Sony Baloney

Hack at Sony Pictures exposes other cybersecurity issues: ignorance, hype, and the lack of a national and international strategy.

As an information security analyst, I’ve been following the cyberattack details at Sony Pictures for some time now, just as I followed other events (e.g. Home Depot, JP Morgan Chase, Staples, UPS, etc.) earlier this year.

Yup, each of these events received its fair share of publicity, but nowhere near the amount of press that Sony is getting. Maybe it’s the Hollywood angle, maybe it’s the intrigue of geopolitical tensions between the U.S. and North Korea, or maybe it’s the general impression that this hack is juxtaposed to our First Amendment rights. Whatever the reason, it’s big. I participated in a webinar yesterday with security guru Bruce Schneier (CTO of Co3), focused on security predictions for 2015. The Sony Pictures cyberattack dominated the conversation, and we both agreed that we could have discussed it for hours more.

Now, in some ways, all of the Sony Pictures attention is good, as it shines a spotlight on cybersecurity issues to an unprecedented degree. I guess when Hollywood is involved, you are bound to get the paparazzi effect. That said, the Sony hack has ignited a new level of cybersecurity hype bordering on hysteria. The mainstream media is approaching the Sony hack with a naïve perspective and bellicose rhetoric simultaneously.

CNN has been actively fanning the cyberwar hyperbole flames over the past few days. I tuned into The Situation Room last night and there was anchor Wolf Blitzer (with a panel of “experts”) hyping this event as an act of cyberterrorism in its headlines and discussions. Cyberterrorism? Really? This label was totally irresponsible on CNN’s part, as it creates a misguided connection to 9/11 or the Boston Marathon bombing. In my view, this attack should be reported as hacktivism. The HBGary Federal attack in 2011 is the closest comp, as both attacks leaked thousands of documents and caused severe embarrassment and damage to each company.

CNN wasn’t finished, however. It went on to discuss how the Sony Pictures attack threatened our national security. Huh? Maybe it’s me, but I don’t see how Sony’s woes have anything in common with a kinetic attack. A cyberattack on the U.S. power grid = national security. Learning that James Franco was paid $6,000 to drive himself to the studio? Not national security. 

Finally, CNN asked a number of panelists inane rhetorical questions like, “are other organizations vulnerable to this type of attack?” Speaking for the cybersecurity community, the answer is a resounding “yes,” and we’ve been preaching this message to CNN and anyone else who would listen for the past 15 to 20 years. I would point CNN to the Moonlight Maze incident (1998), The PBS Frontline: Cyberwar episode from 2003, or Richard Clarke’s 2010 book Cyberwar for more details. 

A few last points about the Sony Pictures attack:

  1. In my humble opinion, CNN and other media outlets have given Sony Pictures a free pass, and that too is irresponsible. Sony could have made The Interview about a fictitious country, but it chose to disregard the risk of alienating North Korea and make this farcical movie a personal and cultural affront. And let’s not forget that it appears that Sony’s information security processes and controls were atrocious, making this event far more damaging than it needed to be. Sony’s naiveté and sloppiness have caused an international incident, and it should be held accountable for this.
  2. We have to be careful about looking at the world through American eyes. In the U.S., anything is fair game for comedy, but in North Korea, you don’t joke around about killing the political leader. We have different cultures and we should respect that. We may not agree or like this, but we shouldn’t be surprised when our myopic cultural decisions alienate others.
  3. The scariest attack of 2014 was at JP Morgan Chase and not Sony Pictures.
  4. I think it’s best to keep Hollywood out of any national security decision. Theater owners made a risk management decision to eschew The Interview, leading Sony to pull the picture. So this was a business decision and not an assault on our First Amendment rights. I have the right to walk up to Mike Tyson and insult him, but I wouldn’t do that, for the sake of my own safety.
  5. My fear is that Washington will overreact to this event with saber rattling, a commitment to more offensive cyberwar tactics, and the promise of heavy-handed cybersecurity legislation. Wrong, wrong, and wrong. So, what’s needed? A cybersecurity Geneva Convention led by China, Russia, the U.S. and others (France, Germany, Israel, Japan, South Korea, etc.). Cyberattacks embody asymmetric warfare as they can be conducted from anywhere by anyone (cybercriminals, nation states, or loosely coupled cabals) and the U.S. is extremely vulnerable to these kinds of attacks. We need some established global guidelines before this thing gets even more out-of-hand. 

Copyright © 2014 IDG Communications, Inc.