
Theorizing cyber coercion: The 2014 North Korean operation against Sony

Pages 898-926 | Published online: 11 Apr 2017
 

ABSTRACT

This article challenges the conventional wisdom that cyber operations have limited coercive value. It theorizes that cyber operations contribute to coercion by imposing costs and destabilizing an opponent’s leadership. As costs mount and destabilization spreads, the expected utility of capitulation surpasses that of continued defiance, leading the opponent’s leaders to comply with the coercer’s demands. The article applies this ‘cost-destabilization’ model to the 2014 North Korean cyber operation against Sony. Through cost imposition and leadership destabilization, the North Korean operation, despite its lack of physical destructiveness, caused Sony to make a series of costly decisions to avoid future harm.

Disclosure statement

No potential conflict of interest was reported by the author.

Notes

1 Robert Jervis, ‘Deterrence Theory Revisited’, World Politics 31/2 (1979), 289–324.

2 On earlier work see Michael Warner, ‘Cybersecurity: A Pre-History’, Intelligence and National Security 27/5 (2012), 781–99.

3 Elisabeth Bumiller and Thom Shanker, ‘Panetta Warns of Dire Threat of Cyberattack on U.S.’, New York Times, 11 Oct. 2012, <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html>.

4 Richard A. Clarke and Robert K. Knake, Cyber War (New York: Ecco 2010). Also see William J. Lynn III, ‘Defending a New Domain’, Foreign Affairs 89/5 (2010), 97–108.

5 Key second-phase works include Erik Gartzke, ‘The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth’, International Security 38/2 (2013), 41–73; Thomas G. Mahnken, ‘Cyberwar and Cyber Warfare’, in Kristin M. Lord and Travis Sharp (eds.), America’s Cyber Future: Security and Prosperity in the Information Age, Volume II (Washington, DC: Center for a New American Security 2011), 55–64, <https://www.files.ethz.ch/isn/129907/CNAS_Cyber_Volume%20II_2.pdf>; Lucas Kello, ‘The Meaning of the Cyber Revolution’, International Security 38/2 (2013), 7–40; and Keir A. Lieber, ‘The Offense-Defense Balance and Cyber Warfare’, in Emily O. Goldman and John Arquilla (eds.), Cyber Analogies (Monterey, CA: Naval Postgraduate School 2014), 96–107.

6 Lene Hansen and Helen Nissenbaum, ‘Digital Disaster, Cyber Security, and the Copenhagen School’, International Studies Quarterly 53/4 (2009), 1155–75.

7 The U.S. Department of Defense (2013, I-1) defines a cyber operation as ‘the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.’ Department of Defense, ‘Cyberspace Operations’, Joint Publication 3–12 (R), 5 Feb. 2013, I-1, <http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf>.

8 Thomas Rid, ‘Cyber War Will Not Take Place’, Journal of Strategic Studies 35/1 (2012), 5–32.

9 David J. Betz and Tim Stevens, ‘Analogical Reasoning and Cyber Security’, Security Dialogue 44/2 (2013), 147–64.

10 David E. Sanger, Confront and Conceal (New York: Crown Publishers 2012); and Kim Zetter, Countdown to Zero Day (New York: Crown Publishers 2014).

11 Jon R. Lindsay, ‘Stuxnet and the Limits of Cyber Warfare’, Security Studies 22/3 (2013), 365–404; and Jon R. Lindsay, ‘The Impact of China on Cybersecurity: Fiction and Friction’, International Security 39/3 (2014/2015), 7–47.

12 Brandon Valeriano and Ryan C. Maness, ‘The Dynamics of Cyber Conflict between Rival Antagonists, 2001–11’, Journal of Peace Research 51/3 (2014), 347–60; Timothy J. Junio, ‘The Politics and Strategy of Cyber Conflict’, PhD thesis, University of Pennsylvania, 2013; Jason Healey (ed.), A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, (Washington, DC: Cyber Conflict Studies Association 2013); Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38/1–2 (2015), 4–37; and Rebecca Slayton, ‘What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment’, International Security 41/3 (2016/2017), 72–109.

13 The article purposefully uses the term coercion because it endeavors to develop concepts applicable to both deterrence and compellence scenarios. The Sony incident was a compellence attempt.

