link to the published version: IEEE Computer, February, 2015
Recognition as IEEE Computer Best Column of 2015
afterword - January 19, 2015



CYBER CHUTZPAH: The Sony Hack and the Celebration of Hyperbole

Hal Berghel


I’ve restrained myself from commenting on the Sony Hack until now. Frankly, this entire story is stuck on stupid. However, after Sony CEO Kazuo Hirai’s lame talk at the 2015 Consumer Electronics Show in Las Vegas (my fair city) I can hold back no more. It’s time to pull what little common sense is left of this event out of the Orwellian memory hole and try to get the narrative back on track.

REALITY CHECK

CEO Hirai said: “[Sony employees] were unfortunately the victims of one of the most vicious and malicious cyberattacks that we’ve known certainly in recent history….And I have to say that freedom of speech, freedom of expression, freedom of association – those are very important lifeblood/lifelines of Sony and our entertainment business.” (http://time.com/3655462/sony-chief-executive-hacking/) The hyperbole and drama befit a Mickey Spillane novel. The Sony hack is not in the upper echelon of cyber attacks! It’s not even in second or third tiers. As a matter of fact, apart from the embarrassing executive emails leaked (see below), it’s not even very interesting. Further, if Sony really believed in freedom of expression they wouldn’t have fired Sony corporate communications executive Charles Sipkins over an alleged snub of co-chairman Amy Pascal (http://www.rttnews.com/2430666/sony-executive-leaves-after-e-mail-reportedly-sought-his-firing.aspx). Sony’s corporate stance on this offends the senses.

In the scheme of things, the Sony hack seems to be a rather pedestrian compromise of a security-challenged computer network. To be sure, examples of “vicious and malicious cyberattacks” are easy to find. Consider the software hack (trojan horse) by the U.S. that led to the 1983 Trans-Siberian Pipeline explosion – reportedly the largest non-nuclear explosion in recorded history (see Thomas C. Reed, At the Abyss: An Insider's History of the Cold War, Presidio Press, 2004). Now that's “vicious and malicious.”

Or, one might point to the Olympic Games attack that used the so-called Stuxnet worm to destroy the uranium centrifuges at the Iranian fuel enrichment facility at Natanz ( http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&module=Search&mabReward=relbias%3Ar%2C{%221%22%3A%22RI%3A5%22} ). Once again, that qualifies as a “vicious and malicious” cyberattack. Since both of these actions involve cyber-kinetic attacks on sovereign nations and remain politically charged, we'll pass over the geopolitical motives in silence.

For something to qualify as vicious and malicious, an action must have qualities that are savage, brutish, violent or fatal. Detestable and spiteful conduct normally won't qualify. Attacks against sovereign nations, yes; hacks of corporate computer networks, not so much. The Sony hack is more similar to MafiaBoy, the Google Gmail hack, the Solar Sunrise hack, and Albert Gonzalez' compromise of TJX and Heartland Payment Systems than it is to the Siberia and Stuxnet examples. It is just another installment in the never-ending evolution of digital crime.

There is plenty of room for governments to wiggle in the continuum of state involvement in criminal activity: state-sponsored, state-proxied, state-tolerated, state-aware, kleptocratic, narco-kleptocratic, etc. But we need to be circumspect when we start assigning these tags to countries. We don't threaten and sanction Nigeria for the connection to the Nigerian 419 phishing scams, nor did we threaten and sanction Russia for the Gameover Zeus and Cryptolocker malware, even though both countries knew, or should have known, that these criminal activities took place on their soil.

WHAT DO WE KNOW AND WHEN DID WE KNOW IT?

So why was Sony targeted? We are led to believe that it was a result of offense taken by North Korean Supreme Leader Kim Jong Un (aka Dear One, Jr.) at the plot of the Sony motion picture The Interview. By most reports the perpetrators were an anonymous hacking group called the Guardians of Peace, which the U.S. government speculates is a cyber-attack group that acts on behalf of the North Korean government. Wouldn't it seem obvious that, if this were a hack sponsored by North Korea, they would have instructed their agents to conceal this connection? At the level of state sponsorship, to borrow a phrase from Hobbes' Leviathan, history has shown that the lives of the perpetrators may become “nasty, brutish, and short.” History has shown that when nation states are involved in cyber-conflicts, any clues left behind are most likely false flags. Over the past sixty-five years, the CIA has shown the entire global community the value of plausible deniability.

I am not saying that Kim Jong-Un is incapable of cyberwarfare. But ask yourself just how much he would gain by drawing attention to himself over an ego-motivated incident like this. This doesn't seem to be a sensible occasion for a nanananabooboo moment.

