Dec 30, 2014 · 2 minutes

The government remains convinced North Korea is behind the cyberattack against Sony Pictures Entertainment, but it's now considering the possibility of the country hiring outside help to carry out the attack, according to a new report from Reuters.

Federal Bureau of Investigation officials said North Korea might lack the technical ability to perform the attack, which was thought to have been prompted by a satirical film about assassinating North Korean leader Kim Jong Un, the Reuters report said.

The admission follows mounting evidence that the methods used to identify North Korea as the hacker are inconclusive and might actually implicate other parties. One company told the FBI the attack was likely perpetrated by a former Sony employee:

An investigation into the massive breach at Sony has focused on a group of at least six individuals that may have worked to compromise the company’s networks, including at least one ex-employee who had the technical background and system knowledge to carry out the attack.

Working on the premise that it would take an insider with detailed knowledge of the Sony systems in order to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive of data, researchers from Norse Corporation are focusing on this group based in part on leaked human resources documents that included data on a series of layoffs at Sony that took place in the Spring of 2014. Other digital security experts have warned against putting too much faith in the attribution methods used by the FBI to name North Korea as Sony's attacker. Some support the government's conclusions, but many more seem to remain unconvinced.

All of which leaves two options: either the FBI rushed to name North Korea as Sony's hacker based on weak information, or the government knows something it's not sharing with the many cybersecurity researchers who are intently studying the case.

Neither option is particularly compelling. As Harvard professor Jack Goldsmith explains at the Lawfare blog, which focuses on the intersection of security and law:

Even if the FBI’s attribution turns out to be right [...] its hesitation in the face of credible questions about its very thin public evidence will exacerbate the demand for publicly verifiable attribution before countermeasures (or other responses) are deemed legitimate.  In this small but significant sense, the United States has lost a battle in the early days of cyber conflict.
Attributing cyberattacks to specific groups is difficult work, and it's almost impossible to be completely sure that someone was behind an attack. It seems increasingly likely the government made a mistake in blaming North Korea.

Even if the FBI is holding the "smoking gun" some security researchers expect it to have found, it's clear that the government shouldn't have rushed to attribute the hack to anyone, and Obama certainly shouldn't have promised retribution for the attack.

[illustration by Brad Jonas for Pando]