The cyber attack that hit Sony Pictures two weeks ago was a sophisticated operation — so sophisticated, officials say, that the same attack could have made it through the defenses of almost any large organization, including the ones currently deployed by federal agencies.
The FBI has not yet disclosed any suspicions it might have about who was behind the targeted operation against Sony’s film division, in which attackers planted destructive malware and stole vast amounts of proprietary information. Considerable media speculation has centered on North Korea, and while the FBI’s top cyber official declined to validate those suspicions on Wednesday, he strongly suggested that the perpetrator was likely a nation-state.
“The level of sophistication is extremely high, and it was organized and persistent,” said Joseph Demarest, the assistant director in charge of the FBI’s cyber division. “It’s a concern, because in speaking with Sony and their managed cybersecurity provider, the malware that was used would have probably gotten past about 90 percent of the defenses that are out there today both in industry and in government.”
Given the sensitivity of the ongoing investigation, Demarest didn’t discuss the technical characteristics that made the Sony attack special.
But even if no one was able to prevent the attack, he and other federal law enforcement officials say its severity has made for a nearly unprecedented level of cooperation between the government and a corporate hacking victim.
“It’s been a model of cooperation in how it’s unfolded so far,” he said. “The event occurred, and within hours we had teams from the FBI and the interagency working with Sony and their cybersecurity provider.”
At a hearing of the Senate banking committee Wednesday, witnesses from the FBI, the Homeland Security Department, the Treasury Department and the Secret Service unanimously agreed that companies’ willingness to share information with the government and to cooperate in investigations has increased significantly from a few years ago, and that firms are beginning to get over the idea that disclosing attacks would only serve to lower their share prices and damage their reputations.
“We’ve seen a large change within industry when it comes to their willingness to become more forthcoming with the government,” said Brian Peretti, the director for critical infrastructure protection and compliance policy at Treasury. “They understand that the key to this is to share information not just with the government, but with other parties. This really started with the denial of service attacks back in 2012. Financial firms saw they were being attacked, and for the first time, instead of keeping it to themselves, they actively started to share it with each other.”
For the agencies that operate in the cyber realm, that evolution is an extremely positive development, both from the perspective of defending against future attacks and investigating those that have already happened.
From a law enforcement and international relations point of view, the Justice Department says it wants to send a strong signal to U.S. companies that the government doesn’t expect individual firms to fend off attacks by other nation states all on their own, and that it’s here to help.
“We’ll follow the facts of the Sony case wherever they lead, but I think the government’s gotten much, much better at doing the intelligence work we need to do to figure out who’s doing what, and with that, we’ve learned that a whole lot of people are doing a whole lot,” John Carlin, the assistant attorney general for national security, told a Bloomberg Government conference Tuesday. “But we’ve also realized that it’s not sufficient to just watch that occur. At the end of the day, we need to do more, because it’s not the responsibility of any company to figure out how they’re supposed to react when they’re under attack by a country. That is fundamentally the responsibility of us in government, and we need to do more. Part of that is publicly saying when we figure out that a nation state is responsible, and using every tool in the government arsenal to increase the costs of these attacks until they stop. We’re starting to show that you are not anonymous behind a keyboard — we can and will find out who you are, and when we do, the United States government can and will take steps to hold you responsible for your actions.”
From a defensive point of view, the Department of Homeland Security is also determined to change the cost-benefit calculus behind cyber attacks. It is fostering programs that let government agencies and private companies share threat information in near real time, the aim being to raise defenses to the point that adversaries conclude targets which are low-hanging fruit today will not be worth the trouble in the future.
But Phyllis Schneck, the DHS deputy undersecretary for cybersecurity and communications, said Wednesday that changing the behavior of attackers will also require businesses to change their risk calculus, especially small and medium firms that tend not to direct many of their limited resources and attention toward cybersecurity.
“We’re trying to change that through some massive outreach programs over the past year,” Schneck said. “I’ve gone out west and talked to the venture capitalists who are starting the smallest companies with the best technologies, and I ask them how they can possibly be investing tens of millions of dollars in creating new intellectual property without thinking about how to protect it. We’re also trying to incentivize cybersecurity by trying to develop a market for cyber insurance, something we’re working on with Treasury. But we need to make cybersecurity part of the culture in a way that it’s good to share information about a breach because your experience is very common, and could protect a lot of others. That’s the kind of galvanization that we as a country and a community need to achieve so that we can tackle this and change the profit model for the criminals.”