Let's look at the reported evidence. The FBI initially reported that North Korea was the likely source of mischief ( http://www.politico.com/story/2014/12/fbi-briefed-on-alternate-sony-hack-theory-113866.html ). But then it was noticed that the timestamps of some of the recovered files indicated that downloads may have been done at USB speeds - suggesting an inside job ( http://www.4thmedia.org/2014/12/breaking-we-can-conclusively-confirm-north-korea-was-not-behind-sony-hack/ ). The FBI then revised their account to suggest that the North Koreans may have subcontracted freelance hackers to do their bidding ( http://in.reuters.com/article/2014/12/30/northkorea-cyberattack-idINL1N0UD1IB20141230 ). So the source and rationale at this point seem to be a moving target. But FBI Director James Comey still holds firm that North Korea must somehow be to blame. When asked upon what solid evidence this mass media celebration is based, we get the timeworn shibboleth “Trust Me.”

Consider two of his statements in a recent article in Wired magazine ( http://www.wired.com/2015/01/fbi-director-says-north-korean-hackers-sometimes-failed-use-proxies-sony-hack/ ). First, he states “I want to show you, the American people, as much as I can about the why, but show the bad guys as little as possible about the how…This will happen again and we have to preserve our methods and our sources.” Then, in an effort to neutralize the critics, he says: “they don't have the facts that I have. They don't see what I see.”

First, let's deal with the issue of how the FBI came to “know” what they claim. According to Wired, “Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.” Really? Are we to believe that the government of North Korea, which gives its hackers full financial and military backing – the same government that has enough resources to build a missile program ( http://www.bbc.co.uk/news/world-asia-17399847 ) - doesn't have the resources to hire hackers who know how to spoof IP addresses and use proxy servers? Does this sound reasonable to you? Script kiddies know this much. If this is true, Kim Jong-Un is getting ripped off by his cyber mercenaries. Such claims should be viewed with considerable suspicion. Also, I have no idea what if anything Comey means by preservation of methods and sources if that doesn't involve subpoenas and warrants. The technical “methods” of analyzing network attacks are taught in SANS (SANS.ORG) classes. Any claim that FBI network forensics specialists have a monopoly on network traffic analysis as such and in general is preposterous.

As to “facts,” I seriously doubt that Comey did the network traffic analysis himself. So the “facts” in his possession would probably be better characterized as reportage. Perhaps it might have been more accurate for Comey to state “the summary that was presented to me [by …..] seems compelling.” But I think that the suggestion that Comey has possession of, and is in a position to interpret, the ground truth data is a bit of a stretch. Recurring misrepresentations of alleged facts by senior government officials so often prove to be gaffes that invite subsequent ridicule that I, for one, would rely much more on the opinions of those who have appropriate backgrounds in digital forensics. For all we know, Comey is making representations that have been filtered by layers of mid-level management with little or no understanding of the technological issues, or worse yet, through political filters to ensure the leadership stays on message. Recall that Iraq's possession of weapons of mass destruction, uranium yellowcake from Niger, aluminum tubes for centrifuges and the Prague connection with Al-Qaeda were all reported as certainties by the Bush administration prior to the invasion.

That said, unlike some of the other leaders of the military-industrial-intelligence community, Comey is a bureaucrat I would like to believe. He was the Deputy Attorney General who appointed Patrick Fitzgerald to investigate the outing of Valerie Plame as a covert CIA officer (a violation of Federal Law). Nothing much came from the investigation (sans conviction of Scooter Libby for making false statements and obstruction of justice – which was commuted), but one can't fault Comey for that. Comey also refused to re-certify the NSA's domestic bulk metadata collection program in 2004, which sent shock waves through the White House. Comey, along with DoJ Office of Legal Counsel Jack Goldsmith, FBI Director Robert Mueller III, Attorney General John Ashcroft, and others threatened to resign if Bush didn't bring the NSA program in line with the law (see Barton Gellman, Angler: The Cheney Vice Presidency, Penguin, 2009; Michael Isikoff and David Corn, Hubris: The Inside Story of Spin, Scandal, and the Selling of the Iraq War, Broadway Books, 2007). Again, nothing much came from this because of subsequent decisions by the FISA Court and passage of the 2007 Protect America Act. But in both of these cases, Comey et al. positioned themselves on the right side of history at least in terms of these issues. So we should try to give him the benefit of the doubt! But he's making this difficult with his pronouncements. The doubts about the North Korean connection are not without substance: ( http://marcrogers.org/2014/12/21/why-i-still-dont-think-its-likely-that-north-korea-hacked-sony/ , http://blog.norsecorp.com/2014/12/29/ex-employee-five-others-fingered-in-sony-hack/ and http://www.theatlantic.com/international/archive/2015/01/we-still-dont-know-who-hacked-sony-north-korea/384198/ ). (Bruce Schneier has links to relevant data on his blog ( https://www.schneier.com/blog/archives/2014/12/more_data_on_at.html )).

Of course, if a connection between an adversary and a hostile act is never proven, bureaucracies default to cognitive bias. On this account, the “absence of evidence is evidence of clever deceit.” Logicians refer to this as a variety of the argument from ignorance. In whatever way you wish to characterize the phenomenon, it has been used masterfully for a half-century by the neoconservatives: e.g., from Team B's claims of Soviet economic and military superiority as it was imploding, to Donald Rumsfeld's dismissal of the failure to find weapons of mass destruction in the second Iraq war as irresponsible impatience. Don't be surprised to see this tidy piece of illogic and belief perseverance resurface in this context.

