Accurately Attributing the Sony Hack is More Important than Retaliating

By Michael Sexton, Columnist

Beginning November 24, 2014, Sony was struck by an aggressive cyber attack, which involved the release of employees’ private information and threats to terrorize movie theaters showing The Interview, a comedy centered on a CIA assassination plot against Kim Jong-Un. The popular narrative of the attack’s origin, supported by the US government, is that North Korean government hackers carried out the attack. [1] In response, President Obama has imposed new sanctions on North Korean government officials[2] – a move that is hardly objectionable but is unlikely to be impactful against the quintessential pariah state. While policy circles have debated how to respond to the attack, cyber security experts have questioned the attribution to North Korea outright, pointing out that the FBI’s publicly released evidence is not conclusive.[3] The government should heed experts’ skepticism and rigorously demonstrate North Korea’s culpability before carrying out Obama’s “proportional response.”[4]

The purpose of this column is not to dispute the attribution of the hack to North Korea;[5] rather, the premise is that the evidence released thus far does not prove North Korea’s guilt. FBI Director James Comey recently doubled-down on the government’s attribution, stating that the hackers failed to mask their IP addresses at certain points during the attack (itself inconclusive, as these addresses could have been proxies, too). He then asserted how exceptionally confident he is in the attribution, as if that would allay experts’ concerns.[6] It is likely the FBI has evidence implicating North Korea in the attack that it cannot divulge. For example, if the attribution to North Korea is corroborated by a human intelligence source in the North Korean government, the US cannot state that without jeopardizing the informant’s life. Comey, nevertheless, cannot grumble that cyber experts do not buy his claims: he has not properly supported them, and even trusted, classified human intelligence can backfire catastrophically.[7]

The US must seriously make its attribution case before retaliating further, or else that retaliation may be considered illegitimate internationally, and any ensuing escalation can be perceived as the US’s fault. President Obama vowed a “proportional response,” which is understood to mean a retaliatory cyber attack.[8] In practice, that will not be a simple task. The available, internet-connected targets are the military, the elite, and the propaganda complex,[9] and targeting any of them runs the risk of escalation. Furthermore, if the attribution to North Korea proves false, the “retaliatory” cyber attack would be a violation of international law.[10] We should not forget how confident the government and public were about Iraq’s WMD program in 2003, and the impact our misguided response had on America’s image abroad.

The perennial issue of strategy and ends is an oft-misunderstood dimension of the attribution process. To amend Carl von Clausewitz’s claim,[11] cyberwar is politics by other means (even if the political ends are just “the lulz.”) In the Sony hack, the popular narrative posits a straightforward strategy: North Korea finds The Interview offensive and hacked Sony to prevent its release. However, the narrative that The Interview provoked the attack began as media speculation before the hackers claimed it as motivation.[12] It is conceivable from the publicly available evidence that The Interview narrative is a strategic red herring – a means of obscuring the perpetrators by redirecting attention towards a belligerent foreign government. If that were the case, the US would be the true provocateur in any retaliation, and it could fail in bringing the perpetrators to justice.

Unfortunately, media hype, celebrity involvement and the knee-jerk frenzy over terrorist threats have impeded the ability of the government and cyber security firms to properly investigate, analyze, and present all suitable evidence in the Sony hack. When an unidentified hacker threatens a second 9/11[13] and, suddenly, no one can see The Interview in theaters, it is not easy for the government to respond by warning us that attribution of cyber attacks is a slow, nuanced and probabilistic process.[14] However, the US government must, for its own sake, remain above the fray and make its case as a prosecutor does in court: methodically and persuasively and with consideration to sources and tactics. If the US retaliates further without doing so, it may be going rogue in the eyes of its allies at best, and, at worst, instigating a low-level cyberwar under false pretenses.


Mike Sexton is a columnist at the Georgetown Security Studies Review, an Analyst Intern at Ntrepid Corporation and an MA Candidate in the Security Studies Program. Previously, he worked as the Data Manager at the Chicago Project on Security and Terrorism. He holds a BA in Mathematics from the University of Chicago and writes on cyber security and other issues at the intersection of computer science and security policy.


[1] Robb, David. “Sony Hack: A Timeline.” Deadline. December 22, 2014. Accessed January 10, 2015.

[2] Sanger, David, and Michael Schmidt. “More Sanctions on North Korea After Sony Case.” The New York Times. January 2, 2015. Accessed January 10, 2015.

[3] Uchill, Joe. “After Comey’s Speech, Critics Still Unconvinced by the FBI’s Sony Hack Theories ( Video).” The Christian Science Monitor. January 9, 2015. Accessed January 10, 2015.

[4] Brunnstrom, David, and Jim Finkle. “U.S. Considers ‘proportional’ Response to Sony Hacking Attack.” Reuters. December 18, 2014. Accessed January 11, 2015.

[5] To understand the problems with the F.B.I.’s evidence, I recommend reading Marc Rogers’s refutation of the attribution and Bruce Schneier’s alternative theoretical attributions: Rogers, Marc. “No, North Korea Didn’t Hack Sony.” The Daily Beast. December 24, 2014. Accessed January 10, 2015.; Schneier, Bruce. “Did North Korea Really Attack Sony?” The Atlantic. December 22, 2014. Accessed January 10, 2015.

[6] Greenberg, Andy. “FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses | WIRED.” January 7, 2015. Accessed January 10, 2015.

[7] “The Record on CURVEBALL.” The National Security Archive. November 5, 2007. Accessed January 11, 2015.

[8] Perlroth, Nicole, and David Sanger. “North Korea Loses Its Link to the Internet.” The New York Times. December 22, 2014. Accessed January 11, 2015.

[9] Ibid.

[10] “International Law in Cyberspace.” U.S. Department of State. September 18, 2012. Accessed January 11, 2015.

[11] Clausewitz, Carl Von, and Michael Howard. On War. Princeton, N.J.: Princeton University Press, 1976. 87.

[12] Schneier, Bruce. “Did North Korea Really Attack Sony?” The Atlantic. December 22, 2014. Accessed January 10, 2015.

[13] Boot, William. “Sony Hackers Issue 9/11 Warning.” The Daily Beast. December 16, 2015. Accessed January 11, 2015.

[14] Rid, Thomas, and Ben Buchanan. “Attributing Cyber Attacks.” Journal of Strategic Studies, 2014. Accessed January 10, 2015.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.