North Korea has delivered a major blow to freedom of expression in the US and emboldened Internet hackers everywhere by successfully coercing Sony Pictures into axing the release of its new film, The Interview. The movie, which is about a plot to assassinate Kim Jong-un (and looks terrible), was due to premiere on Christmas Day but now won’t be shown in theatres. The decision was made in response to a massive malware attack on Sony, claimed to be the most damaging cyber attack ever on an American company and included threats of 9/11-magnitude violence on cinemagoers.
The attack, which the FBI has linked to North Korea, has been called an ‘act of war’ by Senator John McCain and labeled ‘cybervandalism’ by President Barack Obama. In response to the attack, the US is considering putting North Korea back on the list of state sponsors of terrorism while Republicans are calling for a restoration of sanctions lifted under the Bush Administration. So, what else can be done? A number of responses have been proposed, including prevention and punishment.
On the prevention side, cyber security experts and North Korea analysts have recommended that businesses fortify their Internet security through encrypting data and creating stronger passwords and safeguards as well as making an IT security team a vital component of their organisations (which Sony didn’t do).
On the punishment side, while the Obama Administration mulls over a ‘proportional response’, former NSA research scientist and cyber security expert Dave Aitel suggests the US consider changing the law around cyber attacks so that, when appropriate, they would be considered terrorist acts and the groups behind them terrorists. According to Aitel, that would ‘set in motion a wider range of legal authority, US government/military resources, and international options’. The problem with that approach, however, is distinguishing between cyber crime and cyber terrorism, not to mention the lag in lawmaking behind the rapidly evolving cyber threat. Aitel mentions other offensive options for the US, including launching its own cyber attack against North Korea and shutting down what little Internet access Pyongyang has. But he concedes that tit-for-tat cyber attacks might lead to escalation.
Without doubt, American and other companies should be better equipped to deal with cyber attacks and North Korea should face punishment in order to dissuade it from future attacks. But neither will do much to address the underlying problem: when you have a regime that’s motivated by a desire for survival at the expense of all else, prevention and punishment mightn’t be enough. What you need is a new policy.
The current US policy of ‘strategic patience’ is clearly defunct, but unfortunately the prospects of the US adopting a new policy on North Korea now are extremely unlikely: Obama has just reopened full diplomatic relations with Cuba and may not want to weather further criticism or appear weak by doing something similar with North Korea. Moreover, Obama has only two years left in office and is already committed to addressing the expanding ISIL threat. He lacks time and energy, and engaging North Korea this late in his presidency would probably bear little fruit (North Korea would likely just wait him out).
What about North Korea’s somewhat reluctant bodyguard China? While China is perhaps less concerned than the US over North Korea’s hacking activities, Pyongyang is an increasing burden on and embarrassment to Beijing. China’s longstanding policy has been to protect North Korea but it has major opportunity through the UN to adjust this policy and begin applying pressure to Pyongyang.
As a consequence of the February 2014 UN report into human rights in North Korea, UN Security Council members are poised to vote on whether to refer North Korea to the International Criminal Court. China faces the embarrassment of vetoing the move, thus tacitly approving North Korea’s human rights violations at a time when it wants to be considered a responsible global power. Another outcome—although less likely—would be for Beijing to abstain from voting, leaving it to Russia to veto the decision: the result would be the same—a North Korea sheltered from scrutiny—but with the added benefit of signaling to Pyongyang that China’s support is contingent on good behaviour. Unfortunately, both of these potential outcomes would miss a gift-wrapped opportunity to pressure North Korea into reforming. Few, if any, expect China to support the resolution.
Missing out on The Interview isn’t a big deal; failing to reassess our policies on North Korea, is. This case reinforces what South Korea has known for some time—from within its own walls, North Korea can reach out and touch groups in other countries, cause damage worth millions of dollars, harm reputations and threaten democratic values, all with little fear of retribution. That’s the real challenge. As well as addressing weaknesses in our cyber security and punishing the perpetrators, let’s not forget that if we don’t attack the root of the problem, the tree will still grow.