TIME foreign affairs

The Government Must Show Us the Evidence That North Korea Attacked Sony

President Obama Holds News Conference At The White House
President Barack Obama holds a press conference during which he discussed Sony Pictures' decision not to release "The Interview" in wake of the alleged North Korean hacking scandal at The White House on December 19, 2014 in Washington, DC. Leigh Vogel—WireImage

Bruce Schneier is a security technologist and fellow at the Berkman Center for Internet and Society at Harvard Law School.

American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong

When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the U.S. government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren’t convinced. This implies that there’s classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, “The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq’s weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.”

The NSA is extremely reluctant to reveal its intelligence capabilities — or what it refers to as “sources and methods” — against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government’s unequivocal attribution of the attack without seeing the evidence. Iraq’s mythical weapons of mass destruction is only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don’t come with return addresses, and you can never be sure that what you think is the originating computer hasn’t itself been hacked. Even worse, it’s hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it’s usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it’s in the U.S.’s best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the U.S.: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the U.S. has been cagey about whether it caused North Korea’s Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we’re expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA’s sources and methods is going to have to take a backseat to the public’s right to know. And in cyberspace, we’re going to have to accept the uncomfortable fact that there’s a lot we don’t know.

Bruce Schneier is a security technologist, a fellow at the Berkman Center for Internet and Society at Harvard Law School and the CTO of Co3 Systems Inc. He blogs at schneier.com and tweets at @schneierblog.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

MONEY privacy

Security Flaws Let Hackers Listen in on Calls

German researchers say the network that allows cellphone carriers to direct calls to one another is full of security holes.

TIME intelligence

New NSA Privacy Chief Promises Transparency

NSA Surveillance-Privacy Report
The National Security Agency campus in Fort Meade, Md., June 6, 2013. Patrick Semansky—AP

In a Q&A online, Rebecca Richards promised a new era in transparency at the United States’ eavesdropping agency

The National Security Agency’s newly appointed Civil Liberties & Privacy Officer Rebecca Richards said Monday in an online Q& A she hopes to inject a sense of transparency into the secretive spy agency.

“Until somewhat recently, relatively little information about NSA was public. And the information that was made available rarely discussed the safeguards in place to protect civil liberties and privacy,” Richards said. “One of my goals is to share what NSA does to protect civil liberties and privacy. This will take time, but we must start somewhere.”

Richards conducted an online question and answer session Monday through the website of the Office of the Director of National Intelligence. Richards position was create earlier this year following recommendations from the White House on privacy reforms within the NSA. Those recommendations were made in response to revelations of privacy violations contained in documents leaked by former NSA contractor Edward Snowden.

Much of her Q&A was little more than a defense of the agency but Richards did identify her four primary goals as privacy chief.

  1. Advise NSA leadership including the director.
  2. Build systematic and holistic civil liberties and privacy processes.
  3. Improve civil liberties and privacy protections through research, education, and training.
  4. Increase transparency.

Richards also revealed that the NSA is preparing to launch a privacy and civil liberties internship or work exchange program as part of its privacy initiative.

TIME Bill Cosby

Morning Must Reads: November 21

Capitol
The early morning sun rises behind the US Capitol Building in Washington, DC. Mark Wilson—Getty Images

Obama Unveils Immigration Plan

President Barack Obama announced on Thursday night he is granting temporary legal status and work permits to almost 5 million undocumented immigrants living in the U.S. illegally, the largest single immigration action in modern American history

Behind Bill Cosby’s Silence

The comedian and his wife Camille have largely been reticent about sexual-allegations directed at him. History tells us why this silence is oppressive

Forecasters Warn of Rain in N.Y.

After relentless snowfall blanketed much of western New York this week, officials warned on Thursday that a new danger is now threatening the area — rain

NSA Warns Cyber Attacks Could Cripple U.S. Infrastructure

NSA director Mike Rogers said U.S. adversaries are performing electronic “reconnaissance” on a regular basis so that they can be in a position to disrupt the industrial control systems that run everything from chemical facilities to water treatment plants

World Heads Toward Warmest Year Ever

October marked the fifth month to break worldwide heat records. The National Oceanic and Atmospheric Administration announced on Thursday that the average global temperature for October was 58.43ºF (14.74ºC)

U.S. to Up Nonlethal Aid to Ukraine, Says Report

Washington is ready to increase its delivery of nonlethal aid to the Ukrainian government, but will refrain from furnishing Kiev with weapons to use in its fight against pro-Russian forces in the country’s southeast, according to a Reuters report citing unnamed U.S. officials

