The hacking of Sony Pictures’ computer files, apparently in revenge for a movie about a zany plot to assassinate North Korean leader Kim Jong-un, marks a new chapter in the saga of cybersecurity, cybercrime, and cyberwarfare.
Most cyberattacks to date—by China, Russia, Iran, Syria, North Korea, Israel, the United States, and a dozen or so other nations, as well as scads of gangsters and simple mischief-makers—have been mounted in order to steal money, patents, credit card numbers, or national-security secrets.
Matt Devost, president and CEO of FusionX LLC, one of the leading computer-security firms dotting the Washington suburbs, told me in an email this morning, “This is the dawn of a new age. No longer do you have to worry just about the theft of money or intellectual property, but also about attacks that are designed to be as destructive as possible—and to influence your behavior.”*
Bob Gourley, co-founder and partner of Cognitio, another such firm, agrees. “I have tracked cyber threats since December 1998 and have never seen anything like this. It might have roots in the early Web-defacements for propaganda”—usually by anti-war or animal-rights groups—“but they were child’s play, done really for bragging rights. A new line has been crossed here.”*
And the attack has had effects. Sony has canceled the film’s scheduled release due to terrorist threats against theaters (even though no evidence links the source of the threats to the source of the hacking). While a Seth Rogen comedy is an unlikely cause for a protest of principle, a case can be made that Sony’s submission to political pressure—especially pressure from a foreign source, especially if that source is Kim Jong-un—should be protested.
The precedent is disturbing. Thousands, maybe tens of thousands, of people in the world—ranging from military cyber officers to clever teenagers—have the means and talent to hack into corporate computers, especially those of arts and entertainment companies, which have never thought of themselves as cyberattack victims and have therefore never taken more than the most basic precautions. Will hackers now threaten to raid and expose the computer files of other studios, publishers, art museums, and record companies if their executives don’t cancel some other movie, book, exhibition, or album?
The Sony hack wasn’t the first instance of this new phenomenon.
Last February, Las Vegas Sands Corp.—which owns the Sands, Venetian, and Palazzo hotel-casinos—was hacked by Iranians, in revenge for a speech given by its CEO, Sheldon Adelson, calling for a nuclear attack on Iran.
Adelson may be a distasteful figure, but he has the right to express his views without having to worry about some anonymous techie from across the oceans wiping out his computer servers at a cost of $40 million in damages. (The damages from the Sony attack could total as much as $100 million.)
And there may have been more cyberattacks of this sort on who knows how many other companies. Adelson covered up the true scope and nature of the attack on his company until an article just this month in Bloomberg Businessweek revealed the full details. Dell SecureWorks, the firm Adelson hired to trace the intrusion, concluded that the “attack was in response to CEO comments regarding Iran.” Adelson had that line excised before releasing the report.
FireEye, one of the leading computer-security forensics companies, did the analysis for Sony and concluded that the hacker was an outfit called DarkSeoul, a frequent North Korean contractor, working from the Wi-Fi network at the St. Regis hotel in Bangkok. (North Korea, which has few indigenous resources to carry out high-powered cyber operations, is thought to do its extensive hackings through paid assets in China, Thailand, Singapore, and Syria.)
Should the U.S. government play some role in protesting this attack, taking retaliatory measures, or helping to prevent, trace, and repel such attacks in the future? In other words, is this a matter to be left to the private companies affected—or does it cross some line into the realm of diplomacy, national security, or (in the Sony case) a defense of American values?
The government and private industry—especially software, computer, and telecommunications companies—have been tossing around these questions for 30 years. The debate turned particularly fierce during Bill Clinton’s presidency. Clinton’s adviser on counter-terrorism and infrastructure-protection, Richard Clarke (who would later start a consulting firm on cyber security and write a book called Cyber War), argued for imposing mandatory security requirements on companies and utilities. Clinton’s economic advisers, as well as several CEOs, firmly resisted.
As a compromise, Clinton created ISACs, or “information sharing and analysis centers,” in which government agencies would help companies better secure their servers and networks. Presidents Bush and Obama strengthened these centers, but the arrangements remained voluntary—at the insistence of the private companies, which abhor regulation, and several civil liberties organizations, which are leery of any government intrusions into the Internet.
For the most part, these debates have involved the heads of “critical-infrastructure” enterprises—banks, telecommunications, energy, transportation, power lines, water works—as well as those of software and computer companies. These are the entities most likely to be hacked—and the entities whose hackings, if serious enough, could affect not just their own fortunes, but the economic well-being, and possibly the security, of the nation.
In some of these debates, the question of a “red line” has been discussed, though never resolved. If one bank gets seriously hacked, that’s the bank’s problem; there’s not much argument about that point. But what if two, three, four, or a dozen banks get seriously hacked? At what point does a problem of commercial risk become an issue of national defense?
Another problem in coming up with national policy on these issues is “attribution.” If a missile lands on American soil, its trajectory can be traced to the launch pad. If a server or network is crashed, the hacker’s signature can be traced, but it’s common for hackers to hijack other servers or hop from one platform to another. Sophisticated analysts—in the CIA, NSA, and a growing number of private computer-security companies—can usually track down the source, but it’s not a sure thing. North Korean spokesmen have praised, but denied involvement in, the Sony hacking. Even if President Obama were inclined to take some sort of action, would he do so without proof that Kim’s regime was the culprit? (As of early Wednesday evening, according to CNN, U.S. investigators have determined that hackers working for North Korea were behind the Sony attack. An announcement, on how the administration will pursue the matter, is expected Thursday.)
But what happens now, after the hacking of a major movie studio and hotel-casino chain, when it’s clear that every American enterprise might be hacked by foreigners—and when not just their assets, but their beliefs and public remarks might be the targets? (According to Bloomberg Businessweek, Adelson’s chain of hotels and casinos had five I.T. employees protecting 25,000 computers.)
It may be the dawn of a new age, but the glimmerings of this dawn lit up the sky decades ago, and those with the power and money to confront its challenges have evaded their responsibilities or been beaten down in their efforts. There never has been a serious debate about the issue’s costs, risks, benefits, and complexities. Maybe the unlikely pair of Sony Pictures and Sheldon Adelson will force the debate to happen now.
*Correction, Dec. 17, 2014: This post originally misidentified the name of Matt Devost’s company. It also misidentified Bob Gourley’s titles at Cognitio, and misspelled that company’s name.