Page 46 - index
P. 46
No, It Was Not Cyber Terrorism
Why the Attack on attack on Sony Pictures Entertainment (SPE) Was Not Terrorism
by Edwin Covert, CISSP, CISM, CRISC
The recent attack on Sony Pictures Entertainment (SPE) has garnered a lot of attention, both in the
popular media (Katersky & Newcomb, 2015) and in the cybersecurity press (Krebs, 2014). While
there is ample debate about who attacked SPE, much of speculation centers on North Korea. I am
not going to dispute any of the evidence either for or against the Hermit Kingdom. My dog in this
fight focuses on this: Those who call it cyberterrorism; it was not a cyberterrorist attack.
A (Short) Timeline
The Guardian (Shoard, 2014) website has a good timeline of the events leading up to the attack on
SPE. In the early part of the summer of 2014, after Sony released the first trailer for The Interview,
North Korea began protesting on the international stage about the movie (Shoard, 2014). These
protestations continued through the rest of the summer and into early autumn. In November, SPE
announced it had been hacked by a group called Guardians of Peace (Shoard, 2014). In December,
the FBI announced it had evidence connecting the North Korean government to the
attack (Laughland & Rushe, 2014). However, others have suggested that an insider was
responsible for the attack (Spargo, 2014). Companies such as Norse (CBS Interactive, 2014) and
CloudFlare (Rogers, 2014) both cited technical evidence to back up their claims.
Was It Cyberterrorism?
When people use the word terrorism, instinctively we understand what that word connotes: the 2001
attacks on the Pentagon and the World Trade Center, the transportation bombings in London and
Madrid, the Achille Lauro hijacking, or the Black September attack at the Munich Olympics..
Constant use of the word "terrorism" has led to people believing that terrorists using computers are
automatically cyberterrorists (Mueller, 2012). This is not the case.
The US Department of State defines terrorism as “premeditated, politically motivated violence
perpetrated against noncombatant targets by subnational groups or clandestine agents, usually
intended to influence an audience” (US Department of State, 2012). While others have provided
variations on this theme, I use Hoffman’s (2006) definition as the standard: a calculated use of
violence or the threatened use to force a political change by non-state actors. Simply “being” in
cyberspace does not satisfy either definition of terrorism.
"Cyberterrorism is non-state entities using computers or information systems to cause politically
motivated damage or destruction to information, computer systems, and/or computer programs that
could result in violence or the threat of violence against innocent people.(Conway, 2002). In this
vein, Ahmad and Yunos (2012) describe five key criteria an act of cyberterrorism must satisfy. The
act must:
Be motivated to change policy and lead to death or injury
46 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
