By Robert J. Samuelson
The Washington Post Writers Group
“In light of the decision by the majority of our exhibitors not to show the film ‘The Interview,’ we have decided not to move forward with the planned Dec. 25 theatrical release.”
— Sony Pictures Entertainment, Dec. 17
WASHINGTON — We have just witnessed the first major incident of cyberblackmail or cyberterrorism. Sony capitulated. This cannot be good, but it obscures a more unsettling message: Our digital dependence exposes us to catastrophic failures of basic services.
Before Sony’s surrender, the media had generally treated the massive breach of its computer networks as an entertaining yarn. Tens of thousands of emails released. Embarrassing comments made by studio executives (Angelina Jolie a “spoiled brat”). Sensitive pay data dumped. All this fed the public appetite for celebrity gossip.
No more. This is no joke.
It seems a landmark event. Other aggrieved groups may imitate the attack — which the FBI blames on North Korea. They will invade their adversaries’ computers and, if successful, use the resulting torrent of documents to cripple, extort or embarrass their opponents.
But this is only the first-order consequence. Sony’s hacking also alerts us to the ultimate cybersecurity horror: the breakdown of vital electronic systems — power plants, financial networks, water supplies — that creates anarchy.
Imagine a major city without power for an extended period. We don’t know the odds of this, but they are far greater than zero because so much of daily life depends on vulnerable digital networks.
Sony is simply the latest big organization to be hacked. The list includes JPMorgan Chase, Home Depot, Target, the U.S. Postal Service and the National Oceanic and Atmospheric Administration, reports James A. Lewis of the Center for Strategic and International Studies (CSIS). If these major institutions couldn’t protect their computers, why should we believe that power plants and other essential systems can completely protect theirs?
Until now, the motives for hacking have mostly been criminal and commercial. Thieves steal credit card data or a whole range of personal information to construct false identities. Companies pilfer the trade secrets, business plans and technologies of rivals. The Chinese are widely accused of this sort of heist, which has been characterized — rightly or wrongly — as the greatest theft of intellectual property in human history.
Business is booming. A CSIS study puts the worldwide cost of cybersecurity between $375 billion and $575 billion annually, covering everything from stolen credit cards to the expense of protecting systems. The bill is rising. Symantec Corp., a security firm, says the number of significant breaches rose 62 percent in 2013 to 253.
But cybercrime and cyberwarfare are different animals. To its victims, cybercrime can be tragic personally or fatal commercially. But it’s not a social breakdown. That’s what cyberwarfare threatens. The motives are political. The Sony hacking was of this sort. It may be a harbinger.
There are other signs. In October, the Department of Homeland Security warned that some industrial control systems — software used to run power plants and factories — are being attacked by “malware” (software that corrupts the network) associated with Russian users. “This campaign has been ongoing since at least 2011,” DHS noted dryly. The fear: that hostile actors are planting destructive software in crucial U.S. systems that could be activated at will.
The Russians, Chinese, Iranians and many rogue groups have reason to hack U.S. computers. We may not spot all the incoming malware (Sony didn’t) and, even if we did, the damage done to the network may take weeks or months to discover and remove.
What’s emerging is a new form of warfare with its own weapons. The advantage lies with the cyberattackers for three reasons.
First, they need to find only one entry point into a computer system, while the defenders must guard all possible entry points. In the face of a determined attack, the defense must be almost perfect, not just superior.
Second, it’s often hard to determine who is the attacker. This frustrates retaliation, enhancing the appeal of attacking. Although intelligence assessments quickly connected North Korea to the Sony hacking, some observers initially found the hard evidence thin.
Third, companies may underinvest in cybersecurity, says Allan Friedman of George Washington University. The reason: If it succeeds, it doesn’t show any return on investment. It doesn’t generate revenues or profits. There’s a tendency to skimp. Of course, without it, companies could suffer huge losses.
Are we staring down a cyberabyss? If you talk to security experts, many are relatively optimistic. They say that our systems have ample redundancy and backup. There may be failures, but rebounds will occur rapidly. The United States is also developing its own cyberattack capabilities that would surely deter some possible adversaries. Still, to have any redeeming value, the Sony debacle needs to awaken us to our growing digital vulnerability.