Forget the Gossip, These Are the Lessons of the Sony Hack – Businessweek
When considering the Sony Pictures (SNE) mega-hack, try to focus not on movie producer Scott Rudin’s disdain for Angelina Jolie or studio head Amy Pascal’s racially offensive banter about President Barack Obama’s imagined taste in movies. Instead, focus on the uncanny prescience of George Clooney, who on Sept. 5, 2014, typed into the subject line of a message to Pascal: “Knowing this e-mail is being hacked.” Sure enough, it was.
Discussing in salty language his plans to direct a film about the 2011 Rupert Murdoch-News of the World (FOXA) phone hacking scandal, Clooney alluded to the grim state of digital insecurity. His acute awareness of the issue brings to mind the IT department gallows humor that there are two kinds of corporations: those that have been hacked and those that don’t know yet they’ve been hacked.
In the past year alone, the list of victims includes retailers Target (TGT) and Home Depot (HD), giant hospital operator Community Health Systems (CYH), and JPMorgan Chase (JPM), the nation’s largest bank. On the governmental side, the White House, State Department, Postal Service, and National Oceanic and Atmospheric Administration have all been hit just since October. Going back to 2013, a slender young man named Edward Snowden did some serious damage at the normally security-conscious National Security Agency.
Will the Sony debacle provide the alarm we need to rethink computer security from scratch? Alas, the guilty pleasures of Hollywood schadenfreude—ooh, did you see how they dissed Adam Sandler and paid Jennifer Lawrence less than her male co-stars?—may prove too distracting. Sony itself is oscillating between repentance and recalcitrance. Still, let’s try to find some lasting meaning in the mayhem.
By late November, miscreants calling themselves Guardians of Peace penetrated the servers of the Culver City (Calif.)-based movie arm of Japan’s Sony. The intruders demanded that Sony cancel the Christmas release of The Interview, a comedy starring Seth Rogen and James Franco as tabloid TV goofballs dispatched by the Central Intelligence Agency to assassinate North Korean dictator Kim Jong Un. Pyongyang applauded the attack while denying involvement. Investigators have identified software similarities between the Korean-language malware used in the Sony hack and a presumed North Korean digital assault on South Korean banks and broadcasters last year. As of this writing, though, the FBI hasn’t ruled out additional suspects, including the proverbial disgruntled former employees.
Whoever they’re working for, Guardians of Peace have dumped scores of gigabytes of data containing juicy movie-star e-mails, still-secret deals, payroll information, released and unreleased films, employee medical records, Social Security numbers, and even the aliases some actors use when checking into hotels.
The lessons go well beyond Tom Hanks’s aka, “Johnny Madrid,” which he presumably has retired. First, despite the proliferation of red-flashing warning signals, some companies, including Sony, seem to be asking for digital abuse. For several years, hackers have repeatedly disrupted Sony’s popular PlayStation gaming network, with a group reportedly based in Russia and calling itself Lizard Squad taking credit as recently as early December.
“What this shows you is that the IT guys tell the board and top management they’ve got the problem under control, and everybody goes back to business as usual,” says Adam Epstein, a corporate consultant with Third Creek Advisors in Danville, Calif. “The weaknesses you see at Sony and other companies, large and small, can’t be fixed by installing one more firewall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging.”
The malware used against Sony Pictures “would have gotten past 90 percent of the net defenses out there today in private industry,” Joseph Demarest, assistant director of the FBI’s cyber division, told the Senate Banking Committee on Dec. 10. Sony nevertheless made itself especially vulnerable to suffering damage once the intruders got in. Those celebrity aliases and additional personal data are said to have been stored in a folder titled “publicity bibles.” Computer passwords were compiled in a document invitingly called “passwords,” and so forth.
Assuming that hostile outsiders will get across the moat and penetrate the castle walls, companies have to do a better job of concealing the crown jewels. Some of this requires technology. When Snowden revealed that the NSA might be snooping on search engine data flows, Google (GOOG) and Yahoo! (YHOO) added layers of encryption to protect internal traffic from prying eyes. Equally important, though, are strategic choices that don’t require a computer science Ph.D.
Sony’s most valuable material—contracts with actors, directors, and investors and such intellectual property as unreleased films and scripts—ought to have been isolated from central data-storage systems connected to the Internet, making it much harder to find, Epstein says. This would require essentially non-technical decisions to invest manpower and money that could transform the castle keep into more of a labyrinth.
