The leak of SONY movie actor’s e-mails to the public has stirred huge amounts of attention. Some of it was salacious, which provided for days of commentary on the news shows. Much of the discussion centered on the question what was the source of the hack. Was it North Korea? The President and the FBI entered into the conversations although they could offer only conjectures but no hard facts. Hundred of on-line pundits kept on line with opinions, though all of it could be classified only as educated guesstimates.
Missing were facts that could illuminate what happened. It was clear that the SONY hack was result of a distributed bot attack that accessed SONY by circuitous routs from several countries. The bot-master was too many Internet-connections (e.g. “hops”) removed so that it could not be traced. In the SONY breach names, addresses, identifying numbers and the full text of messages were stolen other than embarrassment, no damage occurred. The entire hack could turn out to be an extremely profitable event and be seen as a clever joke.
Cyber crime researchers cannot dismiss the SONY happening as a joke. Its widespread attention has highlighted that cyber attacks happen. Cyber criminality is now a global business. With all of the attention of the public as well as government agencies devoted to guessing whether North Koreans were the culprits, the ease with which SONY servers yielded their data was not questioned. In my view that is a mistake, which characterizes the current cyber deterrence efforts.
The SONY compromise was a low-grade cyber heist for which the attack software is available for a laughable small sum of BitCoins. The heist can be launched from thousands of readily available Information Services Providers. The total SONY attack could have been executive in a matter of minutes. Traces leading to sources would then disappear without trace.
Meanwhile, defense software and operating countermeasures are readily available and affordable. They should be applied, but that would require executive commitments, which in most cases have not been forthcoming. IT, that until now has been allowed to operate as a largely self-contained function, has now become subject that warrants attention at the most senior levels. I do not believe that legacy IT shops, largely without Board of Director interventions have as yet been able to mature into a framework where security dictates how IT architecture is implemented.
My concern is not the geographic origin of the attackers, but the capabilities of the local defenders. There has been no accountability for any flaws or bugs in the SONY e-mail servers. The defenses were not adequate.
There is no way of avoiding every conceivable cyber attack. However, the full force of what is now available as cyber defenses must be put in place as a deterrent. Network systems must be from now on designed with security as a primary requirement even at the price of economy and convenience.