University of California Approves Steep Tuition Hike

Tuition at University of California schools could rise by as much as 28% by 2019 under a plan approved on Thursday. The vote by the system’s board pitted top state officials, including Governor Jerry Brown, against those who run the UC’s 10 campuses

Michael Brown Sr. Urges Calm Ahead of Grand Jury

The father of Michael Brown, the black teenager shot by a police officer in Ferguson, Mo., this summer, has asked people not to “hurt others” or “destroy property” ahead of a grand jury decision into whether the officer will be indicted in the killing

Suicide Helpline Aims to Help Transgender People

On 2014’s annual day of remembrance for transgender victims of violence, Trans Lifeline, a crisis hotline staffed entirely by transgender people, aims to help transgender people struggling with depression or suicidal thoughts

How TIME Reviewed the Work of Mike Nichols

The Oscar-winning director, who died on Wednesday aged 83, first appeared in TIME in 1958 as he was becoming famous as a comedian. But after Hollywood came calling, his movies got rave reviews from our critics — with one or two notable exceptions

Zoolander Will Return, With Penelope Cruz Attached

The Spanish actress will bring her finest Blue Steel to Ben Stiller’s long anticipated sequel to his 2001 supermodel comedy. No word yet on whether Will Ferrell and Owen Wilson will return for the follow-up, which is reportedly set in Europe

Oakland Raiders Win First Game Since 2013

The Raiders used a 17-play touchdown drive and a late defensive stop to pull off the shocking upset, 24-20. It was their first victory since a 28-23 triumph at Houston on Nov. 17 of last season

We will hold an #AskTIME subscriber Q&A today, Friday, November 21, at 1 p.m., with TIME Washington bureau chief, Michael Scherer, who wrote this week’s story on America’s New Anchor, Jorge Ramos of Noticiero Univision. His other stories can be found here.

You can submit your questions beforehand on Twitter using the #AskTIME hashtag or in the comments of this post. We depend on smart, interesting questions from readers.

You will need to be a TIME subscriber to read the Q & A. ($30 a year or 8 cents a day for the magazine and all digital content.) Once you’re signed up, you can log in to the site with a username and password.

Get TIME’s The Brief e-mail every morning in your inbox

TIME intelligence

Tech Firms Push NSA Reform Bill as Senate Vote Approaches

The USA FREEDOM Act still faces challenges from both sides

In an open letter to U.S. Senators a powerful coalition of technology companies including Google, Apple, Facebook and others called for passage of the USA FREEDOM Act surveillance reform package as Sen. Harry Reid scheduled a vote to advance the measure Tuesday.

“The Senate has the opportunity to send a strong message of change to the world and encourage other countries to adopt similar protections,” wrote CEOs of the companies comprising the Reform Government Surveillance coalition. The CEOs called the bill “bipartisan” and said it “protects national security and reaffirms America’s commitment to the freedoms we all cherish.” Signatories to the letter include Facebook’s Mark Zuckerberg, Apple’s Tim Cook, Google’s Larry Page, Microsoft’s Satya Nadella, Twitter’s Dick Costolo and others.

The USA FREEDOM Act is a package of changes to the way the U.S. National Security Agency conducts mass surveillance of American citizens chiefly sponsored by Judiciary Committee chair Sen. Patrick Leahy (D—VT). Debate over the issue accelerated a year and a half ago after leaks from former NSA contractor Edward Snowden revealed vast non-public surveillance programs and duplicity on the part of some officials about the extent of the programs.

U.S. Senate Majority Leader Harry Reid (D—Nevada) called for a cloture vote on Tuesday to end debate. Cloture requires a 60-vote majority is likely to be the biggest hurdle the legislation would face on its path out of Congress.

Though major interest groups, including the American Civil Liberties Union, the Electronic Frontier Foundation and the President’s own surveillance reform task force have backed the compromise legislation passage is anything but certain. Intelligence Committee chair Sen. Dianne Feinstein (D—CA) is reported to have reservations about the bill and other surveillance hawks have expressed outright hostility toward the measure. On the other side of the issue, libertarian-leaning Sen. Rand Paul has said he will oppose the bill for not going far enough to rein the NSA.

