Five years ago this week, Sony Pictures Entertainment was hit with the most brazen cyberattack against a U.S. target to date. It riveted public attention, assaulted the First Amendment and prompted President Barack Obama to threaten retaliation for the first time against a cyberspace adversary.
And it was all over a gross-out buddy comedy starring Seth Rogen and James Franco.
The Sony breach, which intelligence officials confidently attributed to North Korea, hit the cybersecurity world like Jaws hit movie theaters in an earlier era. It changed how the entire game was played and was a harbinger of a far more complicated and turbulent future. It sparked an era of increasingly muscular responses to major hacks — including financial sanctions and criminal indictments that have targeted not just North Korea but also Russia, China and Iran.
“Sony was a turning point in that it crystallized the need to name names as a precursor to imposing accountability and consequences,” Frank Cilluffo, a former White House cybersecurity official during the George W. Bush administration and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, told me.
It also prompted the Obama administration to create a special sanctions program just for cyberattacks and a new center to integrate information about cyberspace threats flowing from different intelligence agencies.
And it sent a warning to private companies that they could be targeted by sophisticated nation-state hackers — no matter how far their work seemed from the traditional realms of geopolitics.
Indeed, Pyongyang allegedly targeted Sony because leader Kim Jong Un was offended by Rogen’s film “The Interview,” which portrayed him as a petty dictator and hedonist and played his death for laughs. In response Kim’s hackers stole and published troves of embarrassing emails and unreleased films from the studio, rendered computer servers useless and threatened physical attacks on movie theaters that showed the picture.
“This really highlighted the fact that private companies were going to be targets for nation-state hackers and that would have strategic and political outcomes we never expected,” Adam Segal, a cybersecurity expert at the Council on Foreign Relations, told me. “I don’t think anyone would have thought of a movie studio being critical … but it became important for free-speech issues.”
Sony also foreshadowed Russia’s 2016 hacking and leaking campaign against the Democratic National Committee and the Hillary Clinton campaign, which similarly focused on undermining democracy rather than stealing money or information. Like Russia, the North Korean hackers also tried to disguise their actions as the work of a hacktivist group, which they dubbed Guardians of Peace.
“This was the first time a foreign government used a cyber operation to really attack the integrity of American society,” Jon Bateman, a former Pentagon cybersecurity official who is now a Cyber Policy Initiative fellow at the Carnegie Endowment for International Peace, told me. “The idea of a totalitarian regime using cyberspace to reach inside America to censor First Amendment-protected free speech was incredibly troubling and it previewed our conversations post-2016.”
And that's just the beginning of the thorny cybersecurity problems surfaced by Sony that have continued to bedevil U.S. officials.
The response to the breach also showed how hard it is to really stop adversaries from hacking the United States — especially North Korea, which is highly isolated from the world and largely immune to financial and diplomatic pressure.
Obama imposed severe sanctions on the Hermit Kingdom and signaled more retaliation could come — perhaps in the form of covert hacks or intelligence actions. But North Korea has launched a spate of damaging cyberattacks since then, including the 2017 WannaCry ransomware attack, which affected more than 230,000 computers in more than 150 countries and caused billions of dollars in damage.
Chris Painter, who was the State Department’s top cybersecurity official at the time, called Sony a reminder that the United States needs to impose serious consequences for cyber misbehavior.
Well, for one thing, it marked a turn to high level public attribution of a nation state cyber attack. A good trend now but must also be coupled with consequences because you can’t “name & shame NK & some other actors. https://t.co/m6IacdUydL— Chris Painter (@C_Painter) November 26, 2019
Sony also showed for the first time the huge amount of skepticism U.S. officials are likely to face when they accuse adversaries of cyberattacks — especially because officials are often unwilling to share the classified basis for those claims.
The North Korea attribution initially sparked widespread doubts among cybersecurity researchers who suspected an inside job and demanded more evidence than the FBI was willing to give. Those researchers almost uniformly accepted the FBI conclusion after more evidence emerged — including a 179-page indictment the Justice Department filed against the hackers in 2018.
But many people outside the cybersecurity community remain skeptical — including much of Hollywood, according to a retrospective published this week by the Hollywood Reporter.
That’s a chilling echo of Russia’s 2016 DNC hack, which naysayers including President Trump and some of his GOP allies are still saying might have actually been the work of Ukraine — a debunked conspiracy theory that contradicts the unanimous conclusion of intelligence agencies and the Mueller report and that intelligence officials say the Kremlin is actively propagating.