Sony Pictures executives appear to be resisting hard realities. While Pascal has apologized repeatedly for her faux pas, especially her tasteless joking about Obama’s supposed affection for black-themed movies, she’s still showing a certain obtuseness about culpability. “I don’t think that anybody thinks that this was anyone’s fault who works here, and I think continuity and support and going forward is what’s important now,” she told Bloomberg News last week.
The reality is pretty much the opposite of Pascal’s assertion: There’s plenty of fault to be found within Sony, the blame ought to be shared at the highest levels, and what’s needed is not continuity but dramatic change. The firing of IT personnel, while inevitable, would be only a first step, according to Laura Martin, a media analyst with Needham & Co. Target’s chief executive officer, Gregg Steinhafel, resigned in May after that company’s devastating data breach.
For the moment, Sony seems consumed with damage control. The tech websites Re/Code and Ars Technica reported that the studio is distributing fake versions of pilfered files to try to frustrate potential consumers of the Guardians of Peace booty. Sony also hired prominent attorney David Boies to send stern letters to news outlets, including Bloomberg News, requesting the destruction of material heisted by the hackers. In a letter dated Dec. 14, Boies warned that if media companies fail to comply and continue to publish “stolen information,” Sony “will have no choice but to hold you responsible for any damage or loss.”
In court, Sony would face an uphill battle to stop dissemination of material of “public concern,” but it might have a better chance at trying to limit the verbatim publication of content covered by copyright law. “Does Sony have a legal leg to stand on? Probably not, at least as to most of the information that media outlets would want to publish,” Eugene Volokh, a First Amendment scholar at UCLA School of Law, wrote on his blog. The screenwriter Aaron Sorkin, who does business with Sony, followed up with a Dec. 15 op-ed in the New York Times bemoaning how “awfully quiet” most of the rest of Hollywood has been and condemning dissemination of the studio’s secrets as “morally treasonous and spectacularly dishonorable.”
Liability could cut in several directions, and if Sony executives don’t come to grips with their past errors, plaintiffs’ lawyers will happily remind them. Stuart Karle, a New York media lawyer and former chief operating officer of Reuters News (TRI), identifies several potential legal hazards. Over the summer, Sony settled a consumer-privacy class action related to one of the PlayStation breaches. In the movie studio episode, hackers grabbed detailed and identifiable health information for some Sony employees: names, diagnoses, insurance disputes, and the like. That Sony’s human resources department didn’t do a better job of disguising this data “seems troubling,” Karle notes. “This stuff will haunt all those people the rest of their lives,” agreed Deborah Peel, director of Patient Privacy Rights, a nonprofit.
Lawyers organizing prospective shareholder class actions against Sony management have received a trove of documents about all manner of confidential business decisions: what executives knew about the company’s financial condition and when they knew it. Normally, plaintiffs’ attorneys would have to fight for years in pretrial “discovery” proceedings to get the sort of information freely disseminated by Guardians of Peace.
Corporations view securities-fraud suits as legalized shakedowns. Some knowledgeable observers fear that Sony’s ordeal could be a prelude to a protection racket. On its blog, F-Secure, a Finnish consultancy, speculates that the point of Sony’s public “execution” might be “to warn other companies that may already be hacked that the extortionists aren’t bluffing.”
The simplest takeaway from the Sony debacle pertains to e-mail hygiene. “Apart from the gossipy stuff, which won’t matter in the long run, a lot of the sensitive information that was hacked [from Sony] was in e-mail or attached to e-mail,” notes Karle, who now works as general counsel of the investment firm North Base Media. Company employees, from CEO on down, he says, have to undergo radical reeducation to restrict e-mail content to what wouldn’t be damaging if it were splashed around the Internet.
Sony apparently knew it was unwisely hoarding internal communication. According to the website Gizmodo, Leah Weil, the studio’s general counsel, said in one message: “While undoubtedly there will be emails that need to be retained and/or stored electronically in a system other than email, many can be deleted, and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this.”
The dangerous combination of awareness dulled by apathy goes far beyond Sony Pictures. In a speech in October 2012, then-Defense Secretary Leon Panetta predicted it would take a “cyber-Pearl Harbor”—a power-grid collapse, poisoned municipal water supply, loss of lives—to make Americans appreciate computer vulnerability. We’re not there yet, but Sony ought to move us closer.