November 14, 2014, Sony Pictures Entertainment was hacked, locking employees
out of their computers, compromising important internal data, and leaking unreleased
movies onto the internet. Some speculated the attack came from North
Korea because Sony's soon to be released movie, The Interview, depicted an assassination attempt on North Korean
leader Kim Jong Un. By December 19, the Federal Bureau of Investigation confirmed that North Korea was
behind the attack.
response to the attack, President Obama said the U.S. would "respond
proportionately." Obama emphasized that the
United States was not at cyberwar with North Korea and that the attack was an
act of "cyber vandalism." On December 22, North Korea experienced
Internet outages for about ten hours. This led to speculation that the U.S. was
behind the outages, though others believe it is the work of “hacktivists” and
not the government. Additionally, on January 2, 2015, President
Obama signed an executive order increasing sanctions against North Korea. The President’s authority to respond
proportionately to the Sony attacks is based in principles of international
First, the United Nations Charter affirms the right of UN Member states to
defend themselves “if an armed attack occurs.” Here, Sony experienced a data security breach.
Although disruptive, this cyber-attack likely does not rise to the level of an “armed
attack” justifying a response under Article 51. While a cyber-attack could rise to the level
of an armed attack under Article 51 if it causes loss of life or economic
collapse, the mere loss of data does not justify such a response. Thus,
it is unlikely Article 51 provides a strong basis to “respond proportionately.”
the Responsibility of States for Internationally Wrongful Acts enumerates that
a state may take countermeasures for an internationally wrongful act. This principle is codified in North Atlantic Treaty Organization’s Tallinn Manual
on the International Law Applicable to Cyber Warfare, which
attempts to apply traditional international law rules to the rules of cyberwar. “A
state injured by an internationally wrongful act may resort to proportionate
countermeasures, including cyber countermeasures against the responsible
North Korea’s attack on the United
States’ sovereignty and Sony’s cyber security was a wrongful act, and the
United States had the authority to respond under the principles of the Tallinn
Manual. If the U.S. was responsible for the outage, it was likely proportionate
because while the entire country of North Korea experienced an outage— a larger
intrusion than a cyber attack on a single company— there is no evidence the
United States destroyed and released any sensitive or confidential data. In
contrast, North Korea breached Sony corporate and employee privacy. Thus,
assuming the U.S. was responsible for North Korea’s Internet outage, the
response was proportionate.
President Obama also authorized
additional economic sanctions against North Korea. These
sanctions target North Korean leaders, limiting their access to capital and
ability to enter the United States. This response is likely also proportionate
because the United States has a right to defend itself under international law. President
Obama merely targeted North Korean officials, who are already subject to strict
economic sanctions, and not the North Korean people themselves. Finally, legal experts agree that the U.S. does not have to fight cyber attacks
with cyber countermeasures. Accordingly, the economic sanctions were likely permissible under the Tallin
Manual and under international law.
 Lori Grisham, Timeline: North Korea and Sony Pictures hack, USA Today (Jan. 5, 2015), http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645/.
 David Jackson, Obama: We’re not at cyberwar with North
Korea, USA Today (Dec. 21,
 Brian Fung, North Korea’s Internet outages was likely
the work of hacktivists –but not the ones you might think, Washington Post (Dec. 23, 2014) http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/23/north-koreas-internet-outage-was-likely-the-work-of-hacktivists-but-not-the-ones-you-might-think/.
 Lori Grisham, supra note 1.
 U.N. Charter art. 51.
 See Michael Schmitt, International
Law and Cyber Attacks: Sony v. North Korea, Just
Security (Dec. 17, 2014), http://justsecurity.org/18460/international-humanitarian-law-cyber-attacks-sony-v-north-korea/.
 See U.N. Charter, supra note 9.
 See Responsibility
of States for Internationally Wrongfully Acts G.A. Res. 65/19, U.N. Doc. A/RES/65/19 at
Part III, Ch. II, Art. 51 (Jan. 10, 2011).
 SeeTallin Manual on the
International Law Applicable to Cyber Warfare (Michael Schmitt 2013),
available at https://ccdcoe.org/tallinn-manual.html. The Manual was written by
the International Group of Experts and is merely scholarly opinion and not
binding law. Id.
 See Tallin Manual, supra note 13 at 36.
 Jim Acosta, U.S. slaps new sanctions on North Korea
after Sony hack, CNN (Jan. 3, 2015) http://www.cnn.com/2015/01/02/politics/new-sanctions-for-north-korea-after-sony-hack/.
 See Responsibility of States, supra note 10.
 See Jim Acosta, supra note 12 (indicating Obama’s order did not aim to target North Korean citizens).
 See e.g., Kristen Eichensehr, International
Law Permits a Measured Military Response to Cyberattacks, N.Y. Times (Dec. 23, 2014), http://www.nytimes.com/roomfordebate/2014/12/23/when-does-a-cyberattack-warrant-a-military-response/international-law-permits-a-measured-military-response-to-cyberattacks.
Posted by Andrew D. Johnstone on Wed. January 21, 2015 11:16 AM
Cyberwarfare, International Law, North Korea, United States