14 Works on cyber coercion, not cyber war or cyber deterrence, include Peter D. Feaver, ‘Blowback: Information Warfare and the Dynamics of Coercion’, Security Studies 7/4 (1998), 88–120; Craig Neuman and Michael Poznansky, ‘Swaggering in Cyberspace: Busting the Conventional Wisdom on Cyber Coercion’, War on the Rocks, 28 June 2016, <http://warontherocks.com/2016/06/swaggering-in-cyberspace-busting-the-conventional-wisdom-on-cyber-coercion/>; and Benjamin M. Jensen, Brandon Valeriano, and Ryan C. Maness, ‘Cyber Victory: The Efficacy of Cyber Coercion’, Working paper, 2016, <http://www.brandonvaleriano.com/uploads/8/1/7/3/81735138/cyber_victory.pdf>.

15 Michael S. Rogers, ‘Implementing the Department of Defense Cyber Strategy’, Testimony before the Armed Services Committee, U.S. House of Representatives (Washington DC: Government Publishing Office 2016), 6, <https://www.gpo.gov/fdsys/pkg/CHRG-114hhrg97198/pdf/CHRG-114hhrg97198.pdf>.

16 Destructiveness refers to the ability to inflict physical damage on a scale comparable to an operation using conventional military force.

17 Erik Gartzke, ‘Fear and War in Cyberspace’, Lawfare, 1 Dec. 2013, <https://www.lawfareblog.com/foreign-policy-essay-erik-gartzke-fear-and-war-cyberspace>.

18 It is always difficult to disentangle how overlapping policies affect a single coercion outcome. But the debate should proceed by dissecting available evidence from actual cases.

19 As a clear cyber coercion attempt by an actor with a major power advantage, North Korea’s operation against Sony is a ‘most likely’ case. If the cost-destabilization model does not matter here, it probably will not matter anywhere. Harry Eckstein, Regarding Politics: Essays on Political Theory, Stability, and Change (Berkeley: University of California Press 1992), 152–60.

20 One might consider the 2007 cyber operation against Estonia to be another candidate case. However, the ambiguity surrounding the attacker means that it does not satisfy my known coercer plus known demand standard (see below). Stuxnet is another potential case, but it fails to meet the same condition, which is why most scholars consider it sabotage.

21 Jean-Jacques Rousseau and others described the stag hunt first. I am in no way comparing this article to those classics. Thomas C. Schelling, Arms and Influence (New Haven: Yale University Press 1966), 116–21; and Robert Jervis, ‘Cooperation Under the Security Dilemma’, World Politics 30/2 (1978), 167–214.

22 Amy Zegart, ‘Can Drones Coerce?’ Working paper (Stanford University 2016); and Jeremy Rabkin and John Yoo, Embracing the Machines: Drones, Cyberwar, and Coercion without Conquest (New York: Encounter Books 2017).

23 Schelling, Arms and Influence, 2.

24 Ibid., 3. Emphasis in original.

25 Not all scholars consider deterrence and compellence to be sub-types of coercion.

26 Daniel Kahneman and Amos Tversky, ‘Prospect Theory: An Analysis of Decision under Risk’, Econometrica 47/2 (1979), 263–91.

27 Glenn H. Snyder, Deterrence and Defense: Toward a Theory of National Security (Princeton: Princeton University Press 1961), 35–6.

28 David E. Johnson, Karl P. Mueller, and William H. Taft, Conventional Coercion Across the Spectrum of Operations (Santa Monica, CA: RAND Corporation 2002), 17, <http://www.rand.org/pubs/monograph_reports/MR1494.html>.

29 Patrick C. Bratton, ‘When Is Coercion Successful? And Why Can’t We Agree on It?’ Naval War College Review 58/3 (2005), 101.

30 James D. Morrow, ‘The Strategic Setting of Choices: Signaling, Commitment, and Negotiation in International Politics’, in David A. Lake and Robert Powell (eds.), Strategic Choice and International Relations (Princeton: Princeton University Press 1999), 77–114.

31 James D. Fearon, ‘Signaling Foreign Policy Interests: Tying Hands Versus Sinking Costs’, Journal of Conflict Resolution 41/1 (1997), 68–90.

32 For a skeptical take, see Jack Snyder and Erica D. Borghard, ‘The Cost of Empty Threats: A Penny, Not a Pound’, American Political Science Review 105/3 (2011), 437–56.

