community that this kind of conduct is unacceptable and we need to work together to prevent it and to respond to it,” Painter said.
The Pentagon has developed an extensive set of scenarios to game out how it might respond to different levels of cyberattacks, said a senior defense official who spoke on the condition of anonymity to describe internal discussions. Some exercises are conducted with other agencies. The idea, he said, is to answer questions such as: “If this happened, would we consider it an armed attack? What would the response be?”
But none of those scenarios, he conceded, involved a Hollywood movie studio. Had the attack not been so public, and had Sony not canceled plans to release the film, “it’s fair to say” the government’s response might have been more muted, the official said. The coercion, he said, “was a major part of the impact” and made the attack “more significant.”
Dmitri Alperovitch, co-founder of the security firm CrowdStrike, said: “We’ve had this debate for a long time about what’s the threshold for an act of war. The point here is that doesn’t matter. What matters is, what’s the impact?”
The violation of free expression, Alperovitch said, was a significant impact.
At his news conference last month, Obama vowed a “proportional” response, and two days into the new year, after Sony reversed course and released the movie, the administration announced new financial sanctions on the North Korean government.
The White House has said the sanctions were “the first aspect of our response,” implying that the shutdown of North Korea’s Internet last month was not caused by the United States. Officials have said further actions are possible.
Last year brought “a significant sea change in the government’s approach” to deterrence, Assistant Attorney General John Carlin said last week at Fordham. He cited the criminal indictment of five members of the Chinese People’s Liberation Army on charges of commercial cyberespionage — the first-ever such indictment.
“We will continue to investigate” the Sony case, he said on the conference sidelines, “and look to see if we can bring appropriate charges.”