Was The Sony Hack Actually An Act Of Cyberwar?

Cyberwhatever, man

Personnel With U.S. Cyber Command

Personnel With U.S. Cyber Command

U.S. Air Force, via Wikimedia Commons

It is hard to concisely describe how strange our cyberpunk present is. Yesterday Sony announced it wouldn't be releasing "The Interview," a rather raunchy film that features the assassination of Kim Jong-Un. The decision to pull the film came after hackers released tons of Sony's internal emails and documents to the public, and then threatened attacks if the film was released, maybe even on theaters showing the movie.

Former Speaker for the House Newt Gingrich declared in a tweet that: "With the Sony collapse America has lost its first cyberwar. This is a very very dangerous precedent." This is the weirdness of modernity: Hackers, suspected (but not confirmed) to be acting under the auspices of North Korea, release emails from a Japanese company, prompting the company to not release a movie made by Americans, and that is a new war lost.

No shots were fired in this war, and there are unlikely to be any casualties. Most academic studies of war set a threshold of at least 1,000 battlefield casualties for the conflict to count as a war. But the Sony hack isn't conventional war. It is, instead, cyberwar, a newer and stranger beast. In 2013, the Director of National Intelligence published a report identifying cyber attacks as America's top security threat. While that sounds scary, it's mostly good news. Past number one threats included nuclear stand-offs and terrorism, both of which have actual body counts. Cyberwar is, so far, mostly sabotage and information theft.

Here's an example of the confusing boundaries of cyberwar from last year. Chinese Army Unit 61398 is clearly a military entity, and one engaged in nefarious acts online. According to a report from security consulting firm Mandiant, 141 computer attacks from 2007 to 2013 can be traced back to their Shanghai headquarters building. The most famous of these attacks involved hacking into the email accounts of 53 New York Times employees, people who certainly are not military targets. But was that cyberwar?

NATO, an alliance built for total and even nuclear war, has put serious thought into the rules of cyberwar. From 2009 to 2012, NATO gathered legal scholars to contribute to a tome known as the Tallinn Manual. The manual is named for the capitol of Estonia, a technically savvy former Soviet Bloc country that was admitted to NATO in 2004 and which has suffered a fair amount of "cyber terrorism" from its neighbor Russia. The Tallinn Manual provides guidance and perspective from legal scholars on what international law for conflicts online should look like. However, it is not a codified body of law.

When it was published last year, the Tallinn Manual was greeted with controversy over a section that condones nations bombing or physically harming civilians who are participating in cyber attacks. While the idea of a military attacking hackers with bombs seems disproportionate, the manual placed this exception fully within the context of hackers actively participating in an armed conflict. In other words, a cyberattack would have to result in the death of civilians before the hackers could be targeted by a nation's military. Additionally, targeting a hacker outside of a war before shots are fired is unlikely, but if nations are already fighting a shooting war and hackers are involved, then the hackers might be targeted. It's an exception for wartime.

So what about the (suspected) North Korean hackers and “The Interview”? Is this, as former speaker Gingrich argued, an actual cyberwar?

Michael Schmitt is a professor of international law at the U.S. Naval War College, and is currently working on the Tallinn 2.0 project for NATO, which is a follow-up on the earlier manual. Writing at Just Security, Schmitt says the attack on Sony probably failed to rise to that of an armed conflict:

The cyber operation against Sony involved the release of sensitive information and the destruction of data. In some cases, the loss of the data prevented the affected computers from rebooting properly. Albeit highly disruptive and costly, such effects are not at the level most experts would consider an armed attack. Additionally, some states and scholars reject the view that the right of self-defense extends to attacks by non-state actors. Even though the attribution of the Sony incident to North Korea has been questioned, this debate is irrelevant because the operation failed to qualify as an armed attack in the first place.

Schmitt’s full post goes in depth about a range of interpretations of the attack, as well as possible responses for each scenario. The rules for cyberwar are young, and the Tallinn Manual provides a good idea of what form that law might take. And as further commentaries and revisions are written, the international community gets closer to understanding when online hacks by other countries are considered warfare, and when, instead, they’re just really rude.

UPDATE: 10:11 a.m. on Dec. 19, 2014

Last night, Newt Gingrich held a question and answer session on Facebook. The topic was "North Korea, Cyber War, Sony and the U.S." We asked what about the hack brings it to the level of war, and if he thought the Tallinn Manual is too limited in how it codifies attacks. Gingrich responded:

I am not familiar with the tallinn manual and will look it up. A cyber action designed to coerce behavior and connected to an explicit threat to kill people if theaters show the movie would seem to me to be an act of war. You have foreigners coercing an American. Company, threatening American theaters and proposing to kill Americans. If that isn't an act of war what is it?