The attack on the entertainment conglomerate illustrates the cold reality of the cybersecurity landscape today: It’s likely to get worse before it gets better.
The Sony hack copied a multinational company’s financial documents, its employees’ personally identifiable information and years’ worth of embarrassing – and poorly written, it must be said – emails from high-level executives and released them all for the world to see.
But for many cybersecurity observers, the real eye opener was how the hack illustrates today's cyber landscape: It’s likely to get worse before it gets better.
A growing collection of high-level computer security experts believe evidence points to an insider-orchestrated attack, while the U.S. government quickly blamed and sanctioned North Korea, whose leader, Kim Jong-un, is portrayed in an unflattering fashion in the Sony-backed film, The Interview.
Meanwhile, as Sony’s image continues to tarnish with each leaked, scandalous revelation, the company experienced an added layer of suffering other data-breached companies -- Target, Neiman Marcus and Home Depot -- had avoided.
In the hacked retailer cases, the bad guys wanted credit card numbers or personal identifiable information to sell. In the Sony case, the attackers inflicted reputational damage in a way that’s tougher to quantify but may be more malicious.
Sure, the company’s stock fell 10 percent in the wake of the breach, but how much more will that dinged reputation cost it in future revenue?
“This is the new normal,” said Rob Roy, federal chief technology officer for HP Enterprise Security. “I don’t think we’ll see attacks like this slow down. Defenders are getting better, but attackers are getting more numerous and also getting better.”
Data breaches of a financial nature are now so common that people barely blink at the news reports, unless they are victims, Roy said. But a steady trickling of leaked emails and tabloid fodder keeps the public’s attention in the same way reality television and Kim Kardashian do.
“A lot of people look at almost every breach, and they’re almost becoming numb to them,” Roy said. “But the boundaries of cybercrime and cyberespionage, whether it’s for a profit motive or a reputational motive, are changing.”
If you believe the U.S. government’s assumption that North Korean hacked Sony, then a foreign entity essentially used stolen data as ransom. Given the plethora of cyberattacks on federal systems in 2014 and the fact that most federal agencies lack rudimentary data-loss contingency plans, many hackers surely look at U.S. government systems the same way a perpetrator looked at Sony.
“We’re now trending into something I hope the government is taking more seriously,” Roy said.
If not, it’s easy to imagine a scenario where the disparaging or scandalous leaked emails are authored by heads of agencies, diplomats or members of Congress, not Hollywood executives.