FBI Director: Yes, I’m sure North Korea did it. (Update: So is NSA’s Director)

The other day, a reporter asked me whether the “considerable doubt” about Pyongyang’s responsibility for the Sony hacks and terror threats undermined the legitimacy of the President’s response. I suppose the answer depends on your perspective. I’m not privy to the FBI’s evidence against North Korea, but my greater doubt is whether the President’s response, so far, is meaningful.

A week ago, however, I decided that the FBI was losing the battle for public opinion. I recalled the CIA’s video about the North Korean-built reactor at Al-Kibar, Syria, and wondered if it would be possible to create something like this for Sony.

As a result of this video, there’s little room for serious doubt about North Korea’s responsibility for Al-Kibar. The irony of Al-Kibar is that while one part of the Bush Administration did a fine job of making its case — once forced to do so by Congress — Bush himself was just as determined to do nothing about it. After an equally slow start, the FBI Director is now making an effort to shore up public confidence in its case.

Federal Bureau of Investigation Director James Comey on Wednesday said the U.S. is confident about North Korea’s involvement in the December threats against Sony Pictures because the people involved at times slipped up and didn’t properly use tactics designed to obscure the source of the messages.

When that happened, investigators were able to see clearly that they came from Internet addresses used solely by North Korea, Mr. Comey said. “There is not much in this life that I have high confidence about,” Mr. Comey said. “I have very high confidence about this attribution.”

Mr. Comey also highlighted other evidence, such as analysis by FBI personnel that matched patterns of writing and other signatures to those found in other attacks launched by North Korea. [….]

Mr. Comey said the U.S. has more evidence that North Korea was behind the attack that it can’t release publicly. He said those who have questioned the conclusion North Korea was involved “don’t have the facts that I have, they don’t see what I see.” [Wall Street Journal]

Comey delivered the remarks at a four-day cybersecurity conference in New York.

Though Mr. Comey did not offer more details about the government’s evidence in a speech in New York, senior government officials said that F.B.I.’s analysts discovered that the hackers made a critical error by logging into both their Facebook account and Sony’s servers from North Korean Internet addresses. It was clear, the officials said, that hackers quickly recognized their mistake. In several cases, after mistakenly logging in directly, they quickly backtracked and rerouted their attacks and messages through decoy computers abroad. [….]

Responding to critics who have questioned why the United States thinks North Korea was the source of the attacks, Mr. Comey said on Wednesday that the hackers became “sloppy” as they tried to cover their tracks. He acknowledged that the North Koreans had used decoys but did not elaborate about the specific mistakes the hackers made that gave him “high confidence” the country was behind the attack.

Mr. Comey urged the United States intelligence community to declassify all the information that showed that the hackers had used such servers, something that could take months. [N.Y. Times]

This is a good start, particularly the call to declassify as much of the evidence as can be declassified without compromising sources and methods the intelligence community will need again. The Director’s statement alone won’t be enough to marginalize the skeptics to the fringes and gain enough support for the President to take effective action, assuming (as I don’t) that the administration really wants to take effective action.

Different motives are driving different reactions to Sony, and not all of those motives necessarily yield to the evidence.

Some of the skepticism is based on IT forensic analysis, and seems conscientious, if inconclusive. After all, most of those criticisms began by arguing that IT forensics is an inexact science, and then proceeded to offer their own alternative IT forensic theories. Not everyone agrees that the skepticism is even conscientious:

[T]he F.B.I. and other security experts say those critics have had access to only some of the evidence from the attack. They say the accumulation of the evidence collected by the F.B.I., Sony and Mandiant, a security firm hired by Sony, makes clear that North Korea was the culprit.

Just before Mr. Comey made his statements, a leading cybersecurity expert took those critics to task.

“One of the joys of the Internet is that anyone with a keyboard and a connection can be an expert,” James A. Lewis, a director and senior fellow at the Center for Strategic and International Studies in Washington, wrote in an essay posted online on Wednesday. “Opinion substitutes for research. The uninformed debate over the Sony cyberincident is the most recent example of the Internet’s limitations.” [N.Y. Times]

Some of the skepticism, such as the analysis of the hackers’ English, reads like pseudoscience. Lewis’s comment reminds me of the two years after 9/11, when everyone with a GeoCities account was suddenly a structural engineer.