33 Richard J. Harknett, ‘The Logic of Conventional Deterrence’, Security Studies 4/1 (1994), 86–114.

34 The critiques can be found in Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009), 79–80, <http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf>; John B. Sheldon, ‘Deciphering Cyberpower: Strategic Purpose in Peace and War’, Strategic Studies Quarterly 5/2 (2011), 100; Brandon Valeriano and Ryan Maness, ‘The Fog of Cyberwar’, Foreign Affairs Online, 21 Nov. 2012, <https://www.foreignaffairs.com/articles/2012-11-21/fog-cyberwar>; Evgeny Morozov, ‘What Fearmongers Get Wrong About Cyberwarfare’, Slate, 28 May 2012, <http://www.slate.com/articles/technology/future_tense/2012/05/cyberwarfare_what_richard_clarke_and_other_fearmongers_get_wrong_.html>; Adam P. Liff, ‘Cyberwar: A New “Absolute Weapon”? The Proliferation of Cyberwarfare Capabilities and Interstate War’, Journal of Strategic Studies 35/3 (2012), 414, 421; Ryan Grauer, ‘Old Wine in New Bottles: The Nature of Conflict in the 21st Century’, The Whitehead Journal of Diplomacy and International Relations 14/1 (2013), 17; Gartzke, ‘The Myth of Cyberwar’, 43, 47, 60; Jon R. Lindsay and Erik Gartzke, ‘Coercion Through Cyberspace: The Stability-Instability Paradox Revisited’, in Kelly M. Greenhill and Peter J. Krause (eds.), Coercion: The Power to Hurt in International Politics (Oxford: Oxford University Press 2017), <http://deterrence.ucsd.edu/_files/LindsayGartzke_CoercionThroughCyberspace_DraftPublic1.pdf>; and Chris McGuffin and Paul Mitchell, ‘On Domains: Cyber and the Practice of Warfare’, International Journal 69/3 (2014), 397.

35 Alexander B. Downes and Todd S. Sechser, ‘The Illusion of Democratic Credibility’, International Organization 66/3 (2012), 475.

36 Todd S. Sechser, ‘Militarized Compellent Threats, 1918–2011’, Conflict Management and Peace Science 28/4 (2011), 380.

37 Forrest Hare, ‘The Significance of Attribution to Cyberspace Coercion: A Political Perspective’, 4th International Conference on Cyber Conflict, 2012, <https://ccdcoe.org/cycon/2012/proceedings/d2r1s2_hare.pdf>.

38 Downes and Sechser, ‘The Illusion of Democratic Credibility’, 475.

39 Zero-day exploits are system vulnerabilities that engineers have not found or fixed, giving defenders zero days to prepare before the attack hits. Stuxnet contained four zero-days, an unprecedented amount for one operation. Eric P. Oliver, ‘Stuxnet: A Case Study in Cyber Warfare’, in Panayotis A. Yannakogeorgos and Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace (New York: Taylor & Francis 2014), 129; and Leyla Bilge and Tudor Dumitras, ‘Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World’, Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012, 833, <https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf>.

40 Ben Buchanan, ‘The Life Cycles of Cyber Threats’, Survival 58/1 (2016), 39–58.

41 Schelling, Arms and Influence, 124.

42 Alex Weisiger and Keren Yarhi-Milo, ‘Revisiting Reputation: How Past Actions Matter in International Politics’, International Organization 69/2 (2015), 492.

43 Daniel R. Fleming and Neil C. Rowe, ‘Cyber Coercion: Cyber Operations Short of War’, Proceedings of the 10th International Conference on Cyber Warfare and Security, 2015, 3, <http://faculty.nps.edu/ncrowe/oldstudents/flemming_iccws15.htm>.

44 National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (Washington, DC: National Academies Press 2009).

45 Robert Jervis, ‘Getting to Yes with Iran’, Foreign Affairs 92/1 (2013), 109.

46 Neil C. Rowe, ‘Towards Reversible Cyberattacks’, Proceedings of the 9th European Conference on Information Warfare and Security, 2010, 6, <http://faculty.nps.edu/ncrowe/rowe_eciw10.htm>.

47 Thomas C. Schelling, The Strategy of Conflict (Cambridge, MA: Harvard University Press 1960), 34–5.

48 Andrew W. Marshall, Problems of Estimating Military Power (Santa Monica, CA: RAND Corporation 1966), 2, <https://www.rand.org/content/dam/rand/pubs/papers/2005/P3417.pdf>.