Here’s John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, which helped respond to the Sony breach:
I think a tin pot dictator forced us to abandon our democratic principles and proved that a paper thin persona was enough to cast doubt on their involvement. We are knee deep in the legacy of that incident.— John Hultquist (@JohnHultquist) November 26, 2019
And New York Times cybersecurity reporter Nicole Perlroth:
Controversial 2 cents: Sony offered Putin the perfect playbook for 2016: Hack/ dump emails from a high value target, let the media do the rest. It also proved even when attribution is as good as it gets, the industry would rather chase its tail than accept the conclusions the IC. https://t.co/lGt4mSif8Z— Nicole Perlroth (@nicoleperlroth) November 26, 2019
Since Sony, the government has generally become more transparent in its attributions and done a better job at convincing cybersecurity researchers — if not the general public. Here’s Richard Bejtlich, principal security strategist at the cybersecurity firm Corelight:
I think it was an inflection point. DPRK hackers really inflicted pain on an organization in the US, and the US IC moved quickly and definitively to attribute the attack. The IC also learned how to better communicate attribution following the criticism from the truther crowd.— Richard Bejtlich (@taosecurity) November 26, 2019
Finally, here’s a thread from Arik Hesseldahl about covering the early phases of the North Korea attribution when he was a reporter for Recode:
THREAD: I haven't thought about this story for quite awhile, but since @thr has done a take-out on the five-year anniversary of the Sony Hack by North Korea, I'll offer a few thoughts.— Arik Hesseldahl (@ahess247) November 26, 2019
The Cybersecurity 202 will be off the rest of the week and return to its regular schedule on Dec. 2. Enjoy the holiday!
PINGED, PATCHED, PWNED
PINGED: Employees from the Israeli spyware firm NSO Group filed a lawsuit against Facebook yesterday, alleging the company unfairly blocked their personal accounts, Steven Scheer at Reuters reports. Facebook blocked the accounts last month when it sued NSO for allegedly exploiting a bug in its WhatsApp messaging service to help governments break into the phones of about 1,400 users across 20 countries including numerous journalists and activists.
The employees are asking a Tel Aviv court to order Facebook to unblock both their Facebook and Instagram accounts. But Facebook told Reuters that disabling the accounts was “necessary for security reasons, including preventing additional attacks." Some of the accounts had already been restored through an appeals process, the company added.
The employees -- somewhat tone deafly -- criticized Facebook for invading their privacy to shutter the accounts, saying "The idea that personal data was searched for and used is very disturbing to us." They also pledged to continue to “help governments around the world prevent crime and terrorism through the technology we are developing.”
NSO has denied any direct involvement in its clients' hacking.
PATCHED: Sen. John Neely Kennedy (R-La.) reversed himself after saying Ukraine may have been responsible for the 2016 hack of the Democratic National Committee -- a statement that seemed to support a baseless conspiracy theory pushed by President Trump. Kennedy told CNN host Chris Cuomo the comments were the result of a misunderstanding after he misheard a question from Fox News host Chris Wallace.
“I’ve seen no indication that Ukraine tried to do it,” he told Cuomo on Sunday. Kennedy earlier said that there was “a lot of evidence Ukraine tried to meddle in the election in 2016."
U.S. intelligence and national security officials, including former Trump National Security Council member Fiona Hill, have warned that Russia promoted the Ukraine conspiracy theory to deflect blame for its own responsibility for the hack.
PWNED: The Commerce Department released its formal plan to ban companies including Huawei and ZTE that pose national security risks to America's telecommunications supply chain, David Shepardson at Reuters reports.
The rule was drafted in response to concerns the equipment could serve as a tool for Chinese espionage, though it doesn't mention Huawei or ZTE by name. The rule would give the Commerce Department broad power to decide which companies to ban on a case-by-case basis. The department would also notify companies to give them a chance to address national security concerns first.
The rule was prompted by a White House executive order in May that barred U.S. companies from using telecommunications equipment made by firms posing national security risks. The White House added Huawei to a trade blacklist that same month but later issued some licenses to allow companies to sell parts to the Chinese telecom that don't pose a security risk.
The department plans to finalize and implement the new rule in 30 days after seeking industry comment.
— Coming up:
- The Senate Committee on Foreign Relations will examine the future of United States policy toward Russia at 9:45 a.m. on December 3.