Whenever news of a major computer breach breaks, the reactions of the affected company are just as revealing as the breach itself, if not more so. This is certainly true of the ongoing train wreck after the crippling Sony Pictures Entertainment hack, which has resulted in not only leaked emails, movies and financial data but also the cancellation of a major feature film.
The nightmare began on Nov. 24, when a group calling itself Guardians of Peace penetrated Sony’s network, wiped its servers and began leaking troves of stolen internal documents online. The leaks continued into December, revealing scandalous details of Sony’s anti-piracy plans and political strategies as well as embarrassing emails and sensitive data such as employee Social Security numbers, passwords and encryption keys. While the hackers’ goal originally seemed to be extortion, media reports billed the attack as an attempt to stop the release of “The Interview,” a comedy about two American journalists recruited to assassinate North Korean leader Kim Jong Un. Then on Wednesday, a new message (ostensibly from the same group) threatened attacks against theaters showing the film. When theaters began pulling out, Sony made the shocking decision to cancel the movie’s release.
There are conflicting theories about who is behind the attacks. Media outlets initially pointed at North Korea, noting the country’s previous vague threats over “The Interview” and similar cyberattacks believed to originate from the region. The FBI has declared the Hermit Kingdom responsible. But security experts note that identifying hacking culprits with 100 percent accuracy is often practically impossible. As far as we know, it’s possible that Sony’s network is being infiltrated by one or more groups of regular criminals or hacktivists fronting as North Korea for cover.
But behind this headline-making whodunit is another question: Given Sony’s reputation on cybersecurity and the horrible way it handled the breach, why should we have any sympathy for the company?
Far from a victim
When giant corporations such as Sony are hacked, they have one priority: Paint themselves as helpless victims by hyping the capabilities of the hackers to convince customers and shareholders that the breach was unavoidable. The public relations effort is often aided by top-dollar security specialists hired to investigate the breaches. Kevin Mandia, CEO of Mandiant, the security firm Sony hired to look into the hack, called the Sony Pictures attack “unprecedented” and claimed that neither Sony nor other companies “could have been fully prepared” for it. The reason, he said, is that the malware used by the intruders wasn’t detectable by any industry-standard antivirus scanners.
But as Global Cyber Risk CEO Jody Westby points out at Forbes, this is a moot point. Any hackers worth their salt use attack code that evades antivirus detection, and such code is frequently traded on online black markets. Writing it isn’t even that hard. And attacks that wipe out entire corporate databanks and email spools are hardly “unprecedented.”
Judging by the company’s long history of lax security and embarrassing breaches (a 2011 hack of the PlayStation gaming network exposed 77 million user accounts), it’s far more likely the success of the attack had to do with Sony’s failure to mitigate the damage. In fact, despite previous hacks, the leaks contain evidence that Sony is storing the Social Security numbers and passwords of its employees on its servers unencrypted. Two former employees have already filed a class-action lawsuit, alleging that the company knew about the risks it took but nevertheless failed to reform its security policies. “Sony gambled, and its employees — past and current — lost,” they wrote in the suit.
Even if that isn’t the case, Sony’s response to the leaks and threats undoubtedly made things worse. It started by sending legal threats to journalists reporting on the leaks, warning that they would be held “responsible for any damage or loss arising from ... use or dissemination” of the documents the hackers released. The letter, which reads like it’s from an era before the Internet existed, is a tone-deaf diatribe on the realities of 21st century journalism. Corporations and governments should know by now: Once it’s out on the Internet, it’s out.
Sony also allegedly attempted to stop the spread of the files by flooding BitTorrent sites with false data, an anti-piracy tactic the company has used before that could run afoul of hacking laws. The company’s decision to cancel the release of “The Interview” also drew criticism; observers saw it as a capitulation to whoever made clearly overblown threats against the movie theaters showing the film. In an interview with Vice’s technology magazine Motherboard, cybersecurity expert Peter W. Singer stated what should have been obvious: “The ability to steal gossipy emails from a not-so-great protected computer network is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously.”
Which brings us back to that question: Why should anyone feel bad for Sony?
The company’s leaked emails provide many convincing reasons we shouldn’t. Prime among them is Project Goliath, a multipronged anti-piracy campaign waged by Sony and other Hollywood studios against Google. The project, according to leaked emails, is designed to “respond to/rebut [Google]’s public advocacy” and “amplify negative [Google] news,” and it includes a secret effort to revive through nonlegislative means the Stop Online Piracy Act (SOPA), the Internet censorship bill that was killed after nationwide protests in 2012. The documents mention influencing state attorneys general to take an anti-Google stance and even discuss blocking content by meddling with the Internet’s DNS addressing system — a dangerous proposition that was the most contentious part of the SOPA bill.
Draconian anti-piracy measures are nothing new for Sony. In the mid-2000s, Sony BMG, the conglomerate’s music division, tried to block users from copying music by secretly placing malicious rootkit software on their computers through legally purchased CDs. The malware modified customers’ operating systems to prevent CD copying and transmitted their private listening habits to Sony, prompting public outrage, government investigations and a partial recall.
True protection
Cybersecurity is a serious problem, even if Sony isn’t the most sympathetic victim. But as with any attack, the biggest long-term consequence comes from our overreaction. Warmongering commentators are already spinning the Sony hack as an act of war against the United States, and policymakers will surely use it to advance controversial laws such as the twice-failed Cybersecurity Information Sharing and Protection Act, which would allow companies to share private customer data with the government.
These bills aren’t real cybersecurity solutions; their hawkish proponents fearmonger about nonsensical action-movie scenarios such as a cyber Pearl Harbor or cyber 9/11 while pushing some of the same failed solutions as did the post-9/11 “war on terrorism”: decimating civil liberties to provide new capabilities that don’t offer any security. And all the while, the U.S. is developing its own cyber-arsenal to unleash on whomever it pleases, no matter the costs. As journalist Russell Brandom put it at The Verge, cyberwarfare isn’t about good guys versus bad guys; it’s about aggressors and victims, and we are all collateral damage.
Fortunately, there is a better way to protect Americans from hacking: Enforce better information security standards for corporations that hold sensitive data. Security experts already have a good idea of what these standards should be. We just need to increase liability and punish companies that don’t comply, not coddle them when they leave their doors unlocked.