49 Gartzke, ‘The Myth of Cyberwar’, 68.

50 Neil C. Rowe, ‘Personal email message to author’, 20 November 2015.

51 See, for example, Alexander L. George, David K. Hall, and William E. Simons, The Limits of Coercive Diplomacy (Boston: Little, Brown and Company 1971), 279–88; Barry M. Blechman and Stephen S. Kaplan, Force without War (Washington, DC: The Brookings Institution 1978), 96–7; John J. Mearsheimer, Conventional Deterrence (Ithaca: Cornell University Press 1983), 28–66, 203–8; Robert A. Pape, Bombing to Win: Air Power and Coercion in War (Ithaca: Cornell University Press 1996), 10; and Daniel Byman and Matthew Waxman, The Dynamics of Coercion (New York: Cambridge University Press 2002), 30–46.

52 John O. Brennan, ‘Remarks at the Center for Strategic and International Studies Global Security Forum’, Washington, DC, 16 November 2015, <https://www.cia.gov/news-information/speeches-testimony/2015-speeches-testimony/brennan-remarks-at-csis-global-security-forum-2015.html>.

53 Bradley A. Thayer, ‘The Political Effects of Information Warfare: Why New Military Capabilities Cause Old Political Dangers’, Security Studies 10/1 (2007), 57.

54 Kristin M. Lord and Travis Sharp, America’s Cyber Future: Security and Prosperity in the Information Age, Volume I (Washington, DC: Center for a New American Security 2011), 36, <https://s3.amazonaws.com/files.cnas.org/documents/CNAS_Cyber_Volume-I_0.pdf>.

55 Michael S. Schmidt and David E. Sanger, ‘Russian Hackers Read Obama’s Unclassified Emails, Officials Say’, New York Times, 25 Apr. 2015, <http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html>.

56 I thank my colleague John-Michael Arnold for sharing this observation.

57 Abby Phillip, ‘North Korea Threatens “Merciless” Retaliation over James Franco and Seth Rogen Assassination Comedy’, Washington Post, 25 June 2014, <https://www.washingtonpost.com/news/worldviews/wp/2014/06/25/north-korea-threatens-merciless-retaliation-over-james-franco-and-seth-rogen-assassination-comedy/>.

58 Nigel Inkster, ‘Cyber Attacks in La-La Land’, Survival 57/1 (2015), 106.

59 Risk Based Security, ‘A Breakdown and Analysis of the December, 2014 Sony Hack’, <https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/>.

60 Ken E. Gause, North Korea’s Provocation and Escalation Calculus: Dealing with the Kim Jong-un Regime (Arlington, VA: CNA 2015), 36, <https://www.cna.org/cna_files/pdf/COP-2015-U-011060.pdf>.

61 Brett Arnold, Michael B. Kelley, and Aly Weisman, ‘Sony Just Canceled the Dec. 25 Release of “The Interview”’, Business Insider, 17 Dec. 2014, <http://www.businessinsider.com/reports-top-movie-theater-chains-just-caved-to-sony-hackers-2014-12>.

62 The leadership destabilization subsection below has several examples.

63 David Goldman and Jose Pagliery, ‘New York Cinema Cancels “The Interview” Premiere after Hackers’ Threat’, CNN Money, 29 Dec. 2014, <http://money.cnn.com/2014/12/16/technology/security/sony-hackers/>.

64 Federal Bureau of Investigation, Update on Sony Investigation, 19 Dec. 2014, <https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation>. The Obama administration revealed that the National Security Agency had penetrated North Korea’s networks for years, so it had proof Pyongyang was culpable. David E. Sanger and Martin Fackler, ‘N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say’, New York Times, 18 Jan. 2015, <http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html>.

65 David E. Sanger, Michael S. Schmidt, and Nicole Perlroth, ‘Obama Vows a Response to Cyberattacks on Sony’, New York Times, 19 Dec. 2014, <http://www.nytimes.com/2014/12/20/world/fbi-accuses-north-korean-government-in-cyberattack-on-sony-pictures.html>.

66 Stephen Haggard and Jon R. Lindsay, North Korea and the Sony Hack: Exporting Instability Through Cyberspace (Honolulu, HI: East-West Center 2015), 3, <http://www.eastwestcenter.org/system/tdf/private/api117.pdf?file=1&type=node&id=35164>.

