First Cyber War: Was the Sony Hack a Warm-Up for Bigger Things to Come?

REUTERS/Kacper Pempel/Files

The Sony Pictures hacking drama ended, at least for the moment, with the besieged studio deciding to authorize a limited release of “The Interview” after all. This came after a storm of criticism of Sony, and the U.S. government that failed to protect them, for caving in to the demands of a hacker group with, shall we say, very strong feelings about the impropriety of mocking North Korean dictator Kim Jong Un.

The Obama Administration tried to soft-pedal the event, with the President flatly refusing to characterize it as terrorism or an act of war by North Korea, creating an entirely new category of mischief called “cybervandalism” to explain why he was going to let foreign powers use a combination of electronic espionage and threats of 9/11-style violence to intimidate Americans into giving up their First Amendment rights.

That didn’t fly with anyone who retains the critical-thinking skills necessary to doubt anything Barack Obama says. Something nasty subsequently happened to North Korea’s Internet infrastructure, and suddenly, Sony was talking about dribbling “The Interview” into a few theaters on Christmas Day, despite continued promises from the hackers that they would be punished for doing so.

Sony lost a lot of money due to this attack, including damaged business relationships and enough negative publicity to make even the sheltered liberal aristocracy of Tinseltown executives wonder if heads might roll after various doubleplusungood thoughts were expressed in leaked email correspondence. The extent to which the attack was either abetted or organized by disgruntled Sony insiders remains a subject of debate and investigation, as does the strength of the link between the hackers and Kim Jong Un’s regime, which officially applauded the hack without taking responsibility for it. It does not seem likely that the whole affair was an elaborate publicity stunt to goose interest in “The Interview,” as some speculated after the Christmas Day limited release was announced. At this point, Sony will be lucky to recoup a fraction of the financial damage it suffered, or restore its reputation by styling itself a wounded champion of free speech. Its efforts along those lines might seem a bit tacky—this is a movie studio we’re talking about, after all—but you really can’t blame them for getting the marketing team together and trying to figure out a way they can spin a little gold from this pile of North Korean straw.

Another lingering question from the Sony hack is whether it was really just a skirmish in the First Cyber War—a field test for weapons and techniques hostile powers have much bigger plans for. Assessments of the techniques used against Sony vary widely—it was either too sophisticated to be the work of freelance hackers or too crude to be the work of well-funded, well-trained North Korean or Chinese government saboteurs, depending on who you ask. The FBI has become convinced the North Korean government was behind it; intelligence officials note that the final stage of the assault was launched from servers in China, not North Korea, a degree of cooperation between the Chinese and their client regime that is hardly unprecedented. The Chinese, for their part, are so indignant about the suggestion that their unruly pets in Pyongyang attacked an American (and Japanese!) company that they forbid their own regime-managed media from even reporting on the Sony hack. Gosh, it’s hard to imagine where the North Koreans get their peculiar ideas about free expression from.

What if North Korea and China were behind the Sony hack? That’s a lot of oppressive firepower to level at a stoner comedy, but it makes sense if the saboteurs were using Sony for target practice, polishing up the frying pans they plan to use for much bigger fish in the New Year. Patrick Tucker at Quartz has an idea for where this all might be going, warning that 2015 might be “the year of Aurora”—so-called because in July, the Department of Homeland Security inadvertently released a study called the “Aurora Project” about the vulnerability of American power and water systems to hacker attacks, and potential hackers probably read it with great interest:

The vast majority of the 800 or so pages are of no consequence, says [infrastructure expert Joe] Weiss, but a small number contain information that could be extremely useful to someone looking to perpetrate an attack. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which [Pacific Gas and Electric] substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”

The publicly available documents that DHS released do indeed contain the names and physical locations of specific Pacific Gas and Electric Substations that may be vulnerable to attack.

Defense One shared the documents with Jeffrey Carr, CEO of the cyber-security firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld. “I’d agree…This release certainly didn’t help make our critical infrastructure any safer and for certain types of attackers, this information could save them some time in their pre-attack planning,” he said.

Whoops! Probably shouldn’t have just thrown that out there for aspiring cyber terrorists to review, then. Homeland Security’s bad, everyone.

