2014 was a watershed year for the intersection of cybersecurity and the media/entertainment industry with the hack of Sony Pictures Entertainment (SPE). This article will examine the facts of the SPE attack. It will also review the ethical and legal aspects. For ethical considerations, this article will identify the proper framework to consider the actions SPE took. On the issue of legal concerns, this article will determine what recourse SPE has under the law.
Key Facts of the SPE Case
Henrikson (2015) defines a cyber attack as a “politically or strategically motivated hostile cyber-activities that ‘disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers or networks themselves’” (pp. 330–331). What happened to SPE certainly meets this definition. Right before the Thanksgiving holiday in 2014 as it was preparing to release a satirical movie about North Korea called The Interview, SPE was attacked by a cyber group called the Guardians of Peace (GOP) (Reynolds, 2019).
In this attack, the GOP robbed SPE of internal sensitive documents including salary information, emails and even passport information, according to Reynolds (2019). Contemporary news reports of the SPE attack said the GOP released the data they stole adding embarrassment to SPE’s woes along with physical destruction of SPE information technology systems (Peterson, 2014 and Reynolds, 2019). As a final touch of agony, GOP threatened to blow up theaters that showed The Interview, a film that mocked the regime of North Korea and its leader in particular; while initially SPE did pull the film out of an abundance of caution, the film was eventually streamed and shown to the world (Peterson, 2014 and Reynolds, 2019). Ultimately, SPE lost approximately $15 million which is a relatively small sum in the movie-making industry (Rushe, 2015).
The attackers, or threat actors, in the SPE attack were quickly linked to the North Korean government through public and private technical analysis and what the Federal Bureau of Investigation (FBI) called a “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea” (FBI, 2014, para. 6). This was the first time the US Government had publicly attributed a cyber attack to a nation state (Haggard & Lindsay, 2015). They did this based on the scope of the attack and examples from the technical analysis including in-common obfuscation efforts, encryption keys, and network communications (Blasco, 2016).
Ethical Analysis of the SPE Case
When discussing ethical issues, it is appropriate to have a framework to gauge one’s actions against. Velasquez et al. (2015) present five approaches to view SPE’s activities: utilitarian, rights, fairness/justice, virtue and common good. By publicly reporting the attack and immediately involving the FBI, one could make the argument SPE employed an utilitarian approach i.e. achieving the greatest good for all. The “all” in the case was the United States.
SPE could also make a rights-based approach. With this framework entities (typically humans) have moral rights that must be protected and actions should consider the goal of protecting and respecting those moral rights (Velasquez et al., 2015). This view fails however because corporations don’t have a moral center in the modern capitalist economy. They exist to make money within the bounds of the law. Additionally, the fairness/justice framework falls short in this analysis as it is centered around the idea that “all equals should be treated equally (Velasquez et al., 2015, para. 7). Being a corporate entity, it is difficult to measure equality among companies outside of financial metrics.
The virtue approach states that entities should live to achieve the highest potential we can and focus on common virtues such as honesty, courage, generosity, fidelity, and integrity among others (Velasaquez et al., 2015). This approach does not feel appropriate for a corporate entity either. That leaves common good. The common good approach is similar in nature to the utilitarian but the focus shifts to the idea of community. The “community” here is the cadre of fellow Hollywood studios as well as SPE stakeholders. This seems to be the best framework to evaluate SPE’s actions because as part of a global conglomerate headquartered in Japan, SPE holds no special allegiance to a single or group of nations (necessary in the utilitarian approach).
Legal Aspects of the SPE Case
There are plenty of cyber security laws in the United States (Nelson, 2021). However, two key aspects make it difficult for SPE to take advantage of these laws. First, movie making is not considered one of the key critical infrastructure sectors with enhanced protection status (CISA, 2021 and Macias, 2021). The second issue revolves around jurisdiction. According the the United Nations Office on Drugs and Crime (UNODC) (2019):
Cybercrime jurisdiction is established by other factors, such as the nationality of the offender ( principle of nationality; active personality principle), the nationality of the victim ( principle of nationality; passive personality principle), and the impacts of the cybercrime on the interests and security of the state (para. 4).
Because the alleged attacker is the North Korean government, there is little SPE can do directly to obtain restitution although the US Department of Justice continues to indict alleged individuals in criminal cases (US Department of Justice, 2021). In short, SPE lacks jurisdiction to act independently.
Because the attack occurred against what could have been any studio, SPE took a community good approach to dealing with the attack by enlisting the federal government’s law enforcement apparatus. The conclusion to be drawn from this path is that they were not only attempting to help themselves but also the community they reside in: large Hollywood studios. From a legal perspective, SPE is left with very few options because the attackers were not only from another country but were a separate country themselves. With this in mind, they decided to leave the law enforcement aspects of their case to agencies with a global reach. After all, nation-state attacks are not going away; in fact, they are increasing (Mansfield-Devine, 2020).
Blasco, J. (2016, February 26). Operation blockbuster unveils the actors behind the Sony attacks. AT&T Cybersecurity. https://cybersecurity.att.com/blogs/labs-research/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks.
CISA. (2021). Critical infrastructure sectors. Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/critical-infrastructure-sectors.
FBI. (2014, December 19). Update on Sony Investigation. https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
Haggard, S., & Lindsay, J. R. (2015). North Korea and the Sony hack: exporting instability through cyberspace. AsiaPacific Issues, 117, 1–8.
Henriksen, A. (2015). Lawful state responses to low-level cyber-attacks. Nordic Journal of International Law, 84(2), 323–351. https://doi.org/10.1163/15718107-08402008
Macias, A. M. (2021, July 28). Biden pushes for STRONGER cybersecurity in critical Infrastructure, wants companies to do more. CNBC. https://www.cnbc.com/2021/07/28/biden-to-sign-memorandum-to-improve-cybersecurity-for-us-infrastructure.html.
Mansfield-Devine, S. (2020, December). Nation-state attacks: the escalating menace. Network Security, 12–17.
Nelson, O. (2021, May 9). Cybersecurity laws — a complete overview. CyberExperts.com. https://cyberexperts.com/cybersecurity-laws/.
Peterson, A. (2014, December 18). The Sony Pictures hack, explained. The Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/.
Reynolds, G. W. (2019). Ethics in information technology. Cengage Learning.
Rushe, D. (2015, February 4). The interview REVENGE hack cost Sony just $15m. The Guardian. https://www.theguardian.com/film/2015/feb/04/guardians-peace-revenge-hack-sony-finances-unscathed.
UNODC. (2019). Cybercrime module 7 key issues: sovereignty and jurisdiction. Cybercrime Module 7 Key Issues: Sovereignty and Jurisdiction. https://www.unodc.org/e4j/en/cybercrime/module-7/key-issues/sovereignty-and-jurisdiction.html.
US Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes across the Globe. https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
Velasquez, M., Moberg, D., Meyer, M. J., Shanks, T., McLean, M. R., DeCosse, D., Andre, C., & Hanson, K. O. (2015, August 1). A Framework for Ethical Decision Making. Markkula Center for Applied Ethics. https://www.scu.edu/ethics/ethics-resources/ethical-decision-making/a-framework-for-ethical-decision-making/.