The suspected hack by North Korea into the computer system of an American movie company has gotten a lot of people excited without a lot of thinking about the significance, or lack of it, of what has happened and without addressing some longstanding conceptual problems that have plagued discussions related to terrorism. The problems persist even if we simplify matters by accepting the widespread assumption that the North Korean regime did in fact perpetrate the hack—an assumption that, based on public knowledge to date, is not necessarily correct.
It appears that the net effect of the electronic intrusion has been to delay release of a movie—not usually the stuff of which national security crises are made, or should be made. Some of those who are agitated about the incident refer to subsequent bellicose-sounding statements from the North Korean regime that, while denying responsibility for the computer intrusion, refer angrily to the same movie. Some of what that regime is said to have said in the current instance regarding threats against the United States it did not really say. Besides, Pyongyang makes bellicose-sounding statements, including ones specifically directed at the United States, all the time.
Perhaps some of those alarmed about this latest incident believe that the successful hack demonstrates a capability as well as a willingness to inflict more substantial harm on Americans who go to see the movie that the North Korean regime does not want them to see. The imagined scenario might involve something like North Korean hackers taking over the electronics of movie theaters in the United States and somehow manipulating the climate control system to have debilitating or lethal consequences on people in the audience. As ridiculous as such a scenario is, it is not improbable that such images are affecting the thinking of some Americans worrying about what North Korea might do, because this kind of fancifulness has roots in a larger tradition of American thinking about terrorism.
There has been fascination, dating at least back to the 1990s, with possible unconventional methods of terrorist attack, which is to say use of chemical, biological, radiological, or nuclear (CBRN) means or anything having to do with cyber capabilities. And such hypothetical means do indeed make for fascinating scenarios. The sheer sexiness of the subject fires the imagination. That fascination has led to grossly disproportionate attention in commentary and alarmism about terrorism using CBRN and cyber methods—disproportionate when compared to the ways terrorists actually have been harming people.
An example of this misplaced focus and how long it has been around was an article that President Obama's nominee for secretary of defense, Ashton Carter, wrote 16 years ago along with John Deutch, another former deputy secretary of defense, and Philip Zelikow, who supervised writing of the 9/11 commission report. The danger the authors wanted to warn us about was that “terrorists may gain access to weapons of mass destruction, including nuclear devices, germ dispensers, poison gas weapons, and even computer viruses.” All of their imaginative hypothetical examples involved the use of either CBRN or cyber techniques. They argued that the big divide between, on one hand, terrorism we really ought to worry about more and would be “catastrophic,” and on the other hand conventional terrorism which the authors assured us was already getting sufficient attention, was whether or not such unconventional techniques or weapons were used.
The 9/11 attacks, which had nothing whatever to do with either cyber methods or CBRN capabilities, demonstrated how mistaken that analysis was. Nothing terrorists have done in the years since then suggests that the analysis is any less misdirected. And yet, the fascination continues, as do mistaken attributions of newness to threats that fit the fascinating mold. Thus, for example, David Rothkopf tells us this week that “we are at a critical juncture in the dawning days of the cyber era,” that we need “to start writing a new playbook” on foreign policy because of cyber threats, and that in response to the Sony Pictures incident we ought to be talking about using not just cyberattacks but even military action against North Korea. Senator John McCain, not to be outdone by anyone when it comes to talking about getting involved in wars, said the presumed North Korean hack of Sony was “the manifestation of a new form of warfare.”
Another old terrorism-related issue that the Sony matter has raised concerns the official U.S. list of state sponsors of terrorism. President Obama says he will review whether there is reason to put North Korea back on the list. Such a review would be appropriate insofar as it actually focuses on terrorism. The state sponsor designation has been one of the most abused listings the U.S. government promulgates, with most of the listings and delistings, under several different administrations, having little or nothing to do with terrorism. Cuba's remaining on the list long after ceasing to be involved in anything that could be considered sponsorship of terrorism has been a glaring anomaly, although one that may be corrected in the course of implementing the president's initiative on Cuba. Iraq under Saddam Hussein was moved off and on the list for reasons other than any change in Iraq's terrorism-related behavior; it came off during the Reagan administration as part of the U.S. tilt toward Iraq during the Iran-Iraq war, and it was put back on when Saddam invaded Kuwait. North Korea perpetrated very nasty terrorism back in the 1980s but remained on the list for many years after it had stopped doing anything of the sort. When the George W. Bush administration removed it from the list six years ago the real reason had to do not with terrorism but with circumstances associated with the nuclear weapons issue.
Although the fascination with hypothetical cyber shenanigans as a terrorist tool, and the entrenchment of the term cyberterrorism in the language, provide an impetus for labeling the presumed North Korean action against Sony Pictures as terrorism, there surely is a case to be made for maintaining a clear distinction—in terminology as well as in responses—between actions that delay a movie's release and ones that have the more material effects commonly associated with terrorism.
Another reason for pause in applying the label of terrorism to what has occurred, and no doubt a reason the Obama administration is pausing before applying it, is to think about what the United States, or countries the United States calls allies, have done or might do with their own cyber capabilities overseas. If one action is to be called terrorism, then so must the other.
This gets to an asymmetry that has kept us Americans from fully coming to terms with how we and others use state-sanctioned violence for political purposes. The most common conceptions of terrorism mostly correspond to the legal U.S. definition that is used for another one of those official lists (the one for foreign terrorist organizations). That definition refers to politically motivated violence conducted against noncombatants by either a nonstate organization or clandestine agents of a state. Most of the politically motivated violence that we, or our purported allies, practice (much of which affects noncombatants, sometimes in very bloody ways) is conducted openly as military operations. Others may not have that opportunity, either because of weakness in military capabilities or lack of recognition as a state, or both. So we get to apply the label of terrorism to the other guy's politically motivated violence but don't have to apply it to our own, or perhaps to that of a putative ally. A distinction is made in semantics, even if not in morality or material effects. But if we apply the label to any hostile cyber operations in a foreign country and have conducted any such operations ourselves, we lose that convenient terminological asymmetry.
Of course, one could follow McCain's approach of simply calling everything war, but that leads to two other observations. One is that if we have conducted hostile cyber operations not in response to anything that could be called either terrorism or war but instead in response to something else (such as, say, a nuclear program we don't happen to like), then we would have to say we started a war. (And is that any better than initiating other forms of politically motivated violence?) The other observation is that if we are in a state of war any time a hacker goes after a movie he doesn't happen to like and affects its box office receipts, we are in worse trouble than any of us thought.