The message from North Korean hackers read like the opening of a bad script for a cyber-thriller. In fact, it was the direct predicate for Russia’s cyberterrorists hacking of the DNC and the Clinton campaign. If only America had been paying closer attention.
Sony employees who logged on to their desktops early on Monday morning, November 24, 2014, were greeted with the sound of digital gunfire and the image of an ominous red skeleton under the title “Hacked By #GOP,” which stood not for the Grand Old Party, but for a shadowy organization called Guardians of Peace. Below was a message that read, in not very good English, “We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your Internal data Including your secrets and top secrets. If you don’t obey us, we’ll release [that] data.” It read like the opening of a bad script for a cyber-thriller.
But for Sony, the horror movie was just the beginning. Before the entire system went dark, the malware wiped out half of Sony’s global digital network. It junked 3,262 of Sony’s 6,797 personal computers and 837 of its 1,555 servers. Within hours, the global media giant was back in the 1980s, its employees using fax machines and pens and paper. The studio shop would only accept cash.
And it got worse. The hackers had actually been inside Sony’s system for weeks, and stolen all of Sony’s data before deleting it. Over the next month, they released nine batches of confidential files onto the public internet: everything from executives’ salaries to embarrassing emails about “no-talent” movie stars, to unfinished film scripts to actual unreleased films like Annie and Fury. Eventually all of the hacked emails were published by WikiLeaks.
Does that sound familiar? Two years later, in 2016, after we learned of Russia’s hack of the Democratic National Committee and Clinton campaign chairman John Podesta and their dark bargain with WikiLeaks to release that stolen information, it’s clear that the Sony hack foreshadowed not only the Russian attack on our election, but provided a panoramic vista of the modern, global information war. It’s all there. The vulnerability of major American institutions, the late and inept response of government, the press’s obsession with gossip that blinded them to a national-security threat, and a trampling of the First Amendment. Well, we were certainly unready when it happened in 2014. We were unready in 2016. And we seem barely more ready for 2020. Once again we have a candidate for president encouraging a foreign power to help him in his election campaign. Only now he’s president. The story of the Sony hack is worth reexamining as a model of modern information war, how we got it so wrong, and what we might do to prevent it from happening again.
Within weeks, U.S. intelligence agencies were pointing the finger at North Korea. Their motivation seemed to be a dark comedy called The Interview. The movie starred Seth Rogen and James Franco as a pair of bumbling journalists who go to North Korea to interview Kim Jong Un and eventually assassinate him. For months, North Korea had complained about the pending film. In June, a government spokesperson warned that the movie was “the most blatant act of terrorism and war” and threatened “a merciless countermeasure.” A couple of months earlier, North Korea had sent a letter to the secretary-general of the U.N., saying that unless the U.S. government banned the film, “it [would] be fully responsible for encouraging and sponsoring terrorism.” (That same day, Rogen tweeted: “People don’t usually wanna kill me for one of my movies until after they’ve paid 12 bucks for it.”)
Ten days after the initial hack, the “Guardians of Peace” released a message saying that Sony had “refused to accept” its terms and must “stop immediately showing the movie of terrorism.” A week later, they released another message saying that anyone who went to The Interview would suffer a “bitter fate.”
The FBI had now formally attributed the attack to North Korea and declared it one of the largest cyberattacks ever perpetrated in the U.S. I was then the undersecretary for public diplomacy and public affairs at the State Department, and my job was in part to worry about how America’s image around the world was affected by communications issues like this one. But this was more than a communications issue. From the moment that North Korea was identified as the source of the attack, I considered this an example of information warfare. An American media company had been attacked by a hostile foreign power. How was this different than Russia cyber-hacking the Ukrainian government? Or ISIS hacking Iraq’s government servers? It was also, I thought, a free speech issue. A despotic foreign state had attacked a company on U.S. soil and was trying to prevent it from releasing a silly comedy.
I brought this up in our weekly public-diplomacy meeting at the State Department. I brought it up at the assistant secretaries’ meeting that happened every Tuesday. I mentioned it at the small daily 8:30 a.m. meeting hosted by the secretary of State. I talked to the public affairs department about it. I said we needed to make a statement defending Sony, criticizing the attacks, and supporting the release of the film. The collective reaction by everyone at the State Department was a yawn. Responses ranged from, It’s not our problem, to Sony was stupid to use Kim’s actual name, to What do you expect when you insult a head of state and threaten another country? Really? I was dumbfounded. We’re always on the side of protecting free speech in every country where we have a post—how about protecting free speech here at home from the predations of a foreign power? Calm down, I was told; it’s a comedy starring Seth Rogen, for Chrissake.
Folks outside the government weren’t much more receptive. I called my friend Jeff Shell, the chairman of the Broadcasting Board of Governors, and, more importantly, the head of Universal Pictures. Jeff agreed with me, but wasn’t yet ready to speak up. Almost no one in Hollywood was. Even the Motion Picture Association of America kept mum.
The press was completely suckered and abdicated its real responsibility. As the Guardians of Peace had released the hacked emails of Sony executives, a scrum of journalists gleefully reported on the embarrassing, and sometimes salacious, emails of Sony execs, big-time producers, and actual movie stars. In particular, an exchange between Sony’s co-chair Amy Pascal and producer Scott Rudin about President Barack Obama’s taste in movies seemed to get more attention than the whole act of cyberterrorism. Pascal had emailed Rudin asking for advice before going to an Obama fundraiser hosed by Jeffrey Katzenberg. What should she ask President Obama “at this stupid Jeffrey breakfast?”
Both Pascal and Rudin were Democratic and Obama donors, and the stories focused on their contemptible interchange about Obama and a range of African American–centric films.
Now that I was in government, I saw things from the other side: Why was the press publishing what was in effect stolen property—that is, emails hacked and leaked by a hostile foreign power? Why was that acceptable behavior? Shouldn’t you consider the origin of the information before deciding to use it? If you don’t, aren’t you incentivizing other attacks? You could still report on the hack, but without using the poisoned fruit of the hack. By publishing the emails, the press was making itself complicit not only in North Korea’s crime, but in its goal of censoring Sony. What exactly was the public interest in Scott Rudin speculating that President Obama likes Kevin Hart movies compared to a foreign power assaulting free expression in America?
I also had a personal interest. Michael Lynton, the chairman of Sony, was a good friend of mine, and, while I was in office, I had asked him to help me with what had become the focus of my job: countering ISIS messaging and countering Russian disinformation and propaganda. Sony, it turned out, was one of the largest sellers of content for the Russian periphery. A few days into the attack, I had reached out to Michael to see if there was anything I could do at State to help him. He was frustrated. The press, he said, was focused on “a movie studio’s dirty laundry being exposed to the world, with no discussion of the damage itself and the larger threat.” He added, “They think because a movie star is involved, it’s less serious.” Michael told me that he had been in touch with Valerie Jarrett at the White House, but that was mainly to allow Amy and Scott to apologize to President Obama. He said, “Just speak out about it.”
There was one profile in courage during this whole story, one person in Hollywood and Washington who stood up for freedom of speech and expression, though he was not a senator, or the head of a studio, or the publisher of a newspaper: George Clooney. Clooney had immediately recognized the threat of the hack against Hollywood and the media business, and had drawn up a letter that he and his agent, Bryan Lourd, sent to all the heads of all the studios and big Hollywood production companies, asking them to support Sony. “We know that to give in to these criminals now,” they wrote, “will open the door for any group that would threaten freedom of expression, privacy and personal liberty.”