There follows a detailed discussion of how difficult an Aurora attack on infrastructure would be to pull off, even with the helpful pointers accidentally revealed by DHS, with an inconclusive verdict: tough, but doable. The same lament voiced by cybersecurity experts after every high-profile hack is repeated here: attackers have the initiative, defenders are struggling to catch up, and hackers are perfecting their tools faster than security firms can update defenses. In this case, utility companies don’t seem to have implemented many new security profiles since the Aurora study was performed in 2007—not even measures that would be inexpensive, or even provided gratis by the Department of Defense.

North Korea is cited as one of the hostile powers capable of attacking U.S. power and water systems (judging by what their gremlins have been up to lately, the Iranians are even more interested in exploring the possibility.) The lingering question in the minds of malefactors would be the price they might pay for doing something nasty to America’s power grid. Not only could the Sony hack have field-tested viral software that might be turned against infrastructure, but it could be a dry run for estimating U.S. retaliation against something more serious, pulled off with a comparable degree of ambiguity about the exact identity of the perpetrators:

Would such an attack constitute an act of cyber war? The answer is maybe. Speaking to reporters at the Pentagon on Friday, Pentagon Press Secretary Rear Adm. John Kirby said “I’m also not able to lay out in any specificity for you what would be or wouldn’t be an act of war in the cyber domain. It’s not like there’s a demarcation line that exists in some sort of fixed space on what is or isn’t. The cyber domain remains challenging, it remains very fluid. Part of the reason why it’s such a challenging domain for us is because there aren’t internationally accepted norms and protocols. And that’s something that we here in the Defense Department have been arguing for.”

Peter Singer, in conversation with Jason Koebler at Motherboard, says that the bar for actual military engagement against North Korea is a lot higher than hacking a major Hollywood movie studio.

“We didn’t go to war with North Korea when they murdered American soldiers in the 1970s with axes. We didn’t go to war with North Korea when they fired missiles over our allies. We didn’t go to war with North Korea when one of their ships torpedoed an alliance partner and killed some of their sailors. You’re going to tell me we’re now going to go to war because a Sony exec described Angelina Jolie as a diva? It’s not happening.”

If anything, an Aurora attack would be even harder to attribute than Sony’s troubles were. A couple of American cities go dark, and the FBI finds no fingerprints except a couple of IP addresses in North Korea, China, or Iran. What next? It’s the high-tech, fast-forward incarnation of the very same state-sponsored terrorism President George Bush sought to combat in his “Axis of Evil” speech… with two of Bush’s Axis of Evil nemeses, Iran and North Korea, once again looming as plausibly deniable sponsors. (Iraq was the third choice, but whatever else the new malevolence squatting in northern Iraq might be up to, they don’t seem terribly interested in cyberwarfare, at least not yet.)

Aurora-style mischief isn’t purely theoretical. The Christian Science Monitor notes that viral forces have already been moved into digital position:

First came an alert in October from the Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT). It warned critical infrastructure operators about malicious software known as BlackEnergy used in attacks on industrial control systems.

Then, on Nov. 20, the government’s most senior cyber warrior, the National Security Agency’s chief Adm. Michael Rogers, told Congress that the government was aware of wide-spread and concerted efforts by nation-state actors to use malicious software and online attacks to infiltrate, study, and – potentially – cripple US critical infrastructure, including the nation’s electric grid.

“There are those industrial control systems that can shut down and forestall our ability to operate … basic infrastructure, whether it’s generating power across this nation, whether it’s moving water and fuel,” Admiral Rogers told the House Select Intelligence Committee.

At the top of the list of targets for a crippling hack: North America’s vast and vulnerable electrical grid.

Rogers warned that it was a question of “when,” not “if,” a major cyberattack on U.S. infrastructure is launched, most likely within the next decade. He was particularly worried about criminal groups (Michigan Republican Rep. Mike Rogers of the House Intelligence Committee pithily described them as “cyber hit-men for hire”) serving as surrogates for hostile foreign powers, particularly China. How about a team of cyber hit-men claiming to be freelance Social Justice Warriors avenging an insult against the dictator of China’s pet regime in North Korea? When China’s economy gets busy imploding over the next couple of years, there may come a moment when they find it very convenient to use such eminently deniable agents to crash financial computers and wreak economic havoc in the United States by blacking out a few major cities. With enough layers of separation between the communist regime and its cyber hit-men, there would be nothing worse to fear in retaliation than some grumbling from American officials, and maybe a few fiery op-eds in the U.S. papers Chinese citizens aren’t allowed to read. The First Cyber War will be fought from some very deep shadows… quite literal shadows, if the Sony hack was a prelude to an assault on our power grid.