67 Department of Homeland Security and Federal Bureau of Investigation, ‘November 2014 Cyber Intrusion on USPER I and Related Threats’, Joint Intelligence Bulletin, 24 Dec. 2014, <https://firstlook.org/wp-uploads/sites/1/2014/12/DEC-24-JIB-Intercept.pdf>.

68 The case probably also satisfies the stricter Downes-Sechser standard because the coercer’s identity and demand became relatively explicit.

69 Two million people watched the movie online. I estimate that approximately one million people watched the movie in theaters, based on the following assumptions. An average movie theater has 225 seats per screen and shows each new movie four times per day. If all the showings sold out over the four-day holiday weekend – an unrealistically generous estimate – then 1.2 million people watched the movie in theaters. Zachary M. Seward, ‘Everything We Know About How People Watched “The Interview” and What It Means for the Future of Internet Video’, Quartz, 30 Dec. 2014, <http://qz.com/319387/everything-we-know-about-how-people-watched-the-interview-and-what-it-means-for-the-future-of-internet-video/>; and Dan Ackman, ‘Movie Theaters of the Absurd’, Forbes, 2 Mar. 2001, <http://www.forbes.com/2001/03/02/0302movies.html>.

70 If each 225-person showing is only half full (because there is no cyber operation and thus no media attention in this counterfactual), then 2,000 screens yields 3.6 million viewers over the four-day weekend. I assume a constant level of illegal movie views, which was estimated at 1.5 million for the holiday weekend. Brooks Barnes and Michael Cieply, ‘Sony, in About-Face, Will Screen “The Interview” in a Small Run’, New York Times, 23 Dec. 2014, <http://www.nytimes.com/2014/12/24/business/media/sonys-the-interview-will-come-to-some-theaters-after-all.html>.

71 Seward, ‘Everything We Know About How People Watched “The Interview”’.

72 Dave McNary, ‘“The Interview” Will Lose $30 Million, “Not a Game-Changer,” Says NATO’, Variety, 16 Jan. 2015, <http://variety.com/2015/film/news/the-interview-will-lose-30-million-not-a-game-changer-says-nato-1201407514/>.

73 Sony Corporation, ‘Consolidated Financial Results for the Fiscal Year Ended 31 March 2015’, No. 15-039E, 30 Apr. 2015, 5, <http://www.sony.net/SonyInfo/IR/library/fr/14q4_sony.pdf>.

74 Nash Information Services, ‘Box Office History for Sony Pictures’, The-Numbers.com, <http://www.the-numbers.com/market/distributor/Sony-Pictures>.

75 Richard Verrier, Ryan Faughnder, and Brian Bennett, ‘Sony Scraps “The Interview” Release’, Los Angeles Times, 17 Dec. 2014, <http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-box-office-20141218-story.html>.

76 Bernard Condon, Eric Tucker, and Mae Anderson, ‘The North Korea-Linked Sony Hack May Be Costliest Ever for A U.S. Company’, Associated Press, 18 Dec. 2014, <http://www.businessinsider.com/the-north-korea-linked-sony-hack-may-be-costlier-ever-for-a-us-company-2014-12>.

77 Nate Raymond, ‘Sony to Pay Up to $8 Million in “Interview” Hacking Lawsuit’, Reuters, 20 Oct. 2015, <http://www.reuters.com/article/2015/10/20/us-sony-cyberattack-lawsuit-idUSKCN0SE2JI20151020>. The first lawsuits were filed 15 December 2014, as the operation was still occurring, so the resulting payouts could be reasonably anticipated and thus count as proof of the mechanism.

78 While SPE recovered some of the losses through insurance, its leaders could not guarantee this outcome as the operation was occurring, meaning losses still would have affected their decision making.

79 Gavin J. Blair, ‘Sony Pictures Posts Hack-Delayed Quarterly Profit of $51 Million’, The Hollywood Reporter, 17 Mar. 2015, <http://www.hollywoodreporter.com/news/sony-pictures-confirms-hack-delayed-782423>.

80 Kevin Roose, ‘Inside Sony Pictures, Employees Are Panicking about Their Hacked Personal Data’, Fusion, 3 Dec. 2014, <http://fusion.net/story/31116/inside-sony-pictures-employees-are-panicking-about-their-hacked-personal-data/>.

81 Mark Seal, ‘An Exclusive Look at Sony’s Hacking Saga’, Vanity Fair, 28 Feb. 2015, <http://www.vanityfair.com/hollywood/2015/02/sony-hacking-seth-rogen-evan-goldberg>.

