Cyberwar and Sony


On November 14, 2014, Sony Pictures Entertainment was hacked, locking employees out of their computers, compromising important internal data, and leaking unreleased movies onto the internet.[1] Some speculated the attack came from North Korea because Sony's soon-to-be-released movie, The Interview, depicted an assassination attempt on North Korean leader Kim Jong Un.[2] By December 19, the Federal Bureau of Investigation confirmed that North Korea was behind the attack.[3]

In response to the attack, President Obama said the U.S. would "respond proportionately."[4] Obama emphasized that the United States was not at cyberwar with North Korea and that the attack was an act of "cyber vandalism."[5] On December 22, North Korea experienced Internet outages for about ten hours.[6] This led to speculation that the U.S. was behind the outages, though others believe it was the work of “hacktivists” and not the government.[7] Additionally, on January 2, 2015, President Obama signed an executive order increasing sanctions against North Korea.[8] The President’s authority to respond proportionately to the Sony attacks is based in principles of international law.

First, the United Nations Charter affirms the right of UN Member states to defend themselves “if an armed attack occurs.”[9] Here, Sony experienced a data security breach. Although disruptive, this cyber-attack likely does not rise to the level of an “armed attack” justifying a response under Article 51.[10] While a cyber-attack could rise to the level of an armed attack under Article 51 if it causes loss of life or economic collapse, the mere loss of data does not justify such a response.[11] Thus, it is unlikely Article 51 provides a strong basis to “respond proportionately.”

However, the Responsibility of States for Internationally Wrongful Acts provides that a state may take countermeasures in response to an internationally wrongful act.[12] This principle is codified in the North Atlantic Treaty Organization’s Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply traditional international law rules to cyberwar.[13] “A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures against the responsible state.”[14]

North Korea’s attack on the United States’ sovereignty and Sony’s cyber security was a wrongful act, and the United States had the authority to respond under the principles of the Tallinn Manual. If the U.S. was responsible for the outage, it was likely proportionate because, while the entire country of North Korea experienced an outage (a larger intrusion than a cyber attack on a single company), there is no evidence the United States destroyed and released any sensitive or confidential data. In contrast, North Korea breached Sony corporate and employee privacy. Thus, assuming the U.S. was responsible for North Korea’s Internet outage, the response was proportionate.

President Obama also authorized additional economic sanctions against North Korea.[15] These sanctions target North Korean leaders, limiting their access to capital and ability to enter the United States.[16] This response is likely also proportionate because the United States has a right to defend itself under international law.[17] President Obama merely targeted North Korean officials, who are already subject to strict economic sanctions, and not the North Korean people themselves.[18] Finally, legal experts agree that the U.S. does not have to fight cyber attacks with cyber countermeasures.[19] Accordingly, the economic sanctions were likely permissible under the Tallinn Manual and under international law.

[1] Lori Grisham, Timeline: North Korea and Sony Pictures hack, USA Today (Jan. 5, 2015),

[2] Id.

[3] Id.

[4] David Jackson, Obama: We’re not at cyberwar with North Korea, USA Today (Dec. 21, 2014),

[5] Id.

[6] Id.

[7] Brian Fung, North Korea’s Internet outages was likely the work of hacktivists –but not the ones you might think, Washington Post (Dec. 23, 2014)

[8] Lori Grisham, supra note 1.

[9] U.N. Charter art. 51.

[10] See Michael Schmitt, International Law and Cyber Attacks: Sony v. North Korea, Just Security (Dec. 17, 2014),

[11] See U.N. Charter, supra note 9.

[12] See Responsibility of States for Internationally Wrongful Acts, G.A. Res. 65/19, U.N. Doc. A/RES/65/19 at Part III, Ch. II, Art. 51 (Jan. 10, 2011).

[13] See Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael Schmitt 2013), available at The Manual was written by the International Group of Experts and is merely scholarly opinion and not binding law. Id.

[14] See Tallinn Manual, supra note 13 at 36.

[15] Jim Acosta, U.S. slaps new sanctions on North Korea after Sony hack, CNN (Jan. 3, 2015)

[16] Id.

[17] See Responsibility of States, supra note 10.

[18] See Jim Acosta, supra note 12 (indicating Obama’s order did not aim to target North Korean citizens).

[19] See e.g., Kristen Eichensehr, International Law Permits a Measured Military Response to Cyberattacks, N.Y. Times (Dec. 23, 2014),

Posted by Andrew D. Johnstone on Wed. January 21, 2015 11:16 AM
Categories: Cyberwarfare, International Law, North Korea, United States
UNC School of Law | Van Hecke-Wettach Hall | 160 Ridge Road, CB #3380 | Chapel Hill, NC 27599-3380 | 919.962.5106