Sony Pictures experienced what many are calling the most devastating cyber attack to date, disrupting a movie release, knocking its corporate systems offline for weeks, threatening its distribution channels with terroristic threats of mass violence, and ultimately costing Amy Pascal, Sony Pictures Co-Chairman, her job. Throw in the nation-state component and how the attack played out in a very public way, and I see the Sony Pictures hack as a seminal security event that will forever change the way we view cybersecurity.
Aside from spending the better part of the holidays responding to concerned parties on the topic, after reflecting on the situation, I feel even more strongly that the Sony hack changes everything. Here’s why:
1. Company survival is now a central concern for companies dealing with cybersecurity risk. The nature of attacks has evolved immensely from the earliest days when attackers would compromise a company’s web server and deface its website. That type of attack was the equivalent of a graffiti artist tagging the corporate sign outside its headquarters – embarrassing, not terribly disruptive, and not impactful. Then companies began to experience full-blown data breaches where attackers would steal sensitive customer data in order to clone credit cards or steal identities. Many, if not most, of the current breach stories focus on that scenario.
In contrast, the Sony attack was much more serious. Sony Pictures’ systems were knocked offline for several weeks during the holiday season. Embarrassing emails and pre-release feature films were dumped online, but the most serious part of this attack was that Sony Pictures didn’t have email, had neither control of nor confidence in its systems, and for days didn’t have a true understanding of how far-reaching the break-in was, nor how long it would take to recover. Like the 2012 Saudi Aramco attack, computers throughout the company were unusable and the company was not operating as a going concern for several days. This attack hit their bottom line in a major way, arguably having a material impact on their financial numbers and confidence in their ability to operate. That may have ultimately cost executives their jobs.
2. Cybersecurity risk is squarely a board and CEO issue. As a result of this pervasive and devastating attack, combined with other breaches, cybersecurity is no longer a CIO problem, but now a CEO and board-level problem, given the potential for business disruption. Boards and executives are going to have to deal with cybersecurity risk like they do with legal, regulatory, geopolitical, or labor risk. It has to be central to the way business leaders think, and a planning consideration for those keeping sensitive information or transacting commerce online. For example, when energy companies consider capital-intensive exploration projects in less-than-friendly countries like Venezuela or Russia, they factor in geopolitical risk and the “friction” of interacting with that country, as well as how they intend to get their product and profits safely out of the country. CEOs must have the same view of the digital realm, working with the CIO and Chief Information Security Officer, to better understand the risk.
3. A sophisticated cyber attack combined with a credible terrorism threat is a new hybrid. The sophisticated attack against Sony Pictures, combined with the direct threat of violence to any of the movie theaters that showed the movie, was a seminal event. This led directly to two outcomes. First, the four major theater chains, no doubt on advice of counsel, decided not to show the movie on Christmas Day, effectively banning the movie from nearly 20,000 movie screens in North America. Second, Sony followed suit by dropping the film themselves, hustling behind the scenes to distribute the movie via streaming sites and other non-theater based channels.
Evoking 9/11, the attackers caused a major studio and its distributors to stop a release midstream after a vague threat. This lowers the bar for similar hybrid attacks. The Sony Pictures attack was sophisticated, but the ability of the North Koreans, or whoever was actually responsible, to follow through on threats of physical violence was questionable. However, if a more credible threat, say ISIS, began a Distributed Denial of Service (DDoS) attack against US targets (which is arguably much easier to initiate than the type of attack launched against Sony) and then tweeted they were going to conduct terrorist attacks in the physical realm against those same targets, one can only imagine the impact. Are we as a society prepared for such a threat? How would we deal with it?
4. We are more susceptible to this attack, and have few options to respond. Do an image search for “North Korea at night” to see that there are few options for the United States to retaliate in kind if, in fact, North Korea was the source of the Sony Pictures attack. There is no Sony Pictures equivalent in North Korea to shut down -- no Viacom, no NBC Universal, no Walt Disney Corporation -- just the Korean Central News Agency, whose prolific propaganda publishing is entertaining but not economically important. By the way, the film industry has a disproportionate effect on how the US is perceived internationally. “The Interview” notwithstanding, Hollywood has huge influence around the globe, so any effort to disrupt US entertainment and media industries has a leveraged effect.
5. Cybersecurity insurance and its coverage just got more expensive. To date, cybersecurity insurance has focused on covering the risk of data loss, including the cost to notify clients whose data was lost during a breach. The focus has been on that facet of cybersecurity risk, not total business interruption or full-blown disaster recovery. Sony Pictures probably changed the expected loss number, which will likely have a ripple effect across the industry, driving up cybersecurity insurance premiums.
6. Business executives are now much more aware of cybersecurity risks. Sony Pictures ups the ante even further, making cybersecurity a CEO concern -- not something buried in the bowels of information technology departments. Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently, which will make their organizations more resilient to the risk of sophisticated attackers, or at least better prepared when they experience a full-blown cybersecurity failure.