In current form the bill puts new limits on the NSA’s ability legally to gather up bulk U.S. phone meta-data and installs special privacy advocates in the Foreign Intelligence Surveillance Court, the body that oversees and authorizes NSA activities. The measure also forbids the NSA from storing data it collects in its own computers, instead requiring telecom companies to retain the data for up to five years. Some critics say the measure puts onerous restrictions on the NSA’s ability to protect Americans from harm. Others say the bill actually codifies and formalizes surveillance practices that once existed in a legal grey area.

“This is a first step in surveillance reform. This is by no means the whole kit and caboodle,” Director of the ACLU’s Washington Legislative Office Laura Murphy tells TIME. “For over the last decade we’ve been empowering government with more and more capabilities to surveil with less and less protections for its citizens. This legisaition would mark a departure from the trajectory since 9-11. We think it’s a very important first step.”

TIME movies

Joseph Gordon-Levitt Will Play Edward Snowden in New Movie

"White Bird In A Blizzard" - Los Angeles Premiere
Actor Joseph Gordon-Levitt attends the premiere of "White Bird in a Blizzard" at ArcLight Hollywood on October 21, 2014 in Hollywood, California. Jason LaVeris—FilmMagic/Getty Images

Backers confirm the casting choice

Producers confirmed Monday that Joseph Gordon-Levitt will play Edward Snowden in the Oliver Stone movie set to start shooting in Munich in January.

The casting choice has been rumored since September, but was finally confirmed today, just two months before the film is set to begin filming, the Guardian reports.

Oscar-winning director Oliver Stone wrote the screenplay based on two books about Snowden and NSA surveillance (The Snowden Files: The Inside Story of the World’s Most Wanted Man by Luke Harding and Time of the Octopus by Anatoly Kucherena) and reportedly sought out independent production companies Open Road and Endgame in order to protect the production from political pressures.

TIME Terrorism

Facebook and Twitter Are ‘Command-and-Control Networks’ for Terrorists

Spy chief: U.S. technology companies are in denial over the extent they aid terror and crime

The head of Britain’s equivalent of the NSA has said that U.S. technology firms that dominate the Internet must contribute more to the battle against violent extremism and child exploitation.

Robert Hannigan, the new head of Government Communications Headquarters, has accused Internet firms of being “in denial” over the role they play in crime and terrorism, demanding they work with security services to combat the growth of groups like the Islamic State of Iraq and Greater Syria (ISIS).

Writing in the Financial Times on Tuesday, Hannigan says that unlike other extremist groups, including al-Qaeda, ISIS has “embraced the web” and grown increasingly savvy in improving the security of their communications.

While technology companies may aspire to stand outside politics, their services increasingly facilitate crime and terrorism, argues Hannigan. “However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us,” he adds.

He says U.K. security agencies need better support from “the largest U.S. technology companies which dominate the web” and calls for greater cooperation, adding that most Internet users would prefer “a better, more sustainable relationship between the agencies and the technology companies.”

[FT]

TIME National Security

Postal Service Approved 50,000 Requests to Track U.S. Mail, Report Says

US Postal Service Mail Delivery Ahead Of Second-Quarter Results
U.S. Postal Service delivery trucks sit at the Brookland Post Office in Washington, D.C. on May 9, 2013. Bloomberg—Getty Images

An internal audit raised concerns over mail-tracking oversight

The United States Postal Service (USPS) approved some 50,000 requests from law enforcement officials and its own inspectors in 2013 to track Americans’ mail for security and criminal purposes, a New York Times report revealed Monday.

An internal 2014 USPS audit cited by the Times suggested that the protocol for approving the tracking of U.S. mail suffered from a number of flaws, as some requests to track mail were approved without adequate oversight while others didn’t receive immediate attention.

“Insufficient controls could hinder the Postal Inspection Service’s ability to conduct effective investigations, lead to public concerns over privacy of mail and harm the Postal Service’s brand,” the report found.

Read the full story in the New York Times

TIME movies

REVIEW: Citizenfour Is This Halloween’s Scariest Chiller

Radius/The Weinstein Company

Edward Snowden is both the ghost and the hero of Laura Poitras' documentary about blowing the whistle on the spooks at the NSA

In December 2012, a mysterious person known only as Citizenfour contacted documentary filmmaker Laura Poitras with promises of important revelations about the U.S. government’s spy apparatus. Before they met, Citizenfour sent her this warning: “For now, know that every border you cross, every purchase you make, every call you dial, every cell-phone tower you pass, friend you keep, site you visit and subject line you type is in the hands of a system whose reach is unlimited but whose safeguards are not.”

