In reviewing the events of the past few weeks regarding the major cybersecurity breach at Sony Pictures, a number of lessons can be learned, and perhaps some new precedents have been set.
First the lessons:
1. Hack me once, shame on you. Hack me twice, and you clearly did not learn anything the last time you were hacked. While Sony Pictures is a different corporate entity from the unit breached previously, Sony Group's oversight of the risk management and business continuity plans of its subordinate business units was obviously not effective. Your overall IT infrastructure is only as secure as the weakest element linked to it.
2. Determined hackers can get inside your perimeter, and once there they can do a lot of damage. While only limited public information is available, the penetration of Sony appears to have been extensive. If internal networks cannot be trusted, the great advances in business brought about by automation and the information revolution cannot be safely used. Imagine trying to run a global business on a fax machine or note paper.
3. Unencrypted emails and files are easy to read and distribute. Once you hit send, especially on an unencrypted email, you have lost control of the content. Not everyone will respect your privacy, and what you wrote can end up in the Washington Post.
4. Cyber insecurity is expensive. With production costs of more than $40 million, Sony Pictures has significant sunk costs that, with the cancellation of the film, will be almost impossible to recover. Lost revenue from ticket sales, DVD sales, etc. will only magnify the effect on the bottom line. These are the simple, direct losses; they exclude any losses from theft of intellectual property, lawsuits related to the disclosures, and loss of goodwill.
5. Proving who did what in cyberspace is still difficult. Attribution remains a hard problem, and public evidence rarely settles it.
Now the precedents:
1. A poorly written message from a previously unknown group has caused enough fear to cancel a movie and effectively repress free speech.
2. This hack was not motivated by the traditional factors of money or espionage. While the public has become used to hearing about cybercrime events like the hacking at Target, or reports of government and economic espionage, there is as yet no evidence of traditional cybercrime efforts to capitalize on the information stolen from Sony. It seems purely political in nature. While hacktivists have embarrassed individuals and companies before, the Sony hack seems different in scale and intent.
The challenges for governments, businesses, and individuals in responding to cyber-attacks remain. The attribution problem, limited international legal frameworks, and the difficulty of determining a proportional response all curtail the available options. The hack has caused real losses for Sony and its stockholders. It will be interesting to watch what transpires on the legal and diplomatic fronts as the story continues to play out.