Why the Sony hack changes everything
In 2009, back before Edward Snowden showed the world how the National Security Agency had conquered cyberspace, its former director, and his then-boss, retired Adm. Mike McConnell, appeared on 60 Minutes to urge Americans to prepare for a massive wave of increasingly damaging cyber-attacks by foreign governments and well-funded terrorist groups.
McConnell, an executive at Booz Allen, a major contractor for the intelligence community, laid out a scenario in which China (or some other country) attacked the supervisory and control systems of a major public utility. He predicted deaths and injuries. He called for more money to be directed to fighting cyber-attacks (certainly pleasing the Booz folks), but he also wanted Congress to give the government extra powers to help prepare private industry for the inevitable. McConnell was a bit of a cyber scaremonger, to be sure, but he was prescient, too.
The Sony hack hasn't killed anyone. But it has knee-capped the American subsidiary of a global conglomerate and potentially paralyzed an economically potent American industry. If it was orchestrated by, or ordered by, a foreign government, then it's an act of terrorism. Its effects are greater than the sum of Sony's leaked emails. The Obama administration reserves the right to use law enforcement, intelligence, and military assets to despond to cyber-attacks like these, according to its own presidential directive.
The chief intelligence officers of companies need offices next to the presidents of companies. They need to gain power and leverage over general counsels, who view risks differently. They need to be brought into the supply chain; they need to be involved in the selection and marketing of products.
Big companies that get hacked ought to disclose the attacks as soon as they happen, or as soon as it is reasonable to do so without impeding the effort to catch the cyber-saboteurs. Right now, a company's lawyers tend to have more sway because they're judging risks in the context of what might reduce profits or cause stock prices to drop. Executives need to take off their blinders. The Sony attack effects every major company in Hollywood. Temporarily, other companies might benefit. In the long term, if they don't look out for each other's interests, they'll all be at risk.
The cyber-community has preached about shared risk for years, and the Sony hack is not novel. China has been exfiltrating secrets from American companies for more than a decade. No — what makes the Sony hack special is the story.
Americans cannot help but gawk at it. It's Hollywood, after all. Seth Rogen, James Franco. Dirty laundry, tawdry affairs, leaked emails. Privacy — not financial privacy, but personal, intimate details — revealed because a foreign country got mad.
The aura of cyber-invincibility has been irreparably cracked.
If your credit card number is stolen from a Target database, you can get a new card or keep track of your charges to see if anyone uses it. That's pretty easy; after a while, you'll forget about it. You're not going to forget about the drama playing out right now in Hollywood, Washington, and Pyongyang.
I wondered online if Sony could argue somehow that it is too big to fail — that if the attack is tied to a country, then perhaps the company can be indemnified from lawsuits arising from its own alleged neglect. The answer is no.
Going forward, Congress might consider some sort of risk pool for companies that meet strict standards and still find themselves the victim of state-sponsored hacking. Sony does not seem to have met those standards. It was low-hanging fruit. Sony will have to eat its losses, because saving Sony from embarrassment is not in our national interest. But securing open access to the internet for American companies is now considered to be a critical national security issue.
The U.S. has four options. It can respond with political measures — shaming, sanctions, and the like. It can respond with "kinetic" measures — i.e., some sort of physical attack. It can respond with cyber-measures — some sort of reciprocal hack. Or it can do nothing.
By the way: the NSA would not have been able to save Sony, even if the agency had somehow been granted supreme power to "monitor" the internet.
At the same time, Sony should have figured out fairly easily that someone was exfiltrating 11 terabytes of data from its server.