As Edward Snowden typed that email, was he humming the 1983 Police song “Every Breath You Take” and transposing Sting’s threat of an ex-lover’s surveillance to the National Security Agency? (“Every single day/ Every word you say/ Every game you play, every night you stay/ I’ll be watching you.”) Snowden, an IT analyst under contract with the consulting firm Booz Allen Hamilton, had downloaded thousands of NSA documents to present to journalists he could trust to sift through the material and publish what was pertinent. This included Poitras and political gadfly Glenn Greenwald, with Greenwald’s Guardian colleague Ewen MacAskill soon joining them in a Hong Kong hotel room.

The news stories from this cache stash revealed a program monitoring the phone calls and social media of U.S. citizens, and earned the 30-year-old Snowden runner-up status as TIME’s Person of the Year for 2013. (He lost to the Pope, who gets his inside information from an even higher source.) For his service, the U.S. government charged Snowden with espionage, invalidated his passport and stranded him in Moscow’s Sheremetyevo Airport for 5½ weeks, before he found temporary asylum in Russia, because no other country would challenge U.S. pressure and accept him as a political refugee. Snowden must believe that, for the rest of his days abroad, they’ll be watching him.

Moviegoers will too, through Hollywood’s lens. Oliver Stone is preparing The Snowden Files, possibly starring Joseph Gordon-Levitt and based on a biography by the Guardian‘s Luke Harding (which Greenwald called “a bullshit book” because Harding didn’t speak to Snowden). Sony Pictures has an option to make a movie of Greenwald’s No Place to Hide.

But for the pure, driven Snowden, you must see Citizenfour, an inside view from a filmmaker who is also familiar with government pressure in the Land of the Free: for her 2006 doc My Country, My Country, about a Sunni physician and democracy advocate in U.S.-occupied Iraq, Poitras earned a spot on the Department of Homeland Security’s “watch list.” (Every breath you take, every call you make …) Focusing on the eight days in June 2013 when Snowden first spilled his and his computer’s guts to the three journalists in his 10th-floor room at the Mira Hotel, this is a fascinating, edifying and creepy record of history in the making.

Why Citizenfour? Here’s a wild guess: Snowden sees himself as the latest American — following Daniel Ellsberg with the Pentagon Papers, William Binney for his 2002 NSA whistle-blowing and Bradley (now Chelsea) Manning with the WikiLeaks documents — to risk his liberty by revealing U.S. government secrets. (Ellsberg, like Snowden, was charged under the 1917 Espionage Act, before being acquitted. Manning, accused of “aiding the enemy,” was convicted in a military court of 17 other charges and is serving a 35-year sentence at Leavenworth. Binney, the subject of Poitras’ short film The Program, never did time, but in 2007 armed agents broke into his home and confiscated his computer and business papers.)

Snowden wasn’t a Harvard-educated Beltway insider like Ellsberg, a 30-year NSA veteran like Binney or a soldier like Manning. Getting his high school diploma through a GED and doing a brief spell at a Maryland community college, he impressed employers with his intelligence and his command of encryption. That secured him jobs in the government and eventually a spot as a Booz Allen contractor. Quiet but not a loner, he has a longtime girlfriend, Lindsay Mills, who lived with him in Hawaii and eventually joined him in Moscow. He is a vegetarian who sometimes eats pepperoni pizza, because who doesn’t love pepperoni pizza?

In Poitras’ closeup view, Snowden is a pretty impressive specimen of the genus Nerdus. He speaks in long, fluent sentences, and his tone is serious with occasional flecks of humor. He correctly anticipates what’s in store for him and makes clear that the need for the public to know the range of government eavesdropping is worth the price he will pay. He radiates an almost Zen equilibrium; on one application form he listed Buddhist as his religion because agnostic wasn’t one of the choices. He keeps saying, “I’m not the story,” in the hope that the impact of the revelations he’s providing will distract the media from putting a face, his face, on the news.

He must have known that that wouldn’t happen. For all his calm, Snowden pursues the meticulous safeguards of a hunted man in a John le Carré spy thriller. He devises elaborate codes for meeting Poitras — “I’ll be playing with a Rubik’s Cube” — and when fire-drill bells ring unexpectedly in his room, he gets so jittery that Greenwald says, “You’ve been infected by the paranoia bug.” Snowden covers himself with a sheet while typing a certain password on his laptop; he calls it “my mantle of power,” alluding to the World of Warcraft video games. He also alerts Poitras to the enormous reach, or perhaps simply the enormity, of the U.S. snoop system, telling her, “Your adversary is capable of 1 trillion queries per second.” It’s fruitless to try outracing the NSA megacomputers; the only option may be exposing what’s inside them.

