North Korea may not have been behind Sony hack

Many commentators have been discussing responses to the cyber attacks against Sony. They feel qualified to do this, even though they know nothing about cyber security, because they believe they understand the larger context. If we look at the larger context from the standpoint of cyber conflicts, however, most of these discussions sound naive.

North Korean leader Kim Jong Un smiles during a visit to the Chonji Lubricant Factory, in this undated photo.
KCNA | Reuters
North Korean leader Kim Jong Un smiles during a visit to the Chonji Lubricant Factory, in this undated photo.

North Korea has never before demonstrated any advanced hacking capabilities. More important, it has hardly any way of acquiring those capabilities. It has no high-tech business sector or local hacker community from which it can recruit talent. It doesn't let its people attend courses and conferences outside its borders, where they could learn the necessary skills.

Read MoreObama: Sony made a mistake by pulling 'The Interview'

North Korea regularly carries out cyber attacks, but these attacks have always been relatively crude. Groups that monitor North Korea's cyber activities have never seen any sign that North Korea is currently a serious cyber threat or on the verge of becoming one.

The cyber attacks carried out against Sony required a much higher level of skill than North Korea could manage as recently as last spring. What's technically impressive about the attacks is not the fact that Sony was penetrated. It's the enormous amount of activity that the attackers managed to carry out inside Sony's computers and networks without detection. They were poking into everything, identifying and mapping everything on the corporate network, opening huge numbers of documents, running many applications, pushing the CPU's to very high utilization levels, and moving many terabytes of data around for months without being detected.

These skillful activities suggest either that North Korea had help in carrying out the attacks or that it wasn't responsible at all. It is possible that North Korea simply hired criminal hackers to assist them. But North Korea does not have the sort of contacts that would have allowed them to do this quietly, and there have been no rumors that they were shopping for hackers.

Read More5 things the Sony hack exposed

Most of the things the attackers were actually doing don't point to North Korea. None of their activity inside Sony's networks was focused on the film North Korea wanted to suppress. In fact, the demand for the film to be suppressed came relatively late in the communications that seem to have come from the attackers. It seems to have been added as an after-thought.

The forensic evidence that does point to North Korea is all ambiguous and circumstantial. It mostly involves software being re-used that was widely available and servers being used that any skilled hacker could have accessed. There is an alternative explanation for every detail that seems to implicate North Korea. What's more, any attackers capable of carrying out these specific attacks would also have been capable of faking the supposed evidence.

This raises the question, "Who would want to attack Sony other than North Korea?" Many hackers would be tempted to reply by asking, "Who wouldn't want to attack Sony?" Sony carried out a cyber attack on its own customers in 2005-7 by putting root kits into their computers in an effort to catch them in copyright infringement. They felt justified, because hackers had been sharing Sony music without paying for it. The resulting conflict between Sony and the hacker community escalated in 2011, when hackers showed how to play non-Sony games on Sony's Play Station. The hackers considered this a "righteous hack," adding to the value of Sony's product. Sony mounted an aggressive legal response and denounced hackers, using language the hackers regarded as insulting and incendiary. The hacker community responded by shutting down Sony's gaming website for months. There have been many other stages in this ongoing conflict. In fact, the Christmas attack on Sony's gaming network by Lizard Squad is just another instance of this ongoing conflict.

Read MoreOp-ed: Hey Sony —The 'e' in email stands for evidence

One consequence is that anyone who wants to attack Sony can find many sympathizers in the hacker world. Although North Korea would still find it difficult, it would be easier to assemble the information and tools for attacking Sony than for attacking most other corporations. This increases the likelihood of Sony being attacked by groups with a wide range of motives, including simple extortion.

The question then becomes, "Who, among the groups who might want to attack Sony, could be mistaken for North Korea?" Here are some of the possibilities:

1) A criminal enterprise, perhaps ethnically Russian, that wants to confuse anyone investigating its extortion attempt by dragging in North Korea.

2) A group of criminal cyber attackers, perhaps South Korean, who have been mistaken for North Korea, because they simply used some of the same generally available attack tools and servers that North Korea would have used.

3) Ideologically-motivated hackers in Western countries who hate Sony and feel a common cause with anyone else who is Sony's enemy, including North Korea.

4) Former employees who want to hurt Sony and who figured they could add to Sony's woes by stirring up a conflict between Sony and a foreign government, such as North Korea.

5) Any group that wants the United States to take a harder line with North Korea, including many South Koreans, Japanese, and others in East and Southeast Asia.

Read MoreHow millennials are shaking North Korea's regime

The list of possibilities grows larger, the more you think about it. Even more possibilities emerge when you consider that different groups could have cooperated in the attacks, and that the same attackers might have had more than one motive.

Does this make the proposals in the media for making North Korea pay for these attacks sound more than a little naive? Welcome to the world of cyber conflict! We all better get used to it, because this is what faces us in the year ahead.

Commentary by Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent, nonprofit research institute that offers intensive day-long courses in how to analyze cyber threats, cyber consequences, and cyber risk.