Sony and the New Normal in Cybersecurity

January 1, 2015 Updated: February 24, 2016

For Sony Pictures, the gift of litigation came early this year.

On the week before Christmas, the entertainment company was struck by no fewer than six class-action lawsuits from ex-employees, all seeking damages for the harms suffered as a result of the company’s data leak, in which the Social Security numbers of tens of thousands were made public on the web.

They argue that Sony could have avoided being hacked if it had adequately invested in security, and reports emerged of Sony’s gross incompetence in securing its data. Unnamed Sony employees said that Sony’s information security team was a “complete joke,” and a Sony executive said in 2007 that it was a “valid business decision” to accept certain security risks.

But while the Sony hackers’ decision to upload their loot to public file-sharing hubs was unusual, and the scale of the attack unprecedented, the hacking of major corporations is a routine affair in the 21st century, a consequence of the economy’s digital makeover.

A survey of 59 U.S. corporations with more than 1,000 employees found that the average cost of cyberattacks per year was $12.6 million in 2014, according to the Ponemon Institute. Every one was hit with at least a minor attack, with the minimum cost incurred by a company totaling over $1.5 million.

Mega-breaches, defined as attacks in which over 1 million records are lost, were ten times more frequent in 2014 than in 2005, and the rate of major attacks is only accelerating, according to Larry Ponemon, founder of the eponymous security think tank.

“Mega-breaches were very rare in 2005; now it seems to be every day,” Ponemon said. “Many of these attacks aren’t even reported anymore. Staples was attacked [in December and lost 1.2 million credit card numbers], and it wasn’t even on the front page of the Wall Street Journal.”

Breaches became better known after a landmark 2003 California law required businesses to notify customers of attacks that resulted in the loss of their private information. As of 2014, similar laws have been adopted in 46 other states.

With the new data, Ponemon has been trying to develop a cybersecurity equivalent to Moore’s Law that can map the growing risk of cyberattacks, but the project has stalled because the ever-changing nature of cybersecurity makes even cautious estimates difficult to obtain.

Still, Ponemon is certain that at the moment, cybersecurity is on a downward slope.

“There’s no question” the rate of major cyberattacks is accelerating, Ponemon said. “If we can come up with a metric, it would be pretty high.”

The Perils of a Cyber-World

At first blush, our increasing vulnerability to cyberattacks may be a sign of progress, an inevitable consequence of the economy becoming more digital, or as venture capitalist Marc Andreessen puts it, “software is eating the world.”

More than a few of the companies—Amazon, Netflix, Spotify—lauded in Andreessen’s 2011 essay have suffered serious data breaches since then. Traditional retail companies transitioning into the digital space have been hit even harder; 2014 saw chains like Target, Neiman Marcus, Michaels, and Home Depot lose the financial information of tens of millions of shoppers to hackers.

“Everything is going digital. Because there’s so much attack surface, every time you add a new system to your enterprise, it becomes a ticking time bomb,” said Adam Meyers, VP of Intelligence at CrowdStrike, a security technology company.

Vulnerabilities in everyday software are so numerous that hackers find new exploits as soon as old ones are patched. When Microsoft in 2008 patched vulnerabilities in Word used by Chinese hackers, they moved on to Adobe PDFs, and after that was patched, Adobe Flash.

“They’re like water, they’ll flow down to the lowest point, the easiest path,” Meyers said. Generic writing and design processes “are all components of the attack surface, even if they patch every piece of software, there’s always one machine that didn’t get patched, or was powered off.”

The vulnerabilities are so expansive that a company shouldn’t think of trying to buy total security, Meyers said, only enough security for select key items.

“It’s really about an intelligent approach to protecting things. I don’t think you can put a dollar figure on how much a company should spend on security; they should figure out what’s their crown jewel and figure out how to protect that.”

The digital transition isn’t the only source of the rise in cybercrimes. Meyers said that high-profile attacks encourage copycats, whether they’re “hacktivists or nation-states” conducting espionage.

Through a Touch-Screen, Darkly

The combative nature of cybersecurity makes industry practices opaque as a rule, so as not to give hackers a guide on what to circumvent. This, in turn, makes it difficult for stakeholders to determine the optimal investment a company should make in its network security.

The problem is compounded by the short life cycle of security services, which are constantly evolving as a result of an arms race between security companies and hackers.

“The use of returns-on-investment is very difficult in security,” Ponemon said. “I can invest in tech today, and within two seconds it can become obsolete.”

In the 2014 survey, the three-year return on investment in extensive data loss prevention tools was only 9 percent, and even that figure could be inflated, Ponemon said, because the employees answering the survey often took into account only the cost of the product, and not the resources the company spends implementing it.

The exact point-of-entry for a cyberattack can be hard to pin down, and digital post-mortems can last years. In the 2014 survey, half of the companies said they were uncertain about the exact cause of the security breach, making it difficult to know what additional security measures were needed.

The hacking of Sony is an illustrative example of that uncertainty. Despite the extraordinary transparency resulting from the data leak, including emails between employees in the IT department, a consensus has yet to be reached about how the attack happened or the identity of the culprit.

Detective Story

In the case of Sony, Ponemon said that it was quixotic to say with certainty that the attack could have been prevented if the company had just taken a few extra steps to secure its data, such as encrypting key customer password files.

“Encryption does help, but if you’re a system admin, you might have access to the encryption key, or you might be required by your job to see the data in clear text,” Ponemon said. “You can’t say exactly; if they did X, there would be zero opportunity for cybercrime.”

Ponemon’s survey found that 11 percent of cyberattacks could be traced to someone who worked from the inside, such as a disgruntled former employee, and one theory suggests that the Sony attack fell under that category.

The security firm Norse conducted its own analysis of the leaked Sony data and speculates that a system administrator named Lena, whom Sony fired in its spring 2014 layoffs, worked with other hackers to orchestrate a retaliatory attack on Sony.

The FBI maintains the attackers were of North Korean origin, a claim Meyers supports. CrowdStrike has been tracking a North Korean actor since 2006 that it dubbed Silent Chollima, after a pegasus of the Far East that is the national animal of North Korea. CrowdStrike has a “high degree of confidence” that Silent Chollima hacked Sony.

Developer’s Dilemma

One of the structural problems in cybersecurity is that the damages of attacks are not always borne by the companies responsible for paying for security, which skews incentives toward under-spending on it. Plaintiffs in the class-action lawsuits against Sony all detail the time and money they’ve spent searching for and purchasing identity-theft protection services, which Sony has offered for free to current, but not former, employees.

“The people who are rushing things are the first to market; their mission is to capture the market … if it means they go with a product early, without commitment that you’re secure at a high level, someone else down the line will pay for it, be it consumers or other companies,” said Ponemon.

Ponemon isn’t optimistic about the government stepping in to enforce security standards because of the way the industry differs from food or medicine.

“Security operates in stealth, you don’t want to give the bad guys the formula for security,” Ponemon said, and added that the global nature of technology means that an international regulatory body, which he deemed unrealistic, would be needed to create real traction.

Still, Ponemon’s pessimism has limits. Many interpretations of Moore’s Law predict the culmination of computational progress in some sort of Singularity, but Ponemon isn’t too worried about its cyberattack equivalent, where hackers shut down power lines and other utilities to usher in a return to the dark ages.

“I’m not saying we should buy a 20-year supply of food rations,” he said.