The Sony Pictures hack is important, and the Sony Pictures hack is terrifying.
In a series of cyberattacks that were first noticed on Nov. 24, a mysterious group calling itself the Guardians of Peace stole and subsequently leaked personal and medical information from every Sony Pictures employee, revealed scads of confidential internal information, left the company technologically crippled, and issued vague demands that “our request be met.” That last one increasingly appears to center on The Interview, a James Franco–Seth Rogen comedy about killing North Korean leader Kim Jong-un, which Sony is now offering theaters the choice of not showing. (As of today, the four largest movie-theater chains say they won’t screen the movie. Update, Dec. 17, 5:06 p.m.: After those exhibitors decided not to show The Interview, Sony Pictures announced that it had “decided not to move forward with the planned December 25 theatrical release.”) We don’t yet know exactly who is behind this cyberassault. (Update, Dec. 17, 7:52 p.m.: The New York Times is now reporting that “American intelligence officials have concluded that the North Korean government was ‘centrally involved’ in the recent attacks.”) What’s clear, however, is that it represents a wake-up call that’s been coming for a long time.
The Sony hack isn’t important because of its technological sophistication, which is impressive but probably not particularly innovative. While neither Sony nor the FBI has released the exact details, so far there is little to suggest that this was some brilliant, unprecedented maneuver on the order of the NSA’s still-astounding StuxNet, a virus which managed to sneak its way into the isolated nuclear facilities of Iran and sabotage them. What’s remarkable is the sheer destruction leveled at Sony and its employees. For perhaps the first time, a major American company really did suffer a worst-case cyberassault scenario.
As someone who suffered through and reviled the hysteria of the post-9/11 era, I want to stress that most hackers, from script kiddies to the members of Anonymous, are not terrorists. The Guardians of Peace are different. With yesterday’s threat of violence against theaters showing The Interview—“The world will be full of fear. Remember the 11th of September 2001.”—I don’t know what else to call them.
Consider most of the high-profile hacks of recent years, like the theft of millions of credit card numbers from Target, or The Fappening’s stolen celebrity nudes from Apple accounts, or, indeed, the theft of 77 million Sony PlayStation accounts in 2011. All of these were costly, damaging thefts of private information, but they were fundamentally thefts. Not this time. While tabloid rags are salivating over the juicy Hollywood gossip and Aaron Sorkin is writing impassioned polemics against revealing stolen information, these hackers, whoever they are, genuinely do deserve to be termed cyberterrorists. Many attacks are for financial gain or revelation of valuable or salacious information. The latter is a factor here, but the overriding aim seems to have been to damage Sony Pictures and its employees to the point at which they could barely even function. To my knowledge, there has never before been a cyberattack of this scale. The Guardians of Peace didn’t just steal 100 TB (an ungodly amount) of sensitive data, they also used “wiper malware” to more or less destroy Sony’s internal systems, leaving its entire infrastructure crippled. Just consider what Kevin Roose of Fusion has reported:
Sony Pictures’ network subsequently went down for two days, forcing employees to use personal e-mail accounts, work from home, and in some cases, resort to paper and pencil to do their work … “It’s just business as usual, if the year was 2002,” one Sony TV staffer wrote to me in a Facebook message. “[There are] lots of PAs having to run jump-drives back and forth all over the place, and hand delivering hard copies of files and scripts.”
Or what another insider told the Wrap: “Every PC in the company is useless and all of the content files have either been stolen or destroyed or locked away. … The IT department has absolutely no idea what hit them.” Since Sony’s security “department” is apparently the Three Musketeers plus managerial overhead —“Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president,” according to Fusion—I don’t blame them, though I do blame Sony Pictures. The studio’s security appears to be little better than Sony Playstation’s was in 2011, and probably worse.
This is the real story. Sony Pictures’ systems were not just compromised but obliterated, with the company now sent back to what’s comparably the technological Stone Age. Because of the centrality of IT infrastructure to every aspect of a company’s functions, it’s not even clear whether Sony has the ability to pay people accurately at the moment, as its payroll system has been reportedly destroyed. In this, the attack resembles two other wiper incidents, as reported by Kaspersky’s Kurt Baumgartner: the 2012 “Shamoon” attack against Saudi Aramco, and the 2013 DarkSeoul attacks against South Korean banks and broadcasters. Those events skirted the line of cyberterrorism without quite crossing it. And while this attack is particularly damaging to Sony’s rank and file, the hack itself poses no threat to people’s lives or critical infrastructure. But by so effectively creating a climate of fear and making threats of actual violence, the Guardians of Peace have raised the specter of genuine cyberterroristic acts to come. These acts aren’t scary because they’re ingenious, but because they could be easily replicated by anyone with the right resources and enough malice.
Sony, in contrast, has played up the technical sophistication of the attack, which is both an overstatement and a distraction. FBI Assistant Director James Demarest said that 90 percent of systems couldn’t have withstood the Guardians of Peace’s attack, but that’s not really saying much. As we’ve seen in so many cases, the average state of cybersecurity is rather weak. I take Demarest’s number to mean that Google, Apple, Microsoft, the federal government, and other companies with serious security expertise could have easily withstood the attack, but companies closer to the average haven’t yet insulated themselves against whatever particular vectors the Guardians used to compromise Sony. That’s the scary part: In terms of security, Sony Pictures wasn’t terrible, but just average. It’s likely that comparable amounts of damage could have been inflicted on many companies via the same vectors of attack.
That doesn’t mean we should panic. Again, a good security system could have prevented the hack, but, compared to most previous attacks, this is a whole new ballgame. It’s not about money or humiliation. It’s about fear and wanton destruction, possibly with the intent of causing Sony and others to accede to the demand to “Stop immediately showing the movie of terrorism.” The threat of the Guardians is serious, and they herald a world in which a bad security story may not just mean the loss of user trust and revenue, but the obliteration of a company’s ability to function. So as the media fiddles while Sony burns, wallowing in the stolen emails and pointing fingers, there’s much we all need to learn about our own security vulnerabilities and longstanding inadequacies. We need to do it now.