To get a taste for the havoc possible in today’s digital world, consider the recent cyberattack on Sony Pictures Entertainment. Intruders calling themselves “Guardians of Peace” claim to have broken into Sony’s networks and stolen around 100 terabytes — that’s 100,000 gigabytes — of financial information, budgets, payroll data, internal e-mails and feature films, and they have been slowly leaking excerpts to the public through file-sharing services. The materials have caused a sensation — revealing embarrassing details about executive salaries and secret movie negotiations — but the hack is also a worrisome moment in cybersecurity.
According to the tech news site Re/code, Kevin Mandia, a cybersecurity specialist investigating the attack, told Sony the assault was “unprecedented” and the malware “undetectable by industry standard antivirus software.” It was so severe, he said, that the FBI issued a flash alert to warn others of a “critical threat.” He added, “In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public.” There has been some speculation that North Korea is behind the onslaught in retaliation for a new Sony film titled “The Interview,” which depicts the assassination of North Korean leader Kim Jong Un. The film is scheduled to open Dec. 25.
Now, Re/code reports, Sony has begun to strike back. The perpetrator of the attack is not known. But citing sources, Re/code says that Sony is firing off countermeasures aimed at disrupting the file-sharing sites distributing the stolen materials. The counterattack involves a crude method known as denial-of-service attacks to gum up and slow down the computers carrying the illicit materials. Sony hasn’t commented on the report.
This state of affairs ought to be alarming. First, a cyberattack on a major corporation was so successful that thieves made off with an enormous amount of confidential business information. Second, the attack may well have been the work of a sophisticated state or organized group that surmounted industrial-strength protections. Third, a private company may have taken matters into its own hands and gone on the offensive.
This is more dangerous fallout from the political paralysis in the United States over cyberthreats — the inability of Congress and the president to provide stronger protection for the private-sector networks that are at the heart of U.S. society in the digital age. If the private sector and government cannot reach agreement on cooperating against this threat, does it portend an era in which companies like Sony will feel the need to defend themselves with their own cyberarmies? It wouldn’t be hard to imagine private contractors, including those who have long aided the military, rushing into the breach, too.
It is now a fact that many of the world’s most powerful nations are building cyberforces, either directly or with mercenary proxies. This is creating a cyberspace with plenty of risks. It can only be more dangerous when private companies decide they, too, must roam the cyberbattlefields.