I’m no expert on computer forensics. I can only hope that the FBI was very confident about its conclusions before making such a serious charge. Those conclusions are obviously based on classified evidence, but it would be a mistake to assume that the FBI is basing its conclusions on computer forensics alone. I don’t know what the FBI knows. More importantly, neither do the inside-job theorists. Unfortunately, intelligence agencies that do have that information have to keep their sources and methods secret, or they won’t have those sources and methods for long.

Mr. Lewis said a close reading of classified documents leaked last year by Edward J. Snowden, the former National Security Agency contractor, made clear that American intelligence officials maintained deep access in North Korea’s networks.

The real debate, Mr. Lewis said, was one of government mistrust by the cybersecurity community, particularly after the revelations by Mr. Snowden. [N.Y. Times]

Of course, the FBI isn’t always right. In this case, however, the criticism doesn’t persuade me to deny the FBI a presumption of veracity.

First, I don’t see any motive for the FBI or the President to fabricate a case against North Korea. If you’ve been watching this administration’s North Korea policy, what’s remarkable is the extraordinary efforts it has made to ignore North Korea; hence the term “strategic patience.” In fact, this administration has been forced to turn to a whole series of foreign policy problems that it would have preferred to ignore — the Arab Spring, the Green Revolution in Iran, Libya, the South China Sea, Ukraine, Syria, the rise of ISIS, and now, North Korea. The last thing it wanted was yet another foreign policy crisis, or for North Korea to make it look incapable of protecting the United States from the tantrums of a porcine adolescent heir to a blighted kingdom.

Second, the ease with which some readers have seized on inside-job theories reminds me that a dubious political psychology often drives them. Among some quarters of the left, there is a capacity for introspection and self-criticism that makes our society more just and more fair when imbibed in moderation, but which quickly becomes witless masochism when drunk to excess. In recent years, both the far left and the far right have been seized by the temptation to deny, at any cost, the frightening thought that our freedom and our safety are threatened by thugs from beyond our borders. It makes them feel safer, somehow, to cling to inside-job explanations that would relieve us from the burdens of confronting hard questions that spring from unwelcome conclusions. But feeling safer isn’t the same as being safer.

None of which should really be reason to debate the legitimacy of blocking Kim Jong Un out of the financial system. There were many good reasons for tougher sanctions against North Korea long before the Sony hack. Michael Kirby called for them a year before Sony, and Congress introduced sanctions legislation nearly two years before. The administration could have taken action against North Korea for any number of reasons — North Korea’s crimes against humanity, proliferation, money laundering, support for terrorism, military provocations, or its refusal to give up its nuclear weapons programs. The administration didn’t necessarily have to blame Pyongyang for Sony, but if it was convinced of Pyongyang’s guilt, a President who is unwilling to assign blame to those who attack and threaten us in our own country signals an unwillingness to deter the next attack.

I commend President Obama for putting the country’s interest before his political interest by doing so. Having come this far, his administration must make its case. I hope it makes a compelling one.

~   ~   ~

Update, Jan. 10, 2015: The NSA’s Director weighs in:

Rogers, the NSA director, discussed the Sony hack at numerous points throughout his talk, prior to the question and answer period. “I have very high confidence—I remain very confident—that this was North Korea,” he said, echoing FBI Director James Comey the day before. He said this was the first time a nation-state has carried out an act to “stop the release of a film with a particular viewpoint and characterization of a leader.” [….]

Naming North Korea and announcing economic sanctions was critical for deterrence of future nation-state or other types of cyber attack, Rogers argued. “The entire world is watching how we as a nation are going to respond to this,” he said. [The Intercept]

So far, the administration’s response has been to designate ten low-level individuals and three mid-level entities that have been designated for years.


  1. Red flags went up for me when emails of a gender pay gap at Sony were leaked. Why would DPRK care about a gender pay gap in the USA?


  2. That’s an easy one to answer: North Korea’s consistent approach is to accuse the U.S. of hypocrisy when it comes to social justice. Look at how it used the protests in Ferguson.


  3. Regardless of the scientific validity of stylometric analysis, anyone citing the Taia Global report forfeits the right to complain about the U.S. government’s lack of transparency with regard to the evidence: apparently Taia’s white paper (which is available only on request) doesn’t actually cite any examples from Russian or other languages to back their assertions, and instead just baldly states that “this construction suggests a native Russian speaker because we say it does.” Perhaps there’s some sort of “trade secrets” rationale at work here, but so far Taia’s claims seem to require as much or more faith as the USG’s.