Why the Sony attack is a wake-up call

Subimal Bhattacharjee | Updated on December 30, 2014 Published on December 29, 2014

Disarming tactics: A midnight viewing of the film. Reuters

We don’t have a comprehensive and stringent security regime to deal with cyber attacks, nor even the appropriate laws

One of the major cyber attacks this year happened on the network of Sony Pictures Entertainment (SPE) which began on November 24 this year and led to confidential information and sensitive internal emails from senior executives of the company being compromised and leaked.

The hacking activity was carried out ostensibly to thwart and threaten the Christmas Day release of the SPE-produced film, The Interview, a comedy around the supposed assassination attempt on North Korean leader Kim Jong-un.

A group calling itself ‘Guardians of Peace’ claimed responsibility for the attack and issued threats against SPE, its employees and the movie theatres that distribute its films. SPE took the call to cancel the release due to the reluctance of theatre owners to show the film.

Then came the FBI announcement that blamed the North Korean government of being directly involved in the attacks, with the US government approaching China to reign in North Korean cyber pursuits.

Finally the US president, Barack Obama, stepped in with a stern message of proportionate response but stopped short of calling the attacks an act of war; he called them ‘cyber vandalism’. At the same time he expressed displeasure at SPE for being hasty in stopping the release of the film.

Now, SPE has announced it will release the film through some theatres that have had second thoughts and have come forward to show the film, and also simultaneously through video on demand streaming services.

This sequence of events marks some significant milestones as far as the future of cyberspace is concerned.

Significant markers

Firstly, the attack was more than cyber vandalism — it targeted a fairly secure network with a clearly defined agenda. According to the FBI, the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information, apart from personally identifiable information and confidential communications of SPE employees. The attacks incapacitated thousands of SPE’s computers and disrupted its network and forced SPE to take its network offline.

Secondly, State involvement is much more proximal than was the case during the Stuxnet computer worm attack in June 2010. The data deletion malware used in the SPE attack was similar in pattern to other malware that North Korean entities used in the past and several internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware.

Thirdly, the competence of defensive tools and network security measures to prevent such attacks is under question. Finally, the hackers had the last laugh when SPE wanted to stop the release of the movie: they had successfully broke into a sensitive network, generated the necessary fear and carried out their mission without firing a single shot or even holding a gun.

Greater vulnerability

Over the last few years, cyber attacks have grown in frequency and sophistication and both State and non-State actors have been getting involved.

Despite the increase in awareness among corporates and individual users and the resulting focus on more secure networks, many networks are being compromised and targeted. The whole ecosystem of critical information infrastructure protection across power and telecom networks, air and rail traffic networks, and banking and financial systems are getting more vulnerable with times and the time.

Just in November this year, the US’ National Security Agency had warned of some major cyber attacks on critical infrastructure. But despite awareness and alertness, not all of these can be plugged by providing software patches and upgrades or even with hardened networks.

Even in India there are questions on the readiness of the networks to deal with such attacks and despite a national cyber security policy being announced in May 2013, nothing significant has been done in terms of resources and institutionalisation to be ready to deal with cyber attacks.

While many nations and corporations have suffered serious attacks either in the form of malwares, distributed denial of services attacks, or even targeted hacking pursuits, and have raised them with law enforcement agencies and governments, the international community has not been able to offer any stringency to deal with them.

Big hurdles

Today, attribution remains the biggest hurdle in pinpointing the actual source of any form of cyber attack. Many references have been drawn to Chinese cyber attacks over the past few years and some nations such as North Korea and Iran have openly expressed their proclivity to them. Yet, little has been done to take them head on. So the question that arises is how long will deliberations like the Internet Governance Forum and the UN-sponsored Group of Governmental Experts continue before an action-oriented working model is arrived at.

The Sony incident is a classic instance for policymakers to understand that while a larger internet governance mechanism can be devised, the need of the hour is a comprehensive stringent global cyber security regime where cyber attacks are dealt with sternly under current international laws of armed conflict. As cyber attacks defy geography, it is more prudent for action before a more serious catastrophe actually takes place on some network. Many nations have individually endorsed a premise that cyber attacks on critical infrastructures would be counted as an act of war as also envisioned in the US International Strategy for Cyberspace which Obama signed in May 2011. But much remains for a binding working arrangement in place among nations. The SPE hack attack is a definite wake-up call to pull up our socks on the overall global cyber security ecosystem.

The writer is a former India head of General Dynamics and a consultant on defence and cyber issues

Published on December 29, 2014
This article is closed for comments.
Please Email the Editor
This article is closed for comments.
Please Email the Editor