It has been one month since the hack attack on Sony. Thirty days rife with speculation, hype and hyperbole that threw the press into a feeding frenzy. In early days it seemed temptingly easy to believe the attack was in retaliation by North Korea for an American comedy that showed their beloved dictator, Kim Jong Un, being executed. North Korea made an excellent villain as the story played out, and the extent of the damage done to Sony was revealed. For most people, the information as presented in the media made the decision for them: North Korea was behind the attack. But after reading a particularly relevant blog post by Misguided Security (http://misguidedsecurity.blogspot.ca/2014/12/doing-un-walk.html), I realized I needed to carry the message forward: not everyone is getting all the details on the Sony hack, and that is as damaging as the hack itself.
Let me admit my guilt here and now. I did believe that North Korea was behind the attack, setting the tone for one of my earlier blog posts. While I still consider them an InfoSec menace, I’ve read and considered what other wiser, more informed minds had to say. I’m very glad I did because now, in the true spirit of this blog, I can share what I have learned.
From the outset there were many within the InfoSec community who declared that there wasn’t enough proof that it could be North Korea. Over the past few weeks, that chorus of voices has steadily grown, and consistently put forth solid reasons to back their arguments, all the time asking for definitive proof to back the allegations that it was North Korea. It was a fair and rational stance, taken by a group of people who are dedicated to and experts on Information security. More interested in promoting the truth than themselves, they put their reputations on the line to publicly dispute the assertions made by the FBI and high-profile press pundits.
These are people whose opinions I respect and trust, for good reason. They have years of experience tracking malware and real cyber threats. As events unfolded and coverage mushroomed, the CEO of TrustedSec showed the need for calmer heads to prevail when he said “Speculation backed with little facts …we need to be careful…” and then “ We are using some strong words right now and need to back it up without a shadow of a doubt.” His sentiments were echoed by another cautionary voice in the InfoSec community. “We have to be careful on our rhetoric of war and blame, as these little comments can mean big things.”(Jericho).
There are now many excellent blogs and posts about the attack on Sony, and they all give compelling reasons why we should think before we jump on any bandwagon, in this case the one that North Korea did it. The best place to start is with a simple, factual chronology of events. I like this on-going post, started Dec. 5 by Risk-Based Security (https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/). It states, for example, how the now-infamous “Passwords” folder likely was created by the hackers, GOP, when they released the files, and not Sony. But perception is paramount in the blame-game, and unfortunately Sony found itself caught in the unforgiving glare of speculation. Deflecting negative publicity onto North Korea as the evil perpetrator could help serve as damage control, especially if they were portrayed as a threat to national security. That wasn’t hard to do in the given current global concerns regarding ISIS and the Middle East.
It’s so easy to jump to conclusions, to see what we want to see. But as the Sony hack has hopefully taught us, we need to take the time to make informed decisions, and especially to listen to those who challenge assumptions with facts. Throwing around accusations without proof isn’t just foolish, it’s dangerous. It’s a great way to make a bad situation worse. When we know certain nation states are capable of irrational and unpredictable behaviour when provoked, levelling accusations requires more care and discernment. As ‘Jericho’ says, “make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.” Because given all I’ve read, attribution can become a weapon, and not necessarily one of choice.