Peter Singer and Allan Friedman: Sony hack has lessons for us all
It's important not to treat all cybercrime the same, authors say
There is no such thing as 100% security, they argue
Editor’s Note: Peter W. Singer is strategist at the New America Foundation. Allan Friedman is a research scientist at the Cyber Security Policy Research Institute at George Washington University. They are the authors of “Cybersecurity and CyberWar: What Everyone Needs to Know.” The views expressed are their own.
From North Korean hackers to embarrassing emails about our favorite stars, the recent hack of Sony Pictures seems to have all the makings of a Hollywood movie.
And maybe one day it will be. After all, there seems to be a new plot twist almost daily, the latest coming Wednesday with news that movie theaters across the country were canceling plans to screen “The Interview” after a group calling itself the Guardians of Peace warned that moviegoers would suffer a “bitter fate” if they went to see the film.
But as surreal as the Sony story sounds, it actually holds a number of valuable lessons on cybersecurity for all of us. Five stand out.
1) Different types of cybercrime have different goals. The hack of Sony has often been lumped in with stories ranging from run of the mill online credit card theft to the Target, Home Depot and JP Morgan breaches to the time that Iranian-linked hackers allegedly “erased data on three-quarters of Aramco’s corporate PCs.” In fact, most of these crimes have little more in common than the fact that they were committed using computers. It’s a lot like lumping together every incident in New York that involves a gun, whether it’s a bank robbery, a murder or a football player accidentally shooting himself.
What made the Sony hack distinct is that it mixed an evidently organized effort, using advanced tools (what is known as an “advanced persistent threat”) that some have linked to the North Korean state, but with the goal of maximizing attention and embarrassment for the target. That is, they weren’t a few hackers phishing after any target, nor were they trying to keep quiet, so that they could continue to secretly exfiltrate data. Rather, they appear to have wanted to cause havoc – and make sure everyone knew.
Differentiating between these kinds of threats is critical, because different risks require different types of responses. The claims some have made that the Sony hack is an act of “cyberterrorism” are a case in point. The FBI definition of cyberterrorism requires “an act that results in violence,” which stealing scripts about James Bond carrying out acts of violence wouldn’t meet. This also applies to the recent threats by the hackers to create 9/11 style events at any movie theater that shows the film. Rapidly becoming an illustration on how not to handle online threats, virtually all the major U.S. theater companies have now said they won’t show the movie. Yet the ability to steal gossipy celebrity emails is clearly not the same as having the capacity to undertake physical attacks at thousands of movie theaters across the country. So, at least based on their actions so far, the “bitter fate” the hackers promised moviegoers is most likely to be the price they pay for popcorn.
2) There is no such thing as 100% security. There is no perfect security system, and even those organizations that take information security extremely seriously may find that attackers have been successful. And while the Target and JP Morgan breaches differed greatly, what they shared is that both their IT teams were well respected by the cybersecurity industry, and yet they still got hit. Companies should therefore expect that the bad guys will get in, and, indeed, should plan for it.
As Wired reporter Kim Zetter put it, “Security isn’t just about detecting malware – it’s about preventing it from succeeding in stealing data once on your system.” Large organizations have to understand their new responsibilities that come with storing large amounts of sensitive information. Whether it’s your scripts or employee Social Security numbers, protect it on the inside, not just the outside.
3) Your email privacy will not be respected, so act like it. One of the stranger aspects of the Sony breach is how executives acted like their communications were taking place behind an inviolable wall. The sad reality is that as more of our data inevitably finds its way into the public eye, we’ll have to assume that private emails may not always remain private. So the rule your parents told you that you should never write something you wouldn’t be OK with seeing in a newspaper holds all the more true now, even as newspapers disappear. And if you won’t listen to your parents, then at least listen to what Oprah recently told CNN on this.
Frankly, this was common sense over a decade ago; Enron’s analysts, for example, got caught joking about cheating “Grandma Millie.” While it would be great if media outlets (and the government, for that matter) respected our email privacy, the fact is that they’ll choose to disclose based on their own protocols. Indeed, it has been telling that while many of the media outlets called for respecting celebrity privacy when it came to leaked nude photos of celebrities, they have been happy to report on the Hollywood gossip revealed by this hack.
4) The cost of a cybersecurity breach isn’t just about the technical cleanup. When businesses think about the costs of a cybersecurity incident, they usually only contemplate the hard numbers on the technical side, roughly the cost of the technical and legal investigation and cleanup added to the business lost from being knocked offline. With this in mind, some have estimated this particular breach may cost Sony as much as $100 million.
The reality, as the studio is now experiencing, is that the costs often go well beyond. The hit for the firm encompasses everything from future business opportunities missed to lost customer trust to a certainly unwanted new role in the debate over gender pay disparity.
This means that while most of us won’t have to face a lifetime of icy stares from Angelina Jolie, we do need to think of cybercosts in a different, broader way. Indeed, a survey by PWC of business executives found that only 39% of them weighed the impact of a cyberattack on their brand image and only 25% on lost secrets and other intellectual property. This gap is important, because how you weigh the potential costs shapes what you are willing to do to prevent them.
5) Attribution is hard, and sometimes doesn’t matter. Victims understandably want to know who hit them, but knowing with certainty who is responsible for an attack is incredibly difficult. In the Sony case, most signs point to North Korean linked hackers; the government of North Korea had expressed deep anger over “The Interview,” and there are similarities to other attacks traced back to North Korea in certain reported attack techniques. But these are mostly context-based, good enough so far only for the court of public opinion.
But even if we felt a high degree of confidence, it’s unclear what Sony could or should do next. North Korea’s government would likely still deny its direct involvement even in the case of damning evidence. And even if it admitted its role, Sony’s actual recourse appears to be limited. This means that whether one is looking at the Sony breach, the Iranian hack of the Sands Casino or the massive Chinese campaign of theft of corporate secrets, the real problem isn’t one of attribution, but accountability.