MELISSA BLOCK, HOST:
The White House is considering what it calls a proportional response to the cyberattack on Sony Pictures. Intelligence officials have privately said North Korea is behind the hack. Today White House spokesman Josh Earnest stopped short of naming North Korea, but he added...
(SOUNDBITE OF NEWS CONFERENCE)
JOSH EARNEST: This is something that is being treated as a serious national security matter. There is evidence to indicate that we have seen destructive activity with malicious intent that was initiated by a sophisticated actor.
BLOCK: It's believed the attack is retaliation for Sony's movie "The Interview." It's a comedy in which a couple of journalists are asked by the CIA to assassinate North Korean leader Kim Jong-un. We'll hear about the cost of Sony's decision to cancel the movie's theatrical release just ahead, but first, what's known about North Korea's ability to launch cyberattacks? I put that question to James Lewis. He's with the Center for Strategic and International Studies, specializing in international security in cyberspace.
JAMES LEWIS: North Korea's been building a cyberattack capability for more than a decade and currently their (unintelligible) put a lot of money into building an IT industry, people who knew about software. It's part of their intelligence agency. There's probably several-thousand North Korean government employees who practice hacking every day. And they've gotten better every year. They've gone out of their way to learn new techniques, acquire tools from the black market and they practice against South Korea on a regular basis. So the amazing thing about this attack is not only the duration and the vindictiveness, but the improvement in a North Korean capabilities that we've seen.
BLOCK: And in the past what have been the motives of North Korea's hacks? When you mentioned they've been practicing on South Korea, what have they been trying to do?
LEWIS: They follow a political agenda and so sometimes people get confused and they call it cyber war. This is not warfare. This is politics. The North Koreans are very touchy about their leaders and if the South Koreans say something that offends them. But they've gone after banks, television stations, newspapers, government agencies. It's part of a larger political campaign to either soften up the South Koreans in preparation for talks, or to make a political point or to defend their leader's reputation.
BLOCK: This is obviously a different thing, a blurrier line, right? A foreign attack not on U.S. infrastructure or the U.S. government, but a private company, Sony Pictures, a Japanese company based in the United States.
LEWIS: One of the things that we've seen develop over the last couple years is that a number of these countries like Russia, Iran, Syria and now North Korea have figured out they can use cyberattack as a political tool to manipulate public opinion, to damage their opponents. And so what's interesting is the North Koreans, who've done this four or five times against the South in the last few years, felt bold enough to do it against an American target. Some of that has to do with the subject of the film. This is sacrilege in North Korea, to portray the assassination of their leader, who has a godlike status. And that was apparently enough to send them over the edge and have them go against Sony. So I think we can expect to see things like this in the future.
BLOCK: What do you think the broader implications of this are? I mean what does it say if North Korea did engineer this hack and then through these threats forced a huge company to capitulate? Where does this go?
LEWIS: We've sort of seen this coming for a while. The FBI said last year they notified 3,000 American companies that they had been hacked. It's incredible. And this is the most dramatic in some ways because it wasn't done for commercial motives. It was done for political reasons. And we have not built, nationally, the defenses we need to protect ourselves. We don't have international agreement on what is stability in cyberspace. Although the administration has done a pretty good job of trying to get that. We're not in a place where we can say this is an infrastructure we depend on and it's safe to use. It's not safe to use. And this is what I do - and I've done it ever since I worked for the government. We used to call it The New York Times test. When I write an email, I ask myself how would I feel if this email appeared on the front page of The New York Times? Company executives need to start thinking that. And they need to maybe put a little more attention into cyber security than they have in the past.
BLOCK: Beyond companies though, you're talking about national defenses. You're formally with the State and Commerce Departments. What do you think the U.S. response should be or will be?
LEWIS: So no country has good cyber defenses. I guess that should make us feel a little better. But recently the administration has launched an initiative to improve critical infrastructure protection coming up with a cyber security framework. But our problem is we just move really, really slow so the cyber security framework will take years to implement. We don't have a good way to track whether it's working or not or who's actually doing it. So we've kind of done this in a haphazard fashion and people have just underestimated the risks we face. There's a whole debate. We don't want to be regulated, I get that. But maybe when it comes to national security, we're going to have to think about how we do this in a better way.
BLOCK: James Lewis directs the Strategic Technologies Program with the Center for Strategic and International Studies here in Washington.
Mr. Lewis, thanks.
LEWIS: Thanks very much.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.