It will be a long time, if ever, before the public sees Sony Pictures Entertainment’s movie “The Interview.” Instead, we’ve seen a preview of a new kind of warfare. Hackers allegedly backed by the impoverished, backward nation of North Korea have terrorized one of the world’s richest corporations into halting the release of the film, a comedy about a fictional plot to assassinate North Korean dictator Kim Jong-Un.
In a tweet, former US House speaker Newt Gingrich said, “With the Sony collapse America has lost its first cyberwar.”
If so, it’s a war that US corporations are woefully unprepared to fight.
The kind of data breach that exposed Sony to attack happens on corporate computer networks around the world every day of the year. And while there are tools to reduce the risk or minimize the effects of break-ins, far too few companies make use of them.
“Over 90 percent of the breaches last year could have been prevented if simple policies and procedures were put in place,” said Craig Spiezle, a former data security executive at Microsoft Corp. who now heads the Online Trust Alliance, a security consortium in Seattle.
Most online criminals are simply out for money, either stealing credit cards or holding sensitive corporate data for ransom. Political “hacktivists” like the online group Anonymous might leak sensitive information stolen from corporate or government computers, but they don’t spill blood.
But Sony fell prey to a bizarre hybrid of digital extortion and real-world terrorism, possibly financed by the world’s most insular and paranoid dictatorship. A group calling itself Guardians of Peace began by leaking embarrassing data stolen from Sony’s computers. This included gossip about movie stars like George Clooney, Angelina Jolie, and Denzel Washington, ensuring the leaks would end up on front pages worldwide.
Then came the group’s dramatic follow-up: a threat to carry out attacks on movie theaters that showed “The Interview.”
By itself, the hack might not have led Sony to cancel the “The Interview.” But when the group threatened mass murder, Sony took it more seriously, especially when large theater chains began refusing to show the film.
“The threat of the risk of harm, of physical injury, clearly took it to a whole new level,” Spiezle said.
The US government on Friday blamed North Korea for the threats and cyberattacks, and President Obama vowed the United States would retaliate.
Richard Kelsey, an assistant dean at George Mason University School of Law, called the Sony hack “an act of war,” requiring an aggressive response from the United States, probably in the form of severe economic sanctions.
“This is a new battlefield, and the North Koreans have just fired the first flare,” Kelsey said.
But Andy Sellars, a First Amendment fellow at the Berkman Center for Internet & Society at Harvard University, doubts we’ll see a similar incident anytime soon.
“To me, it feels much more like a one-off,” Sellars said. “To me, I think it’s an exceptional case under exceptional circumstances.”
The United States might already have gone to cyberwar in 2010 by allegedly using Stuxnet, an attack program that damages computer-controlled industrial machinery. The government of Iran said Stuxnet infected hundreds of centrifuges that were being used to enrich uranium for use in nuclear reactors. Cybersecurity analysts believe Stuxnet was developed jointly by the United States and Israel to cripple the Iranian nuclear program, but neither government has acknowledged any involvement.
Another case involved the conflict between Russia and Georgia. Before Russia invaded the former Soviet republic in 2008, banks and government agencies in Georgia were knocked offline by cyberattacks that were linked to Russian mobsters, according to news accounts at the time. The government of Georgia accused Russia of engaging in cyberwarfare, which Russia denied.
But if true, it would have been the first military invasion in history to feature an attack on the targeted country’s Internet services and perhaps was a harbinger of future armed conflicts.
Internet-connected companies remain highly vulnerable to attack, whether from criminals or angry despots. Indeed, experts say that any corporate network that plugs into the Internet is bound to be compromised.
“There are only two kinds of organizations in the world,” said Stuart Madnick, professor of information technologies at the MIT Sloan School of Management in Cambridge. “Those that have been hacked and those who don’t know they have been hacked.”
Security companies said the Sony hack has alarmed corporate customers.
“We’ve been flooded, inundated from businesses of every size,” said Nathan Hecht, founder of Dstrux, a New York-based company that offers secure e-mails. “Just since the Sony hack, we’ve seen a dramatic increase in users signing up.”