According to a Bloomberg report, the first bits of data leaked in the Sony hack were uploaded on Dec. 2, shortly after midnight, through the network of a fancy hotel in Thailand called the St. Regis Bangkok. But it was a global effort: the hack itself involved computers in Italy, Poland, Cyprus, Singapore and Bolivia. If this were a Bond movie, the culprit would obviously be terrorist organization SPECTRE–the five-star hotel is a dead giveaway–but the available evidence strongly suggests that the operation was in fact carried out by North Korea, most likely in response to the planned release by Sony of The Interview, a comedy starring James Franco and Seth Rogen about a CIA conspiracy to assassinate Kim Jong Un.
Most of the shocking revelations that have come out of the Sony hack have not, in the end, been all that shocking. If it’s news that studio heads write hyperaggressive emails to each other, then Entourage was the intelligence coup of the decade. The only really surprising development is the one in plain sight: North Korea launched an ambitious, highly public cyberattack against a major corporation in the U.S., and it actually worked.
It’s not news that a big corporation suffered a data breach. It happens all the time, literally. As networks get more complex, they get harder and harder to defend, to the point where there’s no such thing as an impenetrable system. There are always holes, and most networks, military and civilian, are under constant low-level attack from hackers of all kinds. It has become one of the basic laws of the digital universe that data tend to flow from private to public. The same way nature abhors a vacuum, the Internet abhors a secret.
There are surprising things about the Sony hack; they’re just not the obvious things. Nobody thought North Korea had the technical chops to pull off an operation on this scale. We’ve known for a while that cyberwar is a major focus of North Korea’s military, in part because its physical assets and infrastructure are crumbling into obsolescence and the country doesn’t have the cash to replace them. But until now North Korea wasn’t considered capable of playing in the big leagues.
And it’s playing by new rules. In the past, big media companies have been hit by public defacement–the kind of cybergraffiti in which a front page gets rewritten or bombed offline by a denial-of-service attack–or subjected to the discreet exfiltration of user passwords. But the Sony hack was a serious public mauling of a major media company, a deep, penetrating invasion of the kind usually reserved for much harder targets: military, intelligence, industry, infrastructure. You don’t hit movie studios with it.
Except now you do: North Korea has opened a new theater for cyberwarfare, a cultural one. It’s pathetic and embarrassing that North Korea responded to a satire about its leader with an act of large-scale cyberwarfare and threats of physical violence, but it’s not hard to see why it did. The U.S. is accustomed to exercising an easy pop-cultural hegemony over much of the world, effortlessly and lucratively exporting movies, TV and music, even to countries like China that in other ways are highly resistant to American influence. North Korea is pushing back, and successfully: following admittedly vague threats of violence by the hackers, the five largest movie chains in the U.S. pulled The Interview from their theaters, whereupon Sony canceled the movie’s release. Sony’s decision has been widely criticized, for plenty of theoretically sound reasons, but the idea that freedom of speech as represented by The Interview is worth risking lives for seems grotesque. Sony will eat around $100 million by canceling The Interview; we can spare it the constitutional arguments on top of that.
The fallout is very far from over: It’s estimated that the hackers extracted about 100 terabytes of information from Sony, of which only maybe 50 gigabytes have so far been made public. But just as surprising as the technical competence the North Koreans displayed is their deep grasp of American culture. The model here isn’t military or industrial hacking–it’s not Stuxnet or Target–it’s WikiLeaks and Snowden and even the iCloud celebrity-photo leak. The mere act of moving information across the line from private to public can turn that information into a weapon that can inflict all kinds of damage–especially in America, where we’re willing to turn on one another with minimal provocation. You don’t have to break hardware or steal credit cards, you just have to put some emails and salary figures where everybody can see them. We will then commence shaming each other, loudly and vigorously, all by ourselves.
This appears in the December 29, 2014 issue of TIME.