Poitras’ movie works even better as a horror picture — perfect for Halloween week. (Even the title suggests a scare-film franchise: After Insidious 2 and Saw 3 comes Citizenfour.) The heroine of the new movie Ouija, who communicates with the dead through a Hasbro toy, can’t compete with Snowden. His Ouija board is his computer; it helps him access what he sees as the U.S.’s darkest real-life secrets. His hotel room is well lighted, but for eight days he’s trapped in it, like Cary Elwes in the Saw basement, with people he has to hope are on his side. The camera glare gives a ghostly pallor to the young man, who had spent his last few months in sunny Hawaii. He could be a specter reaching out from the other side to warn the living. When he picks up his hotel phone and tells the operator, “There’s no Edward Snowden here,” you almost believe him.

Now for the obligatory George Packer paragraphs. The New Yorker staff writer, in his Oct. 20 story based on his visit with Poitras as she completed the editing of her film in Berlin, criticized her for not taking a more skeptical view of her subject. Packer quoted Binney, a vocal supporter of Snowden and a prominent supporting voice in Citizenfour, as saying in USA Today that when Snowden went beyond leaking information about the NSA’s spying in the U.S. to revealing the agency’s spy strategies against China, he was “transitioning from whistle-blower to traitor.” Packer wrote, “This is a distinction that Poitras might have induced Binney to pursue.”

A Binney follow-up on this allegation would have been welcome, since elsewhere in the interview he lavishly praised Snowden’s efforts. But Packer can’t deny Poitras’ openness to potentially hostile journalists — i.e., him. Last year he wrote a piece for Prospectus called “The Errors of Edward Snowden and Glenn Greenwald” (and got his own assertions picked apart by Henry Farrell in “George Packer and His Problems”). Yet Poitras agreed to talk to Packer, who apparently never raised the question about Binney. That is a question he might have induced her to answer.

To state the obvious: Poitras didn’t intend her movie as a balancing act of pro- and anti-Snowden opinions — if any film or TV documentary has ever taken the impartial Olympian overview that Packer demands. Citizenfour is, at heart, a portrait of a man at the moment he chooses to change Americans’ understanding of what their government knows about them. And it ends with the hint of another lone wolf ready to spill more essential dirt. Greenwald doesn’t speak to Snowden of the new whistle-blower; he writes some information on papers he then tears into pieces. On one of the scraps we glimpse the word POTUS: President of the United States. Snowden sees this and whispers, “Holy shit.”

Stay tuned for Citizenfive.

TIME technology

FBI Director Implies Action Against Apple and Google Over Encryption

FBI Director James Comey testifies at a Senate Judiciary Committee hearing on "Oversight of the Federal Bureau of Investigation" on Capitol Hill in Washington
FBI Director James Comey testifies at a Senate Judiciary Committee hearing on "Oversight of the Federal Bureau of Investigation" on Capitol Hill in Washington May 21, 2014. Kevin Lamarque—Reuters

The law enforcement chief made it clear, however, that he was speaking only for his own agency and not others

FBI Director James B. Comey has expressed exasperation at the advanced data encryption technologies that companies like Apple and Google say they will offer their customers, and implied that the government might attempt regulations to ensure a way around them.

“Perhaps it’s time to suggest that the post-Snowden pendulum has swung too far in one direction — in a direction of fear and mistrust,” Comey told the Brookings Institution in a speech Thursday. Comey also spoke of the need for a “regulatory or legislative fix” to hold all communications companies to the same standard, “so that those of us in law enforcement, national security and public safety can continue to do the job you have entrusted us to do, in the way you would want us to.”

But in response to questions from reporters and Brookings experts, the FBI director made it clear that he was only talking on behalf of his own organization and thus could not speak for the NSA or other intelligence agencies, reports the New York Times.

This is not the first time that Comey has spoken out against Apple and Google’s move to give users complete control over data encryption, but the implications of legislative action against these companies is a step forward in government efforts to thwart it.

While Apple and Google have not commented on Comey’s latest remarks, technology companies have previously said that the move toward personal data encryption will not slow down, and will in fact probably be stepped up.

“I’d be fundamentally surprised if anybody takes the foot of the pedal of building encryption into their products,” Facebook’s general counsel Colin Stretch told the Times. He added that encryption was a “key business objective” for technology companies.

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser