As the story of the Sony hack unfolds, it becomes more and more dramatic. The impact of the events on CIOs is profound.
To recap events:
On June 11, 2014, the North Korean government denounced the Hollywood film “The Interview” as “undisguised sponsoring of terrorism, as well as an act of war” and promised a “decisive and merciless countermeasure if the U.S. administration tacitly approves or supports” the movie.
On November 21, “God’sApstls” emailed Sony demanding money and threatening to hack the company. They said “we’ve got great damage by Sony Pictures. The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.”
On November 24 all employees at Sony Pictures headquarters in Culver City, California were welcomed to work with a skeleton image at login with the message: “This is just the beginning… [W]e’ve obtained all your internal data”. They were warned that Sony’s secrets would be released unless it agreed to “obey” the demands. The hackers identified themselves as “Guardians of Peace.” Since they say, “We’ve already warned you, and this is just the beginning”, they are likely the same group/person as “God’sApstls.” At that point, security experts believed that it was an inside job.
Sony staff were shaken. It appeared that all documents were inaccessible, so work came to a standstill. Employees were offered a service to help monitor their credit, as it was almost certain that their personal information had been breached.
A week later, reports began to appear that North Korea might be responsible. North Korea denied any involvement. The Associated Press reported some cyber-security experts as saying there are “striking similarities between the code used in the hack of Sony Pictures Entertainment and attacks blamed on North Korea which targeted South Korean companies and government agencies last year.”
On December 5, hackers claiming to be Guardians of Peace emailed an ominous message to Sony employees: “Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the e-mail address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”
North Korea denied involvement, calling the charge “a wild rumor.” But it called the hacking a “righteous deed.”
On December 8, the Guardians of Peace warned Sony to “Stop immediately showing the movie of terrorism which can break regional peace and cause the War!” This was the first time the hackers implicitly referred to “The Interview”. The first direct reference came on December 16 via an email to reporters stating: “We will clearly show it to you at the very time and places The Interview be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
Although the FBI indicated they were aware of the threat, Sony announced that it would NOT release “The Interview” on Christmas Day as planned. It later announced that it would not release the movie at all.
On December 19, the FBI publicly accused the government of North Korea of the hack and threats towards moviegoers. “The FBI now has enough information to conclude that the North Korean government is responsible for these actions…. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.”
At his year-end press conference, President Obama repeated the FBI’s allegation and publicly disagreed with Sony’s decision not to release the movie.
Although North Korea continued to deny its involvement, a State Department spokeswoman told reporters: “The government of North Korea has a long history of denying responsibility for its destructive and provocative actions, and if they want to help here, they can admit their culpability and compensate Sony for the damage they caused.”
Shortly after, the North Korean internet was shut down for 9 hours. The U.S. did not comment.
On December 23, Sony announced it would release the film. Obama praised the decision. The movie was released to a few hundred theatres and was streamed to over 2M viewers.
This raises grave concerns for IT departments on two fronts.
Although the source of the hack is still in question (was it really North Korea, was it Russian or American hackers, or was it an inside job?), you can be sure that the hack involved some sort of social engineering or a leak by a disgruntled sysadmin.
Never in the history of organizations has so much information been entrusted to just a few people. Think about the information that your sysadmins could gather if they really wanted to. A disgruntled email administrator could cull all emails from a certain person. If they are good, they could do this undetected. A knowledgeable database administrator could gather information from your ERPs. And a sloppy sysadmin could forget security patches, or improperly secure networks and servers.
The impact of any of these could, now, be enormous. In the past, data breaches were largely a public relations concern. Damages could be managed. The Sony incident, however, raises the stakes. Not only are your employees or your clients impacted, the impact could be much, much greater.
It is critical for all CIOs to evaluate the level of access sysadmins have. Further, it is imperative that any performance or attitude issues with sysadmins be dealt with immediately, before they escalate. And finally, it is critical to ensure that any irregularities are dealt with immediately.
With this incident, we are witnessing the first major public international blackmail case using the internet. When employees of a company can be threatened with the use of the data they have provided their employer (perhaps inadvertently by using their employer’s computers for personal business), they are now exposed at a higher level than ever before.
This means that IT departments have an even greater responsibility to ensure the safety and security of employee data. The stakes have been raised.
Although the US may not have been involved, this appears to be the first time cutting off internet access was used as a punishment for an action. You can be sure that all national defense departments are watching these events with great interest. Although cutting off the internet is much more difficult than, say, attacking a radio station, in a connected world, the results would be much more effective.
As CIOs, it is important to recognize the enhanced risks and impacts of breaches, and to do everything in our power to protect our company and its employees.