August 20, 2017

On the Sony Pictures Security Breach

The recent security breach at Sony Pictures is one of the most embarrassing breaches ever, though not the most technically sophisticated. The incident raises lots of interesting questions about the current state of security and public policy.

There is an active discussion in the tech community about who is responsible for the attack. The FBI blames the North Korean government, but the evidence cited by the FBI seems thin, and many in the tech community suspect that confirmation bias led the FBI to a conclusion that seems convenient for many in the cyber-industrial complex, not to mention Sony itself. (It’s less embarrassing to get breached by a state-sponsored adversary, as opposed to a gang of punks.) Perhaps there is secret intelligence information confirming North Korean involvement, but nobody has even hinted that this is the case. The DC echo chamber may have decided the North Koreans are responsible, but the tech echo chamber isn’t so sure.

A related question is whether the information security breaches at Sony are related to the threats of terrorism against theaters that led Sony to withdraw the film The Interview. Press coverage often assumes that the two come from the same source, but here again the evidence of a link is thin. Careful observers point out that the network attackers’ initial demands didn’t mention the film, focusing instead on Sony’s treatment of its employees—which would point to a disgruntled employee (or ex-employee) rather than the North Koreans. Similarly, the attackers have shown a level of media and online savvy that one doesn’t associate with the North Korean propaganda organs. After the attacks, there may have been multiple parties claiming to speak for the network intruders, and we can’t be sure who is connected to whom and how.

It seems clear that Sony had weak security defenses. Reports say Sony Pictures had trouble attracting and recruiting security talent, which isn’t too surprising for a company known for its disdainful attitude toward technology. Being on the wrong side of issues like SOPA/PIPA couldn’t have helped—what technologist would want to work for a company that is trying to break the Internet? In the case of SOPA/PIPA, the company and its trade association, the MPAA, explicitly backed a proposal that would have undermined the feasibility of DNSSEC, a security technology backed by many experts and by the U.S. government. Sony Pictures gave off an anti-technology and anti-security vibe, and it’s likely that the same attitude operated internally.

The biggest open question is how this will affect national policy. Thus far national policy has taken an eye-in-the-sky approach that protects a perimeter encompassing government and some big companies, and focuses on surveillance, monitoring, and response rather than broad deployment of protective technologies. Whether the Sony breach is a failure of government policy is debatable—it’s not clear if Sony Pictures is inside the perimeter, and anyway current policy doesn’t emphasize deploying the types of measures that might have protected Sony or reduced the damage—but it will be seen as a failure regardless. The likely response will be to double down on the current strategy.

Best-case, 2015 will be the year we finally get serious about addressing information security and privacy vulnerabilities. More likely, we’ll just do a bit more of what we were already doing—and the breaches will continue.

Comments

  1. Another major incident with Sony was the DRM rootkit: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

    I think this killed Sony’s reputation among hackers long before SOPA came around.

  2. What if…the FBI and Obama’s announcement was a knowing indirection, cat and mouse? Just saying, as it’s as good as any Hollywood plot-line.