If the first indication that you have been hacked is your screens going blank or displaying an attacker’s message you are in real trouble. Another indicator that your organization does not understand cyber security is a call from the FBI to inform you that you are the source of a massive credit card theft. Both cases are becoming all too common.
Last year’s holiday shopping crime spree against Target had a remarkably positive effect on boardroom awareness of the consequences of having inadequate cyber defenses. However, I hate to report that I have recently heard the sentiment expressed from several CISOs that because they are not in retail they are not too concerned about the Target breach. This is the old refrain “I don’t have anything worth targeting.”
It is a failing of the pervasive Risk Management thinking to attempt to rank potential targets based on their value. Unfortunately it is impossible to get inside the heads of the broad spectrum of attackers. That thinking is revealing itself now as the United States grapples with a devastating attack against Sony. A foreign owned movie studio does not fall into any of the 16 sectors identified as critical infrastructure. It is not a power grid, or a transportation network, or even a national monument.
The one positive aspect of the Sony breach and destruction is that it will strike fear into the heart of all executives at large enterprises. A reported 100 terabytes of data has been stolen and is being selectively leaked. Embarrassing emails, results of a security audit from PwC, unreleased movies, and more to come, are details that will be hard to categorize as “not my problem.”
The security industry is frustrated because of the lack of hard information forthcoming. Debate is raging over whether it was a disgruntled insider or truly instigated by North Korea. Supposed official sources are indicating that US intel has evidence that it was indeed the DPRK.
The most devastating result of the Sony breach is Sony’s capitulation to the attackers. Everyone knows that giving in to blackmail or extortion puts a big target on your back. Was Sony really concerned about liability in the face of weak and unsupported threats of violence against theatergoers? Or do the attackers have damning email exchanges that Sony executives would do anything to keep out of the public domain? What organization, be it political or commercial, could survive having its most private communications exposed to scrutiny?
Cyber blackmail for monetary gain is hard. We have lots of history in the field of DDoS against online gaming sites. Carrying through on a threat is easy with denial of service attacks. But getting payment to the attackers inevitably creates a money trail that leads to their prosecution. Blackmail for political gain is a lot easier. A breach followed by a threat of exposure unless some action is taken represents a chilling new development.
The only way to fight blackmail is to not give in. Sony has failed in this. But it is not too late. They could still open The Interview on schedule in theaters around the world. I for one will go to see it opening day. They can release it on DVD world wide, making sure the Korean language version is available. Sony may have to beef up its security a bit before releasing it online but that should be a top priority. They could even announce the beginning of filming of a documentary of the human rights abuses in North Korea. A docudrama of the life of Kim Jong Un might be well received.
According to multiple news sources the US is considering a proportional response to the Sony hack. This would be ill advised. This is all Sony’s fault. Let them handle it.