By Andreas Haggman
On Thursday 7th and Friday 8th May, students from the Information Security Group and Department of Geopolitics at Royal Holloway attended a workshop on the hacking of Sony Pictures hosted by the cyber security Centre for Doctoral Training at Oxford university.
The workshop was co-organised by students from Royal Holloway and Oxford and funded by the CDTs at both universities as well as the Security and Sustainability research theme at Royal Holloway. The workshop was designed as an interdisciplinary event, covering a multitude of facets of the Sony hack which came to prevalence in November 2014. This topic is replete with both technical and geopolitical details, and it is intriguing to explore how a seemingly innocuous data breach came to have such widespread international effects. Special focus was afforded to the attribution of the hack to North Korea, which has proven especially contentious.
On the first day of the workshop participants heard talks from a more technical angle. Andrea Nini from Aston University presented a forensic linguistic analysis of a sample of texts from the hack. The texts displayed four distinct characteristics: article confusion, preposition misplacement, unusual collocations and uninflected “be” in passive subordinate clauses. This, according to Nini, was evidence of the author being a non-native English speaker as well as first-language interference. Furthermore, the errors were consistent with those one would expect to see from speakers of languages from east Asia, particularly Japanese and Korean. While this in no way proves that North Korea perpetrated the Sony hack, it certainly does not discredit that hypothesis.
Dmitri Alperovitch from Crowdstrike joined the workshop via video call to introduce a video demonstration of how the hack was conducted. Though it did not make any claims regarding the perpetrators, the video was a valuable insight into the techniques and tools used by the hackers. The credibility of the demonstration was reinforced by Crowdstrike’s accurate reconstruction of the actual topology of Sony’s corporate network.
Jeff Carr from Taia Global joined via video call to offer an alternative interpretation of the Sony hack, with a radical departure from the official attribution to North Korea. By leveraging his network of contacts in the seedier underbelly of the hacking world, Carr had discovered a Russian hacker who claimed to have been involved in, though not solely responsible for, the hack. In Carr’s view, North Korea had been an easy target on which to place blame, and in this case, as in many other cases of network intrusion, there are no obvious and easy answers.
The final presentation on the first day was from Hardin Tibbs from FutureLens. Tibbs presented a summary of a report he had recently produced for the UK Ministry of Defence, whereby he had constructed a game board on which incidents in cyberspace could be mapped and played out. The purpose of the exercise was to explore the nature of cyber power and how different actors interact on different levels in the international system. It was a broadly theoretical talk, interspersed with examples from recent history, inviting the audience to consider how the game board could be used to analyse the Sony hack.
To finish off the day, the speakers formed an interactive panel session with which a lively audience debate ensued. The fascinating discussions unfortunately had to be curtailed in the interests of dinner reservations, but conversations continued long into the night, hopefully a sign of a successful and stimulating opening day to the workshop.
Undeterred by the distraction of general election results, Friday morning kicked off with Michael Drury, formerly Director of Legal Affairs at GCHQ, delivering both an overview of the difficulties of law in cyberspace as well as commentary specifically on the Sony hack. Drury explained the lack of legal restraint to people, for example journalists, using material which has been leaked online, unless there is intellectual property involved. Furthermore, Drury claimed that the Sony hack had not meet the threshold of armed attack, posing difficulties to invoking Article 51 of the UN Charter (self-defence), as well as difficulties in determining whether US sovereignty had been impinged, given the mismatch between cyber and analogue space.
Madeline Carr from Aberystwyth University delivered a presentation on the international relations aspects of the Sony hack. She expressed lament at how ill-equipped international politics is in dealing with the cyber challenge, particularly the attribution problem, which had not been an issue prior to cyber. The difficulties in attribution, Carr claimed, prohibits states from falling back on existing frameworks of war/terrorism/crime which govern responses, and this is immensely frustrating to political leaders as they are left in a state of limbo and inaction. Additionally, the Sony hack clearly brought out tensions present in the public/private partnership, where roles and responsibilities are notoriously ill-defined leading to a lack of accountability.
Over lunch the workshop participants were divided into groups in an interactive scenario. The setting was a localised echo of the Sony hack, changing the locale to the UK, using a British film production company with the perpetrators being Russian. The task was to formulate short responses from the point of view of the film company, the British government, the National Crime Agency, a cyber security firm, and the Russian government on which a panel of speakers would provide feedback. The responses displayed great understanding of the wide variety of factors at interplay in such a situation – with the Russian decline to provide any comment proving the most astute (and humorous).
Our last presenter was a journalist* who spoke about the general difficulties of covering cyber in the news, particularly the use of technical jargon and finding stories the audience can relate to. With regards to this the Sony hack has actually proved particularly powerful for three reasons. Firstly, people can relate to films. Secondly, it involved celebrities. Thirdly, it shifted from just cyber to the physical world. This last point, the journalist claimed, is probably indicative of how cyber will be covered in the future because people can relate to physical consequences rather than just exfiltration of data.
Overall the workshop was a brilliant success (if I may say so myself), and feedback from participants has reinforced this conviction. The wide variety of speakers on offer provided a broad yet insightfully illuminating exploration of the Sony hack and its implications. The different angles of analysis ensured participants from varying backgrounds could find material to relate to and engage with. Here’s to hoping for a repeat in 2016!
*Name and affiliation withheld
Andreas Haggman is a PhD student in the Cybersecurity CDT at Royal Holloway. He completed his undergraduate and masters degrees in the War Studies department at King’s College London before joining the CDT in the autumn of 2014. Prior to and inbetween his degrees he spent time working in the video games industry, retail management and the defence sector. Andreas’s research interests lie in non-technical cyber security topics pertaining to military and government applications of cyber technologies, and organisational and policy responses to cyber security issues.