Forget the Gossip, These Are the Lessons of the Sony Hack
When considering the Sony Pictures megahack, try to focus not on producer Scott Rudin’s disdain for Angelina Jolie or studio head Amy Pascal’s racially offensive banter about President Obama’s imagined taste in movies. Instead, focus on the prescience of George Clooney, who on Sept. 5, 2014, typed into the subject line of a message to Pascal: “Knowing this e-mail is being hacked.” Sure enough, it was.
Discussing in salty language his plans to direct a film about the 2011 Rupert Murdoch-News of the World phone hacking scandal, Clooney alluded to the state of digital insecurity. His awareness of the issue brings to mind the IT department gallows humor that there are two kinds of corporations: those that have been hacked and those that don’t yet know they’ve been hacked.
In the past year alone, the list of victims includes retailers Target and Home Depot, giant hospital operator Community Health Systems, and JPMorgan Chase, the nation’s largest bank. On the governmental side, the White House, State Department, Postal Service, and National Oceanic and Atmospheric Administration have been hit since October. Going back to 2013, a slender young man named Edward Snowden did some serious damage at the normally security-conscious National Security Agency.
Will the Sony debacle provide the alarm the U.S. needs to rethink computer security from scratch? Alas, the guilty pleasures of Hollywood schadenfreude—ooh, did you see how they dissed Adam Sandler and paid Jennifer Lawrence less than her male co-stars?—may prove too distracting. Sony itself is oscillating between repentance and recalcitrance. Still, some lasting meaning can be found in the mayhem.
By late November, miscreants calling themselves Guardians of Peace penetrated the servers of Sony Corp.’s Culver City (Calif.)-based movie arm. The intruders demanded that Sony cancel the Christmas release of The Interview, a comedy starring Seth Rogen and James Franco as tabloid TV goofballs dispatched by the CIA to assassinate North Korean dictator Kim Jong Un. The perpetrators also warned moviegoers on the website Pastebin.com to “keep yourself distant” from The Interview. “Remember the 11th of September.” On Dec. 17, Sony pulled the movie from theaters.
Pyongyang applauded the cyber attack while denying involvement. Investigators have identified software similarities between the Korean-language malware used in the hack and a presumed North Korean digital assault on South Korean banks and broadcasters last year. The New York Times and NBC News reported that U.S. officials say North Korea was behind the hack.
Guardians of Peace have dumped scores of gigabytes of data containing movie-star e-mails, still-secret deals, payroll information, released and unreleased films, employee medical records, Social Security numbers, and even aliases actors use when checking into hotels.
The lessons go well beyond Tom Hanks’s aka, “Johnny Madrid,” which he presumably has retired. Despite the proliferation of red-flashing warning signals, some companies, including Sony, seem to be asking for digital abuse. For several years, hackers have repeatedly disrupted Sony’s popular PlayStation gaming network, with a reportedly Russian-based group calling itself Lizard Squad taking credit as recently as early December.
“What this shows you is that the IT guys tell the board and top management they’ve got the problem under control, and everybody goes back to business as usual,” says Adam Epstein, a corporate consultant with Third Creek Advisors in Danville, Calif. “The weaknesses you see at Sony and other companies, large and small, can’t be fixed by installing one more fire wall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging.”
The malware used against Sony Pictures “would have gotten past 90 percent of the net defenses out there today in private industry,” Joseph Demarest, assistant director of the FBI’s cyber division, told the Senate Banking Committee on Dec. 10. Sony nevertheless made itself especially vulnerable once the intruders got in. The website Fusion reported that those celebrity aliases and other personal data were stored in a folder titled “publicity bibles.” Computer passwords were compiled in a document invitingly called “passwords,” and so forth. (Bloomberg News reported that in late 2013, unidentified hackers also broke into the company’s network, taking information and covering their tracks on a regular schedule.)
Assuming that hostile outsiders will get across the moat and penetrate the castle walls, companies have to do a better job of concealing the crown jewels. Some of this requires technology. When Snowden revealed that the NSA might be snooping on search engine data flows, Google and Yahoo! added layers of encryption to protect internal traffic from prying eyes. Equally important are strategies that don’t require a computer science Ph.D.
Sony’s most valuable material—contracts with actors, directors, and investors; intellectual property such as unreleased films and scripts—ought to have been isolated from central data-storage systems connected to the Internet, making it harder to find, Epstein says. This requires essentially nontechnical decisions to invest manpower and money to transform the castle into more of a labyrinth.
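The practical point Epstein is making is that a company should know where its credential files and identifiable personal data sit on shared storage before an intruder does, and then move that material off systems reachable from the Internet. As an added illustration (not code from the article, from Sony, or from any of the people quoted), the Python below audits a directory tree for the two patterns the article describes: files whose names advertise their contents ("passwords") and files whose contents contain credential lines or Social Security numbers. The directory layout, file names and values are constructed for this example and are not real Sony data.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Filename fragments that suggest a file is a credential or PII store.
SENSITIVE_NAME_PATTERNS = [
    re.compile(r"password", re.I),
    re.compile(r"credential", re.I),
    re.compile(r"\bssn\b", re.I),
]
# Conservative shape for a US Social Security number (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# A "password: ..." / "pwd = ..." style line, any case, anywhere in the file.
CRED_LINE_RE = re.compile(r"^\s*(password|passwd|pwd)\s*[:=]\s*\S+", re.I | re.M)


def scan_tree(root):
    """Walk `root` and return sorted (relative_path, [reasons]) for files that look
    like they hold credentials or identifiable personal data on a shared store."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if any(p.search(path.name) for p in SENSITIVE_NAME_PATTERNS):
            reasons.append("sensitive filename")
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        if SSN_RE.search(text):
            reasons.append("SSN-shaped data")
        if CRED_LINE_RE.search(text):
            reasons.append("plaintext credential line")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


# Constructed sample share mirroring the hoarding pattern the article describes;
# none of these names, paths or contents come from Sony's real systems.
SAMPLE_FILES = {
    "hr/publicity bibles.txt": "Talent hotel aliases and contacts\nAlias: Example Alias\n",
    "it/passwords.txt": "password: CHANGEME-example\nservice: build-server\n",
    "hr/benefits/claims.csv": "name,ssn,claim\nJane Doe,123-45-6789,denied\n",
    "marketing/schedule.txt": "Release calendar Q1\n",
}


def build_sample_share(files=SAMPLE_FILES):
    """Create a throwaway directory tree populated from `files`; caller removes it."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Build the sample share, audit it, clean up, and return the findings."""
    root = build_sample_share()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run against the constructed share, the audit flags the "passwords" file (by name and by its credential line) and the benefits export (by the SSN-shaped value), but it does not flag "publicity bibles.txt", whose aliases look like ordinary text. That miss is the caveat: name and pattern heuristics find only the obvious material, which is why the durable fix the article argues for is having business owners classify the crown jewels and isolate them, not relying on discovery scans alone.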
Sony executives appear to be resisting hard realities. Pascal has apologized repeatedly for her faux pas, but she’s still showing a certain obtuseness about culpability. “I don’t think that anybody thinks that this was anyone’s fault who works here, and I think continuity and support and going forward is what’s important now,” she said on Dec. 12.
The reality is pretty much the opposite: There’s plenty of fault to be found within Sony, the blame ought to be shared at the highest levels, and what’s needed is not continuity but dramatic change. The firing of IT personnel, while maybe inevitable, would be only a first step, says Laura Martin, a media analyst with Needham. Target’s chief executive officer, Gregg Steinhafel, resigned in May after Target’s devastating data breach.
For the moment, Sony seems consumed with damage control. The tech websites Re/code and Ars Technica reported that the studio is distributing fake versions of pilfered files to try to frustrate potential consumers of the hackers’ booty. Sony also hired the prominent attorney David Boies to send stern letters to news outlets, including Bloomberg News, requesting the destruction of the hacked material. In the Dec. 14 letter, Boies warned that if media companies failed to comply and continued to publish “stolen information,” Sony “will have no choice but to hold you responsible for any damage or loss.”
“Does Sony have a legal leg to stand on? Probably not, at least as to most of the information that media outlets would want to publish,” Eugene Volokh, a First Amendment scholar at UCLA School of Law, wrote on his blog.
Liability could cut in several directions. Plaintiffs’ lawyers are already happily reminding Sony that it will have to come to grips with its errors. On Dec. 16 two former employees sued the company, claiming it did not sufficiently secure their personal information. Stuart Karle, a media lawyer in New York and former chief operating officer of Reuters News, identifies several potential legal hazards. Just last summer, Sony settled a consumer-privacy class action related to a PlayStation breach. In the movie studio episode, hackers grabbed detailed and identifiable health information for some Sony employees: names, diagnoses, insurance disputes, and the like. That Sony’s human resources department didn’t do a better job of disguising this data “seems troubling,” Karle says.
Lawyers organizing prospective shareholder class actions against Sony management have received a trove of documents about all manner of confidential business decisions: what executives knew about the company’s financial condition and when they knew it. Normally, plaintiffs’ attorneys would have to fight for years in pretrial discovery proceedings to get the information unearthed by Guardians of Peace.
Corporations view securities-fraud suits as legalized shakedowns. Some observers fear the Sony hack could be a prelude to a protection racket. On its blog, F-Secure, a Finnish consulting firm, speculates that the point of Sony’s public “execution” might have been “to warn other companies that may already be hacked that the extortionists aren’t bluffing.”
The simplest takeaway from the debacle pertains to e-mail hygiene. “Apart from the gossipy stuff, which won’t matter in the long run, a lot of the sensitive information that was hacked was in e-mail or attached to e-mail,” says Karle, who is now general counsel of the investment firm North Base Media. Employees, from the CEO on down, he says, have to undergo radical reeducation to restrict e-mail content to what wouldn’t be damaging if it were splashed around the Internet.
Sony apparently knew it was unwisely hoarding internal communications. According to the website Gizmodo, Leah Weil, the studio’s general counsel, said in one message: “While undoubtedly there will be e-mails that need to be retained and/or stored electronically in a system other than e-mail, many can be deleted, and I am informed by our IT colleagues that our current use of the e-mail system for virtually everything is not the best way to do this.”
The dangerous combination of awareness dulled by apathy goes far beyond Sony Pictures. In a speech in October 2012, then-Defense Secretary Leon Panetta predicted it would take a “cyber Pearl Harbor”—a power-grid collapse, poisoned municipal water supply, loss of lives—to make Americans appreciate computer vulnerability. The U.S. isn’t there yet, but Sony moves it closer.