The Sony hack and its larger implications for cybersecurity
The FBI on Friday officially linked the cyber attack against Sony Pictures Entertainment to the government of North Korea.
Forensic analysis of the November attack, which destroyed thousands of Sony computers, stole large quantities of personal and proprietary financial data, and forced the company to cancel the release of a movie, shows that the infrastructure and malware used in the attack can be linked to other incidents carried out by North Korean hackers, including last year’s attack against South Korean banks and media companies.
“For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” the FBI said in a statement released Friday. The FBI also discovered “several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack,” the statement said.
“North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt — whether through cyber-enabled means, threats of violence, or otherwise — to undermine the economic and social prosperity of our citizens,” the FBI said.
Does the Sony example matter?
President Barack Obama said Friday the U.S. “will respond proportionally” to the attack, but that Sony had “made a mistake” by pulling the movie. “I wish they would have spoken to me first,” Obama said during a press conference.
Obama made a clear connection between the impact of the attack on Sony and what other attackers could attempt to do in the future by targeting critical infrastructure. Future attacks are a certainty, Obama said. “They’re going to be costly. They’re going to be serious,” he said. “We cannot have a society in which some dictator some place can start imposing censorship on the United States.”
There is a legitimate debate taking place as to the broader implications of the Sony hack. Some experts look at the attack on Sony as a watershed moment in national cybersecurity policy, not because of its success in blocking the release of a goofball comedy or because George Clooney is worried about the chilling effect it might have on Hollywood’s willingness to take on controversial topics, but because of what it may portend for the future of critical infrastructure protection.
But others, like Christopher Budd, global threat communications manager at Trend Micro Inc., view the Sony attacks as largely irrelevant to critical infrastructure protection.
“What happened to Sony is basically cyber vandalism on steroids,” Budd said in an interview with FedScoop. “We’ve had concerns [about critical infrastructure cybersecurity] long before the Sony event. In that regard, it’s almost irrelevant. What we’re really concerned about is determined attackers focused on destruction.”
There’s little doubt as to the financial influence that Sony wields in Hollywood. There’s also little doubt that by caving in to the hackers’ demands and canceling the release of “The Interview,” Sony has allowed a foreign force to change the rules governing free speech in America. But Sony is not critical infrastructure. Americans do not depend on Sony for electric power, drinking water, emergency communications, banking and financial transactions, government services, or transportation. Sony is just another large company with poor cybersecurity.
So why should policymakers care? The reality is that while Sony has suffered from multiple security breaches during the past several years, this latest incident demonstrates the ability of well-funded cyber attackers to target private sector entities with overwhelming digital force and leverage their intrusion to coerce their victims to take actions that undermine American social and financial stability.
Kevin Mandia, founder of the security firm Mandiant — which was hired by Sony to help investigate the breach — described the attack as “unprecedented in nature” and an “unparalleled crime,” according to an internal memo leaked to reporters. Not only was the attack undetectable by existing security systems, but it was of such sophistication that “neither SPE nor other companies could have been fully prepared,” Mandia wrote.
Such well-planned, well-funded, destructive attacks no longer seem to be the exception. This should raise serious concerns about the current state of cybersecurity among the private sector companies that own and operate U.S. critical infrastructure. These companies, including electric power grid operators and others, have been shown to be riddled with security vulnerabilities, many of which have been similar to those exploited in the Sony attack — weak passwords, vulnerable administrator accounts and a lack of defense-in-depth protections to provide a buffer between critical systems and the public Internet.
The electric power grid and other industrial processes around the country rely upon supervisory control and data acquisition (SCADA) systems. These are the systems, including real-time programmable logic controllers, that manage the actual flow of electricity and natural gas and perform other critical functions in other industries, such as chemical processing, water purification and delivery, wastewater management, and manufacturing. Control, disruption or alteration of critical commands, instructions and monitoring functions performed by these systems can be an issue of regional and possibly national security.
And that could raise the bar for cyber extortion attacks in the future. Although extortion is not new to the cybersecurity arena, the rise of politically motivated cyber extortion is new, Budd said. For now, however, “Sony is a good example of what it means to truly own a network,” Budd said.
“In this interconnected digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector,” Obama said, adding that the first priority of the administration is to work with industry to improve information sharing and prevention strategies. “We’ve been coordinating with the private sector, but a lot more needs to be done. We’re not even close to where we need to be.”