Sony hack is serious
After nearly three weeks of embarrassing leaks involving business correspondence and personal data, Sony Pictures Entertainment announced on Wednesday it would not go ahead with its planned Christmas Day release of “The Interview,” a fictitious comedy that depicts an assassination plot against the leader of the North Korean regime.
For Sony, it was a decision the company had hoped would start the end of a massive headache, one that has severely impacted its business operations and connected its brand name with one of the largest cybersecurity breaches against a private corporation in history.
The decision not to release “The Interview” as planned has brought mixed reaction: Everyone, from Hollywood to Washington, seems to have an opinion as to what Sony should have — or should not have — done in response to the compromise.
On Friday, the Federal Bureau of Investigation announced it had singled out North Korea as the instigator of the attack, something that had been rumored since late November when a shadowy group calling itself the “Guardians of Peace” began leaking intimate data from Sony’s computer network. So far, no one has been specifically singled out as the cyber assailant, but federal investigators seem confident that North Korea had some involvement due to the types of malware used in the attack as well as a pattern of behavior that rings similar to past hacks that were blamed on the regime.
The attack was the dominant topic at U.S. President Barack Obama’s year-end press briefing on Friday, with journalists inquiring more about Sony and “The Interview” than on diplomatic relations with Cuba, race in America or even the recently-released Senate brief on CIA torture. Obama seemed almost happy to oblige those questions, telling reporters that he felt Sony had made “a mistake” by announcing the postponement of “The Interview,” suggesting it set a precedent as to how companies might respond if similar attacks occurred in the future.
“We cannot have a society in which some dictator someplace can start imposing censorship here in the United States,” Obama said. “If somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like.
“I wish they had spoken to me first,” Obama earnestly said. “I would have told them, do not get into a pattern in which you’re intimidated by these kinds of criminal attacks.”
Sony’s chief executive denied the company surrendered to hackers, saying the press had been mistaken in reporting that the company had taken a hard stance against a future release for “The Interview” (a spokesperson told Variety on Wednesday that the studio had “no further plans” to release the movie, but stopped short of saying it would never release the film). Sony CEO Michael Lynton, whose own corporate e-mails were leaked by hackers early last week, said the company is actively pursuing other platforms on which to release the film — but doing so requires the cooperation of third parties.
“To date, we don’t have any takers — neither on the video demand side nor on the e-commerce side,” Lynton said. “People have been generally fearful about the possibility of their systems being corrupted, and so there have been a lot of conversations about the robustness of various systems to be able to make sure they’re not hacked, if and when we put the movie out digitally.” (On Sunday, the New York Post reported that Sony is exploring the possibility of giving the movie away for free on its streaming video service Crackle, although the company has yet to confirm this itself.)
What should Sony do now?
One reason companies have shied from extending a hand to Sony is because they, too, are concerned that their digital world could become a target for a hacker or hackers bent on wreaking havoc and causing mayhem. Their reaction is indicative of a corporate culture where, like Sony, cybersecurity is presented as an afterthought — something that is prioritized after a compromise, not before.
In 2005, Sony’s then-executive director of security information told an auditor that it was not worth spending “$10 million (in resources) to avoid a possible $1 million loss.” Since then, Sony has found itself the target of disruptive online campaigns four times, with the Sony Pictures compromise being the worst by far. Sony’s failure to invest in resources that could have prevented such an attack could now cost it up to $200 million (it’s worth noting the executive who made those comments in 2005 still works at the company today).
Sony isn’t alone — many large companies in America and around the world are in the same position, even if they don’t realize it. Many only do realize it after it’s too late — if they’re lucky, the hassle will be something minimal like having hackers steal social media credentials or modifying a news article, something easily remedied by adapting some extra security measures like not sharing passwords via e-mail and enabling two-step authentication where it’s offered.
If a company is unlucky, it has an experience similar to what Sony is going through — the theft of a trove of sensitive personal and business data, the leaking of which has consequences that reach far beyond the studio’s lot in Hollywood.
It is very easy for high-ranking politicians, movie critics and Twitter pundits to weigh in on what Sony should or shouldn’t have done following the breach. Was it correct to postpone the movie, or was it cowardice? By postponing the film, did Sony cave to the will of hackers, or was it trying to mitigate further damage to its employees and its brand? Is the company setting a dangerous precedent, sending a message to hackers that they gain the upper hand if they seek to inflict maximum damage?
Read more: FAILED $850 MILLION EXTORTION, FAKE SWEDISH “MODEL” FLED AMERICA…
Sony finds itself in an awkward position. On the one hand, it seeks to cater to moviegoers who desire to see the film released (and there are, no doubt, more of them now than before the hack — you can’t buy that kind of publicity). On the other hand, they recognize that hackers have the upper hand here, and they don’t want to poke the bear any further (perhaps I should note here that several current and former employees have filed civil lawsuits against Sony alleging the company was reckless with their personal information). What should Sony do now? Nobody really knows — it’s the kind of advice you can’t really offer if you’ve never experienced it before.
Computers and computer networks are, by their very nature, designed to be open. The Internet was intended to be a system that fostered cooperation and collaboration between machines and individuals — it was not envisioned to be a service that kept communications and financial transactions secure and secret. Over time, people have introduced some pretty great techniques and mechanisms that have paved the way for things like e-mail and e-commerce. But these safeguards only work moderately well — they can never be 100 percent guaranteed to protect someone’s privileged messages or credit card data.
That’s not to give Sony a free pass here: When any group makes a decision to use a computer network to store sensitive personal and business data, they are responsible for ensuring that data is secure to the absolute best of their ability. Sony didn’t do that, and now it’s facing the consequences that comes with it. Hopefully what happens to Sony serves as a wake-up call for the thousands of other large companies that are in the same position.
Read more: BURNED: SWEDISH PARTY GIRL SWIMS IN CRIMINAL HOT WATER?
But if history is any indication, it probably won’t.