Sony hack may illustrate the downside of picking a fight with a skilled cyber adversary.
The website Urban Dictionary defines the expression “don’t poke the bear” as follows:
A phrase of warning used to prevent oneself or others from asking or doing something that might provoke a negative response from someone or something else.
In literal terms, if you poke a bear for fun it may respond by mauling you. Within cybersecurity, however, “don’t poke the bear” is also a useful rule of thumb. If you antagonize a skilled cyber-adversary, you may quickly find that your organization has been hacked, your website defaced, and your sensitive data stolen. Oh, and if any of these things occur, they will likely result in weeks of unflattering news stories broadcast across the media.
Full disclosure: I am quite aware that I’m not telling security professionals anything new here. There are countless examples where a person or organization decided to poke the old bear and received the equivalent of a cybersecurity mauling.
Here are a few classic examples:
Anonymous vs. HB Gary Federal. The CEO of HB Gary Federal, Aaron Barr, tried to sell others on a project by claiming that he could out Anonymous members. The company even planned to take its Anonymous-baiting story public at the B-Sides Conference and sell a list of Anonymous members. In early April 2011, Anonymous fired back by hacking into the HB Gary Federal network, stealing numerous documents and posting thousands of internal emails. I’d say that Aaron Barr remains the poster child for this “poking the cybersecurity bear” discussion.
LulzSec vs. the world. When fox.com described a rapper as “vile,” LulzSec struck back by exposing the names of 73,000 X Factor contestants in the U.S. LulzSec also hacked PBS, the Sony PlayStation Network, and a host of other organizations.
The Syrian Electronic Army (SEA). The SEA is a group of hackers who support the regime of Bashar al-Assad. The SEA has hacked into lots of organizations including Harvard University, UCLA, and others. In April 2013, SEA hacked into the Associated Press’s Twitter account and posted a faux story about an attack on the White House injuring President Obama. Before the smoke cleared, the NYSE dropped 150 points, approximately $136 billion in value.
After these and numerous other incidents, you’d think that organizations would understand the cybersecurity ramifications of poking the bear. Nope. Case in point, Sony Pictures announced a series of data breaches exposing a treasure trove of data including Sony employee PII, HR spreadsheets, salaries, layoff plans, etc. The bad guys also stole a bunch of movies, including Brad Pitt’s Fury and the remake of Annie, and posted copies to various websites. These movies have now been downloaded and viewed for free by millions of people.
There is some evidence suggesting that Sony may have poked the bear, in this case North Korea. Some security researchers report that the code used to break into Sony was written in Korean and was also utilized in a series of March 2013 cyber-attacks on various South Korean organizations. Apparently, North Korean cyber warriors hacked into Sony Pictures as an act of vengeance in response to the upcoming film The Interview, a comedy about a CIA plot to assassinate North Korean leader Kim Jong-un. Clearly, North Korea didn’t think this story line was funny. Remember too that Sony is a Japanese company and relations between Japan and North Korea aren’t exactly cordial. As of now, there are a whole bunch of Sony business, IT, and security executives who aren’t laughing.
I’m not suggesting that we give up our first amendment rights, shy away from strong positions, or disengage from political debate. This is and will always be important. On the other hand, we need to think long and hard before picking a fight with the wrong cyber-adversary, as there are new risks to consider.
My guess is that management at Sony Pictures never considered the possibility that a farcical Seth Rogen movie would result in massive cyber-attacks and data breaches. In my humble opinion, this was pretty naïve on Sony’s part. Unfortunately for Sony Pictures, it poked the wrong bear. It now seems possible that Sony didn’t even realize it was doing so.