Sony’s action will invite copycats: security expert


Caved in: Sony cancelled “The Interview” after cyber threats.

The decision by Sony Pictures Entertainment to concede to hacker demands and dump Seth Rogen’s film The Interview from its Christmas release schedule will invite copycat acts, according to a leading cyber security expert.

Sony last week canned The Interview, a comedy starring Rogen and James Franco that portrays the fictitious assassination of North Korean leader Kim Jong-un, after receiving threats of possible 9-11 styled attacks if cinemas screened the film.

High level concern: US President Barack Obama condemned the attack in a CNN interview.

On Friday, the FBI formally attributed the sophisticated and damaging cyber attack on Sony, for which a group calling itself The Guardians of Peace claimed responsibility, to North Korea’s government.

“Every criminal group, hacker group, and nation state watching this episode very carefully has just learned that here is a blueprint to emulate if you want to force another organisation to your will,” said Dmitri Alperovitch, co-founder and chief technology officer of Crowdstrike, a leading cybersecurity consultancy.

“This is not unlike the debate we have about whether we should pay ransoms for terrorist kidnappings. It is the same dilemma here. I understand why Sony felt that it was appropriate to pull the movie but at the same time it just encouraged these groups to do more of the same activity.”

Mr Alperovitch led investigations into 2009’s Operation Aurora attack on Google, Yahoo, Adobe and other major companies, which was attributed to groups linked with China’s People’s Liberation Army, as well as a subsequent similar Chinese hack on multinational oil and gas companies.

Sony staff have reported they are now working with fax machines and have no email or voicemail networks, but Alperovitch told Fairfax Media the attack on the company was not significant until The Interview was withdrawn from distribution.

“For the first time ever, a nation state changed the will of the victim and got them to take an action against their will through a cyber attack. I can’t ever remember that happening before.

“Through all the attacks we have seen from some really sophisticated actors like Russia, China, and Iran, this is the first time in my memory that we have had a physical world impact where the victim took an action that the adversary ultimately wanted them to take.”

The FBI, in a statement released to media on Friday, outlined its case against North Korea and claimed: “North Korea’s attack on [Sony] reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart.”

The North Korean government has denied any involvement in the mega hack and demanded a joint investigation.

Mr Alperovitch said breaches were inevitable but what happens once a network is compromised is crucial. The Sony hack, he added, may prove to be a needed wake-up call for cybersecurity.

“I liken this to the White House,” he said. “Anyone can climb over the fence at the White House. It is a small fence, you can go right up to it, and it would take you a couple of seconds to get over it. That doesn’t mean you will be able to get to the Oval Office. The reason is the Secret Service will deploy and will take action very quickly before you are even able to get to the front door and you will be stopped and prevented from coming in. People can get in but that doesn’t mean that they will accomplish that objective.

“But if you leave [a hacker] in [your network] for weeks or months or even years then you have no chance. By that point they will know your network better than you do and they will be able to bury themselves deep into it and do anything they want.”

He added that one reason hackers persisted in their efforts was the high return for relatively little effort and little chance of recriminations.

“The adversaries can try again and again until they ultimately succeed,” Alperovitch said. “There is no penalty for them except for their effort and time and money. To defend against it is expensive, it requires cutting-edge scholarship, it requires trained people who can do constant analysis.

“If you are dealing with a much more capable or well-funded adversary you are at a disadvantage.”