82 Sheila Marikar, ‘I Work at Sony Pictures. This Is What It Was Like After We Got Hacked’, Fortune, 20 Dec. 2014, <http://fortune.com/2014/12/20/sony-pictures-entertainment-essay/>.

83 Seal, ‘An Exclusive Look at Sony’s Hacking Saga’.

84 Kevin Roose, ‘Hacked Documents Reveal a Hollywood Studio’s Stunning Gender and Race Gap’, Fusion, 1 Dec. 2014, <http://fusion.net/story/30789/hacked-documents-reveal-a-hollywood-studios-stunning-gender-and-race-gap/>.

85 Matthew Zeitlin, ‘Scott Rudin On Obama’s Favorite Movies: “I Bet He Likes Kevin Hart”’, BuzzFeed, 10 Dec. 2014, <http://www.buzzfeed.com/matthewzeitlin/scott-rudin-on-obama-i-bet-he-likes-kevin-hart>.

86 Seal, ‘An Exclusive Look at Sony’s Hacking Saga’.

87 Barack H. Obama, ‘Remarks by the President in Year-End Press Conference’, Washington, DC, 19 Dec. 2014, <https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference>.

88 Seal, ‘An Exclusive Look at Sony’s Hacking Saga’.

89 Michael Cieply and Brooks Barnes, ‘Amy Pascal Lands in Sony’s Outbox’, New York Times, 5 Feb. 2015, <http://www.nytimes.com/2015/02/06/business/amy-pascal-leaving-as-sony-studio-chief.html>.

90 Claire Atkinson, ‘Sony’s Lynton Looks to Shuffle Executive Team Post-Pascal’, New York Post, 5 Feb. 2015, <http://nypost.com/2015/02/05/sonys-lynton-looks-to-shuffle-executive-team-post-pascal/>.

91 Former U.S. National Security Agency analyst Charlie Miller estimated that North Korea spends $56 million annually on ‘cyber warfare.’ The marginal cost of the operation was only a fraction of this amount. Charlie Miller, ‘Kim Jong-Il and Me: How to Build a Cyber Army to Attack the U.S.’, Def Con 18, 2010, 8, <https://www.defcon.org/images/defcon-18/dc-18-presentations/Miller/DEFCON-18-Miller-Cyberwar.pdf>; and Todd Vanderwerff and Timothy B. Lee, ‘The 2014 Sony Hacks, Explained’, Vox, 3 June 2015, <http://www.vox.com/cards/sony-hack-north-korea>.

92 Though North Korea may not have appeared proficient in other, unrelated cases, its penetration of Sony’s systems made it appear proficient to Sony.

93 The United States had already penetrated North Korean networks prior to the cyber operation, which at worst elicited only further penetration. Haggard and Lindsay, North Korea and the Sony Hack, 3.

94 Adam Entous, Ellen Nakashima, and Greg Miller, ‘Secret CIA Assessment Says Russia Was Trying to Help Trump Win White House’, Washington Post, 9 Dec. 2016, <https://www.washingtonpost.com/world/national-security/obama-orders-review-of-russian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d324840106c_story.html>.

95 In other words, the target (United States) had less certainty about the coercer’s demand, as shown in . Ellen Nakashima and Adam Entous, ‘FBI and CIA Give Differing Accounts to Lawmakers on Russia’s Motives in 2016 Hacks’, Washington Post, 10 Dec. 2016, <https://www.washingtonpost.com/world/national-security/fbi-and-cia-give-differing-accounts-to-lawmakers-on-russias-motives-in-2016-hacks/2016/12/10/c6dfadfa-bef0-11e6-94ac-3d324840106c_story.html>.

96 Sanger, Confront and Conceal, x–xii, 202; and Zetter, Countdown to Zero Day, 348.

Additional information

Notes on contributors

Travis Sharp

Travis Sharp is a PhD candidate in security studies at Princeton University’s Woodrow Wilson School of Public and International Affairs. He is the coeditor, with Kristin M. Lord, of America’s Cyber Future: Security and Prosperity in the Information Age (Washington, DC: Center for a New American Security 2011). He thanks Aaron Friedberg, Tom Christensen, Chris Chyba, John-Michael Arnold, Omar Bashir, Alex Bollfrass, Rebecca Gong Sharp, Audrye Wong, and participants in Princeton University’s International Relations Seminar for feedback on earlier versions of this article.
