In a year of unprecedented cybersecurity attacks that targeted industries ranging from retail and financial services to health care and government, the catastrophic hack of Sony Pictures Entertainment has been the most eye-opening.
The attack on Sony is a watershed moment in cybersecurity, marking a change in attackers’ motives.
This was not a “go in low and slow” hack, siphoning off valuable information over time and profiting from Sony’s data and intellectual property. There was nothing clandestine about this attack — the perpetrators wanted their work to be known. The hackers didn’t want to gain from this attack. They wanted Sony to lose. They wanted to damage the company’s reputation, brand and ability to function, and to change its behavior as a result.
Allegations by the FBI that the attack was perpetrated (or at least sponsored) by North Korea add further complexity and nuance to the issue.
The public sector contends with advanced persistent threats from nation states on a daily basis. As may be the case with Sony, many successful malware attacks on government agencies involve phishing — a targeted technique that uses email carrying phony requests to trick someone inside the network into letting a bad actor in.
Attributing such attacks to a single actor is often extremely difficult. Regardless of the perpetrator, the right cybersecurity infrastructure and best practices must be in place so attacks like these can be defended against and the playing field can be leveled.
There are several lessons that can be learned from this attack, which apply directly to the public sector.
First, while software is designed to allow people to perform functions from within or outside an agency network, it should not be put into production with known vulnerabilities, which are essentially open doors and windows to the organization’s core information assets. When vulnerabilities are found in software, hackers and other malicious actors suddenly have the keys to the kingdom and can access the information they want, regardless of where it resides or where they are coming from.
In many cases, advanced hackers infiltrate an agency’s network in a matter of minutes and escape undetected with sensitive information in less than 24 hours. Meanwhile, agencies can go months without knowing a breach has occurred, giving assailants all the time they need to sift through the data. This gap is where real damage can be done to U.S. national security, allowing an enemy the time it needs to exploit valuable information.
In the event of a breach, agencies can best secure their data in two ways.
The first is end-to-end data protection and encryption across all storage units, making the data worthless to attackers and unauthorized employees.
The second is near real-time monitoring that affords security managers a comprehensive picture of their network environment, so threats can be detected and mitigated before they cause harm.
The second lesson is that while most cybersecurity breaches are judged by their financial impact on the organization, the attack on Sony has shown that there is more at risk than just dollars and cents. As is often the case in the public sector, Sony was allegedly attacked for political and reputational reasons.
Each year, attackers steal billions of dollars of intellectual property from the United States by lifting data from inadequately protected networks. In government, how can a cost truly be placed on the loss of information like the plans for the F-35 Joint Strike Fighter that could one day put American lives at risk?
To make a lasting impact on an organization’s security posture, an agency or company must pivot its focus from preventing all breaches — an unfeasible task — to detecting and mitigating breaches as they occur. While no amount of investment can completely protect against highly sophisticated cyber attacks, improving and prioritizing an organization’s ability to disrupt the adversary with actionable intelligence across the entire attack lifecycle can significantly improve attack containment and reduce the overall impact.
Finally, as disconcerting and humiliating as the Sony hack has been, it is important to remember that this breach is mild in comparison to a potential attack on critical infrastructure. The 2012 hack of Saudi Aramco and the recent attacks on a German steel mill, a South Korean nuclear plant operator and the Internet Corporation for Assigned Names and Numbers (ICANN) are just a few reminders of this grave risk. Officials from the Department of Homeland Security, the Department of Defense and the National Security Agency have recently remarked on the vulnerability of the United States’ critical infrastructure to cyber attacks.
In order to adequately prepare for and respond to attacks in this new age of information systems dependence, industry needs to embrace best practices, such as those outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Council on Cybersecurity’s Critical Security Controls.
Meanwhile, government must implement a comprehensive set of protocols that outline appropriate responses to future cyber events (e.g. legislation that supports cyber threat information sharing).
Attacks like the one on Sony go beyond the boundaries of a corporate response and even of local law enforcement, requiring action at the federal level. In this instance, Sony was actively fighting back by trying to stop downloads of the stolen material and conducting damage control in the public sphere. It is a slippery slope when corporations begin to fight back on their own and unilaterally respond to terrorist demands.
The Sony attack was a brutal show of force. It must serve as a wake-up call for the United States and its institutions that we live in a new age of cyber threats — an age in which borders no longer matter and attackers no longer need to be on American soil to do America harm. It is time for industry leaders to invest in both the technology and the workforce needed to fully protect their organizations from these risks. And it is time for elected officials to pass effective, comprehensive cybersecurity legislation that establishes a clear policy and response plan for inevitable future cyber threats.