BLOOMINGTON, Ind. -- The Federal Bureau of Investigation has accused the government of North Korea of perpetrating the cyber attacks on Sony Pictures Entertainment that damaged Sony computer systems, stole and disseminated confidential information, and led to the cancellation of its new film "The Interview," making it one of the most important cybersecurity incidents in recent years, according to Indiana University Maurer School of Law professor David P. Fidler, who is also a senior fellow at the IU Center for Applied Cybersecurity Research.
“We have previously called out China for conducting economic cyber espionage against U.S. companies, but the cyber attack on Sony was not intended to steal corporate secrets in the shadows. It was government-sponsored cyber retribution for private-sector behavior,” said Fidler, the James Louis Calamaras Professor at the Law School. “The attack was coercive and, to make matters worse, effective in humiliating Sony and forcing it to cancel the film’s release.”
Fidler said the incident’s implications are far-reaching because it revealed continuing cyber vulnerabilities of U.S. companies; involved foreign intimidation of U.S.-based activities associated with freedom of expression; and underscored the national security threats the country faces from cyber attacks.
“With North Korea, fact always seems stranger than fiction, and this episode, which is bizarre in so many ways, remains true to form," Fidler said. "However, if correct, the U.S. government’s accusation means the power and cyber capabilities of the U.S. did not deter this government from brazenly attacking an American company in U.S. territory.”
Fidler said legal issues arise in terms of how the U.S. government responds to this incident, which the FBI described as “outside the bounds of acceptable state behavior."
“The Sony hack certainly violated U.S. law, but successfully prosecuting anyone in North Korea is not going to happen. In terms of international law, it is less clear how to characterize the hack. Was it an armed attack? A use of force? State-sponsored terrorism? Identifying the international legal rules the attack violated directly informs what countermeasures the U.S. government can take against North Korea,” Fidler said.
The lack of clear answers to these questions underscores the problems cybersecurity threats create for the U.S. and other countries.
“We are still getting our heads around the post-Snowden world,” Fidler said, recalling Edward Snowden’s disclosures about U.S. cyber activities. “Now we are also in a post-Sony world, and a Hollywood ending to the cybersecurity problems we and other nations face is looking increasingly unlikely.”
Fidler, who is editor of the forthcoming "The Snowden Reader" (Indiana University Press, 2015), can be reached at [email protected] or 812-855-6403.