“A growing chorus of national-security experts describes the cyber realm as the battlefield of the future,” wrote 9/11 Commission Co-Chairs Tom Kean and Lee Hamilton in The Wall Street Journal in September. Attacks against the United States, both by terrorist networks and state actors, have shifted online.
The cyber attack on Sony Pictures Entertainment—widely attributed to North Korea over the film The Interview—is the latest in a series of major network intrusions that have received wide media coverage. On January 12, ISIS-affiliated hackers calling themselves the “Cyber Caliphate” took over the United States Central Command’s Twitter and YouTube accounts.
On January 15, the BPC hosted a discussion on cybersecurity, Lights – Camera… Hack! Strategic Implications of the Sony Cyber Attack, with panelists Rep. Mike Rogers (R-MI), former chairman of the House Permanent Select Committee on Intelligence; General (Ret.) Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency; and Dr. Paul Stockton, former assistant secretary of defense for homeland defense and America’s security affairs. Highlights from their discussion are below.
On November 24, Michael Lynton, president of Sony Pictures Entertainment Group, was informed that the company’s computer system had been compromised. With the help of the F.B.I., it was discovered that the security breach had come from a group calling itself #GOP—Guardians of Peace—using IP addresses from North Korea. Hackers instructed Sony to “stop immediately showing the movie of terrorism which can break the regional peace and cause the War,” in response to the film The Interview, a satirical depiction of North Korea.
The Sony hack illustrates a new reality for corporations: economic security is intertwined with cybersecurity. From an intellectual property perspective, the hack resulted in the release of over 250 GB of Sony’s private files, including a number of unreleased films. Furthermore, from a productivity standpoint, the deletion of a number of Sony’s files—up to 70 percent—forces Sony to spend working hours redoing projects. In short, failing to secure files undermines Sony’s operational abilities. Another economic consideration deals with the release of personal data (such as Social Security numbers and salaries) of employees. Failing to secure this information causes financial risk to employees and undermines the potential ability of Sony to maintain current and build future relationships with both clients and employees.
In response to threatening messages from the hackers, Sony cancelled the release of The Interview. After facing criticism, Sony reversed its decision and released the film.
Panelists stressed the fact that this attack was unprecedented. Unlike the Target and Home Depot hacks last year, Sony’s was tied directly to a state actor. If North Korea was able to use coding that was previously available to attack a U.S. company, panelists said, it is clear that measures must be taken to protect against more technologically advanced threats.
Chairman Rogers raised the point that although this may seem like an isolated instance, it is a wake-up call that a future attack could target our power grid and cause much larger problems of national security. “We need to ready to restore the functionality of critical infrastructure,” said Dr. Stockton, advocating for contingency plans for cyberattacks in line with those for natural disasters.
The three panelists agreed that they were surprised by the lack of action taken by the White House, even after it had named North Korea as the perpetrator. “The United States will have to show that they will not tolerate it because everyone is watching,” said Chairman Rogers. “Iran is watching. Russia is watching. Every criminal organization is watching.”
Moving Forward on Cybersecurity
On January 12, President Obama asked Congress to pass legislation to strengthen cybersecurity in U.S. public and private sectors. The president’s proposed legislation encourages private companies to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. This information would then be shared with relevant federal agencies and private information sharing and analysis organizations. Those who comply would receive targeted liability protection for doing so. The legislation also calls for stricter law enforcement to combat cybercrimes: prosecuting the sale of botnets, deterring the sale of spyware, criminalizing the overseas sale of stolen financial information and giving courts the power to shut down botnets that are engaged in criminal activity.
However, Chairman Rogers warned, “we are still in an uphill battle” on passing substantive cybersecurity legislation. Stockton was more optimistic: “[n]ot only has North Korea given us more impetus to pass legislation, I think it is a very strong legislative proposal.”
Because of the Sony attack and the terrorist attacks in Paris, General Hayden added, debates on important cybersecurity and information sharing legislation that “were flash frozen are beginning to thaw.”
Chloe Barz and William Spach contributed to this post.