Five years ago, South Korea was hit by a computer virus that took more than 20,000 computers and had them attack banks, television stations and its ministry of defence. A Vietnamese company was asked to investigate and eventually traced the attack order to a small internet company in Brighton — which, of course, knew nothing. If a missile is fired, it is easy to find out who to retaliate against. But in cyber warfare, you can only guess — as Hollywood is finding out.
Even now, it is impossible to blame North Korea for the hacking that embarrassed Sony Pictures into pulling out The Interview, a film about a plot to kill Kim Jong-un, the North Korean leader. It is a screwball comedy about a hapless talk-show host sent to assassinate Kim and has plenty of jokes about the “Dear Leader” claiming to be able to talk to dolphins and never needing to go to the loo. His regime did not see the funny side and threatened “a merciless countermeasure” if Sony went ahead with film. North Korea threatens merciless countermeasures of some kind almost every day, so this threat, in itself, was not taken seriously — until a hacking collective called “Guardians of Peace” disabled Sony’s computer system, wiped data, stole 10 years’ worth of emails and published the most embarrassing excerpts. The hackers then moved on to more serious threats. “Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001,” it promised. “All the world will denounce the SONY.” But no one, for now, will know how awful (or otherwise) the film is. The threat may itself sound like a line in an Austin Powers remake, but it was enough to make American cinema chains say they would not screen the film. Now, Sony has cancelled what was supposed to be the film’s Christmas Day release. Rob Lowe, one of its stars, said that Hollywood “has done Neville Chamberlain proud” by appeasing dictators. Jimmy Kimmel, a real-life US talk show host, denounced an “act of cowardice that validates terrorist actions and sets a terrifying precedent”. They have had a point. Hollywood has been defeated — and probably at the hands of tiny, bankrupt, crackpot North Korea. We can expect more of this. The phrase “cyberwar” may sound so fantastical as to have been drawn from a Bond script — but the war is real, and the West is losing. This debacle over The Interview is just the most spectacular example of the kind of conflict that has been going on for years.
The Pentagon ranks cyber as the fourth field of military conflict after land, sea and sky. British Prime Minister David Cameron’s National Security Strategy ranks it as one of the four largest threats to Britain. MI5’s remit now extends to helping companies guard against what it calls “hostile state cyberactivity”.
This is an invisible war, and one where the West is at a distinct disadvantage. The Russians and Chinese can spend all year developing better ways to steal secrets from their rivals in Britain, but it is illegal for us to consider how to counter-attack. Cameron has been generous with funding to Government Communications Headquarters (GCHQ), which has to think if it is desirable or even possible for Britain to work out how to turn the lights off in Beijing. But Britain observes laws, while its opponents do not. And diplomacy is impossible, because all of the attacks are deniable.
Take Russia: For some time, its legion of cyberwarriors have been menacing countries that the Kremlin wishes to destabilise. Just before the South Ossetian conflict in 2008, computer servers in Georgia came under sustained attack. Estonia was hit the year before. A few months ago, it emerged that the embassies of former Soviet bloc countries had been hacked for years by a collective known as Turla. But none of this is traceable to the Kremlin. When challenged, it suggests that patriotic hackers take matters into their own hands. And can a government be held responsible for rogue computer nuts?
Cyberattacks have become bolder and more brazen over the years, especially from China, which is understood to have devoted an entire military division to cyberespionage. The American prosecutors say they now have proof of Chinese soldiers operating from a Shanghai office block (named “Unit 61398”) spying on several American companies. A grand jury in Pennsylvania even named five Chinese military officers responsible, but the Chinese government denies it and blames random hackers. They exist, it says, even in America. So even when intelligence agencies have a detailed dossier of cybercrime, it is frustratingly hard to do anything with it. It is an unfair fight. Huge, bureaucratic western military forces are pitted against nimble, ever-mutating and lawless hackers. We struggle to accuse; they have no difficulty in denying. Bureaucracies are good at centralising information, but bad at securing it — which is why Bradley Manning, a bored private in the American Army, was able to pass so many secrets to Wikileaks.
No wonder Chinese hackers can find almost anything they like. The Israelis do all this best. They have a programme called Talpiot, which recruits the very brightest graduates to work on military computer systems. Francis Maude, the Cabinet Office Minister, was in Tel Aviv a few weeks ago, admiring how the Israeli government has managed to harness entrepreneurial talent — something that could, of course, be replicated in Britain.
Amid all the cuts, the cyber security budget has grown, and Britain is generally seen as being better than most western countries at this area of expertise. But that, alas, is not saying much. GCHQ estimates that about 80 per cent of cyber attacks in Britain are due to failure to implement basic internet security. Solving this is difficult because companies tend not to like sharing secrets with each other — preferring competition to collaboration. Nor do companies like admitting, even to their own staff, that they have been hacked. (Understandably: Sony is now being sued by staff who say it didn’t take enough care in keeping their personal details from the hackers).
But here, companies and spies are facing the same threat from the same people — and they are having to learn how to collaborate. Last year, analysts from MI5 and GCHQ set up the Cyber Information Sharing Partnership — a kind of corporate confessional, where businessmen can admit to their vulnerabilities and learn from each other. But they do so knowing that the hackers are learning at an even faster rate and thinking of newer ways to attack and destabilise.
In the old days, Sony might have roughed this out and declared that The Interview was a fine film, which it would stand by. But this time, its embarrassing truth has been exposed: Sony’s own executives think the film is a dud. Leaked emails show one damning The Interview as “desperately unfunny and repetitive” with “violence that would be shocking in a horror movie”. So the hackers pressed hard, because they knew there was a good chance that their victim would cave.
“No one should kid themselves,” grumbled Newt Gingrich, a former US House Speaker. “With the Sony collapse, America has lost its first cyberwar.” He is right, but until the West learns to fight, and how to work with companies in the firing line, this defeat will be the first of many.
— The Telegraph Group Limited, London, 2014