December 22, 2014 | Issue Brief on National Security and Defense
Over the past week, the hack of Sony Pictures has gone from an embarrassing cybersecurity incident to successful international terrorism and extortion by North Korea. Several yet-to-be-released films were stolen from Sony Pictures and circulated on the Internet. The hackers, who call themselves the “Guardians of Peace,” released private e-mails and the health records and salaries of Sony employees to pressure Sony not to release the movie The Interview, a comedy about a fictional plot to assassinate North Korean leader Kim Jong-un. To up the ante, the hackers also threatened a 9/11-type attack on theaters showing the film.
Sony and theater chains quickly withdrew the film for financial and liability reasons. Cancelling the film’s release will cost Sony an estimated $100 million in lost revenue. The cancellation of The Interview, along with the cancellation of another planned satiric film on North Korea, comes amidst the FBI’s determination that the North Korean government was responsible for the hack. Although the attack is on a private company, there are steps that the U.S. government should take in response to this cyber attack by North Korea. The U.S. must signal to the world that dictators and terrorist groups cannot squelch free speech via extortion or a threat of violence.
Contrary to the perception that North Korea is a technically backward nation, the regime has an active cyber warfare capability. The Reconnaissance General Bureau has 3,000 “cyber-warriors” dedicated to attacking Pyongyang’s enemies. Seoul concluded that North Korea was behind cyber attacks against South Korean government agencies, businesses, banks, and media organizations in 2009, 2011, 2012, and 2013. A South Korean cyber expert assessed that North Korea’s electronic warfare capabilities were surpassed only by the United States and Russia.
While North Korea is a serious threat to peace and U.S. interests, this incident requires policymakers to think beyond the Hermit Kingdom. Such an act of extortion will likely inspire other enemies and challengers of the U.S. around the world. ISIS, al-Qaeda, Iran, Russia, China, and others now know they can force a company operating in the U.S. to fold by threatening terrorism. If the U.S. government does not respond, the U.S. will send the message to bad actors around the globe that U.S. citizens and companies can be coerced with impunity. President Obama denounced the attack in his press conference and said that the U.S. will “respond proportionally” in a way and time of the U.S.’s choosing. While this is a good first step, words and symbolic gestures are not enough. In light of other foreign policy retreats and mistakes, such as the recent announcement of normalization of relations with Cuba in return for nothing or the New Strategic Arms Reduction Treaty that was supposed to appease Russia, bad actors around the world are getting a clear message that the U.S. can be easily duped or coerced. A similar mistake should not be made in this case.
North Korea’s role in this cyber attack and its threats against Sony violate multiple laws. Before a criminal indictment can be sought by the Justice Department, though, the government will have to gather all the relevant and material facts. Those facts are not yet available, at least not to the public. Once the government finds out the facts, then they can, and should, find out what statutes the hackers violated and indict the individuals for participating in this egregious terrorist act. Indictments alone, however, are not the solution.
The U.S. government should take action to better defend U.S. cyberspace, punish North Korea, and deter further aggression by other malicious nations. Congress and the Administration should:
North Korea poses a growing national security threat to the United States and its allies. Pyongyang continues to augment and refine its nuclear and missile arsenals. In recent years, the regime has conducted cyber attacks against government and private targets. Without a firm response from the U.S. to North Korea’s hack of Sony and subsequent threat of terrorism, such attacks and threats against the U.S. and her interests will only grow more common.—David Inserra is Research Associate for Homeland Security and Cybersecurity in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Bruce Klingner is Senior Research Fellow for Northeast Asia in the Asian Studies Center of the Davis Institute.
 Brent Lang, “Sony Hackers Threaten 9/11 Attack on Movie Theaters that Screen ‘The Interview,’” Variety, December 16, 2014, https://variety.com/2014/film/news/sony-hackers-threaten-911-attack-on-movie-theaters-that-screen-the-interview-1201380712/ (accessed December 19, 2014).
 Nate Silver, “Killing ‘The Interview’ Could Cost Sony $100 Million,” Five Thirty Eight, December 17, 2014, http://fivethirtyeight.com/datalab/killing-the-interview-could-cost-sony-100-million/ (accessed December 19, 2014).
 Esther Zuckerman, “Steve Carell North Korea-Set Movie Dropped,” Entertainment Weekly, December 17, 2014, http://insidemovies.ew.com/2014/12/17/steve-carell-north-korea-set-movie-dropped/ (accessed December 19, 2014).
 News Release, “Update on Sony Investigation,” Federal Bureau of Investigation, December 19, 2014, http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation (accessed December 19, 2014).
 Sangwon Yoon, “North Korea Recruits Hackers at School,” Al-Jazeera, June 20, 2011, http://www.aljazeera.com/indepth/features/2011/06/201162081543573839.html (accessed December 19, 2014).
 “N.K. Third for Cyber War Capabilities,” The Korea Herald, June 7, 2012, http://www.koreaherald.com/view.php?ud=20120607001276 (accessed December 19, 2014).
 “Obama Pledges Proportional Response to Sony Hack,” Associated Press, December 19, 2014, http://abcnews.go.com/Politics/wireStory/obama-pledges-proportional-response-sony-hack-27721995 (accessed December 19, 2014).
 James Jay Carafano, “More Reasons Not to Trust Russia on New START,” Daily Signal, December 15, 2010, http://dailysignal.com/2010/12/15/more-reasons-not-to-trust-russia-on-new-start/; Ana Quintana, “Q&A on Obama’s Policy Changes Toward Cuba,” Daily Signal, December 18, 2014, http://dailysignal.com/2014/12/18/q-presidents-recent-policy-changes-toward-cuba/; and Kim R. Holmes and James Jay Carafano, “Defining the Obama Doctrine, Its Pitfalls, and How to Avoid Them,” Heritage Foundation Backgrounder No. 2457, September 1, 2010, http://www.heritage.org/research/reports/2010/08/defining-the-obama-doctrine-its-pitfalls-and-how-to-avoid-them.
 David Inserra and Paul Rosenzweig, “Cybersecurity Information Sharing: One Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2899, April 1, 2014, http://www.heritage.org/research/reports/2014/04/cybersecurity-information-sharing-one-step-toward-us-security-prosperity-and-freedom-in-cyberspace.
 Bruce Klingner, “Time to Get North Korean Sanctions Right,” Heritage Foundation Backgrounder No. 2850, November 4, 2013, http://www.heritage.org/research/reports/2013/11/time-to-get-north-korean-sanctions-right.
 North Korea Sanctions Enforcement Act of 2014, H.R. 1771, 113th Congress, http://docs.house.gov/billsthisweek/20140728/BILLS-113hr1771-SUS.pdf (accessed December 19, 2014).
 Executive Order 13224, September 23, 2001, http://www.state.gov/j/ct/rls/other/des/122570.htm (accessed December 19, 2014).
 18 U.S. Code § 1030, http://www.law.cornell.edu/uscode/text/18/1030 (accessed December 19, 2014).
 Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.