EMAIL PROPRIETY 101

Some of you are old enough to remember the first principle of email propriety: “don't include things in email that you're not willing to post on your office door.” Apparently some ill-mannered executives at Sony never warmed up to this refrain. A choice selection of leaked emails from Co-Chair Amy Pascal and producer Scott Rudin was found to be injudicious and in questionable taste. (A summary timeline may be found at http://www.usmagazine.com/celebrity-news/news/sony-hack-key-events-from-leaked-emails-terror-threats-20141812 .) Could it be that entertainment executives are occasionally petty, imprudent, and ill-tempered? Color me surprised! For over a century entertainment executives have given substance and form to the phrase “warm, caring, sensitive, and fair-minded” – especially when dealing with talent (actors, directors, artists, screenwriters, etc.). And who would have thought that an occasional racist thought might creep into their light-headed correspondence? Why, even a cursory review of the list of Academy Awards will dispose of any thought of bias and discrimination in Hollywood. There was no more minority or gender bias in the entertainment industry than there was, say, in professional sports or politics for goodness sakes. And no less either! There's nothing remotely newsworthy in the leaked email that I can see. Gossipy, yes. Newsworthy, no.

Now if I haven't convinced you yet that this story is stuck on stupid, I've got a hole card. Politicians and bureaucrats pushed the story over the event horizon of dumb. First President Obama made accusations apparently based on only the fungible intelligence mentioned above. These days such accusations are predictable ingredients of an intelligence state narrative. Obama castigated North Korea for the apparent “act of cyber vandalism” ( http://www.theguardian.com/us-news/2014/dec/21/obama-us-north-korea-state-terror-list-sony-hack ) as he promised a “proportional response” (drones?) even in the absence of concrete evidence. Then Sony decided to withhold The Interview's holiday release. Obama criticized this action ( http://www.theguardian.com/us-news/2014/dec/19/obama-sony-the-interview-mistake-north-korea ). Not willing to concede the last point, Sony Entertainment CEO Michael Lynton responded that Sony sought advice from the White House without effect ( http://www.theguardian.com/film/2014/dec/18/fbi-north-korea-sony-pictures-hack-the-interview ). And so it goes. I'm confident that, were he still with us, Aldous Huxley would have said that this story does little more than feed mankind's almost infinite appetite for distraction from the more important affairs of our times.

KNOWN KNOWNS?

Someone hacked Sony. At this point the finger pointing and narrative are dominated by agendists who seek to create a usable history for themselves and their patrons. I am not claiming that Kim Jong-Un and North Korea aren't involved in the Sony hack. I'm claiming that it's irresponsible to make such accusations until verifiable proof is determined. Certainly the July 2009 DDoS attacks against U.S. and South Korean interests point to North Korean involvement, so North Korea is capable of cyber transgressions. But in this case the incomplete and unreliable evidence that is being offered amounts to little more than smoke and mirrors. The Sony hack story has all the substance and veracity of Nessie and Sasquatch sightings.

But let's be realistic. Searching for Nessie, Sasquatch, and the Guardians of Peace carries no penalties for the media. If the filmed search didn't find Nessie where expected, that's one more place we can rule out (see photo inset, film at 11). We then get a few talking heads to follow up: “I never believed that Nessie would go there.”, “We're reviewing our evidence to see where we went wrong.”, etc. Even if we can't conclusively prove that Guardians of Peace are working for Kim Jong-Un, we can find some “senior government official” to report that they probably are. That's almost the same thing as saying they might be, which in turn is just one semantic smidge away from having no idea. But reporting that we have no clue won't sell much advertising. And after all, we can always use some variant of the argument from ignorance/confirmation bias to cover sloppy reporting retroactively. And in the meantime, Sony gets some much-needed free advertising for a film with an arguably tasteless story line. And that may be the real story to get out: political satire works best when the audience is not bludgeoned with crude character assassination, suggestions of cruelty, and comical disrespect. Making films that make sport of killing world political leaders is just poor form and relies more on shock value than creativity. Moviegoers would be better served by a re-screening of Charlie Chaplin's 1940 classic, The Great Dictator, and using their imagination to port the concepts over to current affairs.

It is up to enlightened audiences to reject this background noise for what it is, for the incentives of mass media tilt toward coverage of the inane (à la Huxley). But governments would be well advised to avoid attaching military and economic consequences to crimes committed against corporations when such crimes have no national security implications. And they should certainly avoid prejudging the outcome of ongoing investigations that involve world leaders. The tough talk and bogus claims from all directions, together with threats, sanctions based on spoofy evidence, and accusations and counter-accusations serve us all poorly. Accusing attribution during an ongoing investigation is like painting falling leaves: it produces sloppy work and is unlikely to produce anything of enduring value. Thus far, the Sony hack reportage has been banal in the extreme.