I wasn’t really planning on watching The Interview today because honestly, it didn’t look very good, but the Sony hack and the subsequent response to the hack (pulling of the movie by theaters and Sony and then showing it online and at limited theaters) were good motivating factors. On the original release date of The Interview, I thought it timely to write about my thoughts on the Sony hack. (Thanks for giving me additional work on Christmas, you evil Guardians of Peace.)

Whenever a hack happens, I’m asked about my thoughts on it. How did it happen? Who did it? What are the consequences? Why weren’t they protected? Should my company be more protected? Recently, thanks to the Home Depot, Staples, and Target attacks, to name a few, the volume of these questions has been higher than usual. However, the Sony hack really summarizes my thoughts on what’s wrong with the current state of information and data security.

I’ve been doing security for only about 5 years, but the landscape of security challenges has changed drastically in this period. Web security has come into greater focus. Hackers have become more aggressive. Media coverage of hacks has become more prevalent. It has been an immense learning process for me. Even as a PhD student, it’s hard to predict the evolution of the security industry. If you were to ask me the biggest security issue in the next 5 years, I couldn’t give you a good answer. One thing is for sure: security will always be a growing concern.

Here’s a summary of what we know regarding the Sony hack so far, which was enabled by stolen credentials, and here are some of my thoughts on the whole situation.

Sony was totally unprepared. The amount of information that the hackers were able to gather before being detected was truly ridiculous, especially the number of sensitive files accessed, like the password files in a folder called Passwords. Fundamentally, there is nothing wrong with calling a folder “Passwords,” but the contents should have been encrypted and access to them carefully monitored. This is security 101. This lax security surprised me because Sony was also hacked in 2011, and consequently, they should have completely overhauled their security system with the help of outside consultants. If they tried to do this, they did a terrible job.
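The “carefully monitored” part above is the piece that would have shortened the attackers’ window. As an added example (not code from the original post), here is a small detector that flags any account reading a sensitive share, here a folder literally named “Passwords,” unless it is on an allow-list and reads only a handful of distinct files in a short window; the log format, account names, paths and thresholds are all constructed assumptions.

```python
# Added example: flag unexpected or bulk reads of a sensitive folder.
# Log format "<timestamp> <account> <action> <path>", the accounts, the
# paths and the thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PREFIX = "/shares/Passwords/"   # assumed location of the folder
ALLOWED_ACCOUNTS = {"svc-backup"}          # assumed accounts expected to read it
MAX_FILES_PER_WINDOW = 5                   # assumed per-account threshold
WINDOW = timedelta(minutes=10)

# Constructed sample file-access events (not real logs).
SAMPLE_LOG = """\
2014-11-20T02:01:10 svc-backup READ /shares/Passwords/vendor_logins.xlsx
2014-11-20T02:01:12 svc-backup READ /shares/Passwords/db_creds.txt
2014-11-20T03:14:01 jdoe READ /shares/Passwords/vendor_logins.xlsx
2014-11-20T03:14:02 jdoe READ /shares/Passwords/db_creds.txt
2014-11-20T03:14:02 jdoe READ /shares/Passwords/ftp_accounts.docx
2014-11-20T03:14:03 jdoe READ /shares/Passwords/wifi.txt
2014-11-20T03:14:05 jdoe READ /shares/Passwords/aws_keys.txt
2014-11-20T03:14:07 jdoe READ /shares/Passwords/certs.pfx
2014-11-20T09:30:00 asmith READ /shares/Finance/q3.xlsx
"""

def parse(line):
    ts, account, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, action, path

def find_suspicious(log_text):
    """Return {account: max distinct sensitive files read within WINDOW}
    for accounts that are not allow-listed or exceed the threshold."""
    events = defaultdict(list)  # account -> [(timestamp, path)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, action, path = parse(line)
        if action == "READ" and path.startswith(SENSITIVE_PREFIX):
            events[account].append((ts, path))
    flagged = {}
    for account, reads in events.items():
        reads.sort()
        worst = 0
        # Slide a window starting at each read; count distinct files inside it.
        for i, (start, _) in enumerate(reads):
            files = {p for t, p in reads[i:] if t - start <= WINDOW}
            worst = max(worst, len(files))
        if account not in ALLOWED_ACCOUNTS or worst > MAX_FILES_PER_WINDOW:
            flagged[account] = worst
    return flagged
```

On the sample above only `jdoe` is flagged (six distinct password files in about six seconds); the allow-listed backup account reading two files is not.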

I don’t think North Korea did it. By that, I mean I don’t think that North Korea has an elite team of hackers that attacked Sony’s servers. It is possible that North Korea contracted these hackers, which is really easy to do on the Internet black market. Another possibility is that a disgruntled ex-employee did this and tried to blame North Korea. This attack was too sophisticated for an isolated country not known for its technological advances. It even lacks the military technology that the US has, so it’s hard for me to believe it has the technological ability to carry out a targeted cyber attack. (Okay, let’s not give the hackers too much credit. It wasn’t even that hard of a hack, but it was too much for North Korea.) Similarly, hackers are really good at hiding their tracks, but the evidence pointing to North Korea is almost too clear. I don’t buy it, but that’s my opinion. It seems that security experts are also split on the issue.

Companies should care about their users’ security and privacy. This might seem like an obvious statement, but I can’t count how many times I’ve talked to startups and companies that say users don’t care about their privacy or that security is unnecessary at this point in the company. This attitude is the real problem, and it’s what really frustrates me. Of course, by the time a company realizes it needs security, it’s too late. Companies like Target and Sony will always be remembered for that ONE time they were hacked, not all those times they weren’t. I understand that companies think security is expensive and that its impact is hard to quantify or see. However, this hack is costing Sony way more (recovering from the attack, bad PR, bad branding) than if they had initially invested in good security. Finally, users do care about their security. I’m pretty sure that if a company were to advertise the following feature, “Weak Security: your information might be leaked,” that company would have a small user base. If any company questions whether users care about their security or privacy, they should ask their users directly, the way they ask about features, instead of speculating (I’m pretty sure it’ll show that users care about how their data is used and protected). Although Sony will recover from this attack because they are a publicly traded company with substantial amounts of cash, for a startup or a smaller company, this would be game over.

Companies should consider security from the very beginning. I’m not saying that a startup should have a Google, Facebook, or Twitter sized security team. Startups should have security in mind when developing their product. Obviously, as a smaller company, there is less risk of attack compared to a bigger company, which is also a bigger target. However, there is still risk, so they should evaluate these risks and make informed decisions on secure data management for their situation. Sometimes, this will require some outside help, but as I described above, it’s totally worth the investment. Moreover, it will cost the company way more money in the future to fix its security problems once it has accumulated “security debt.” Here are some numbers on the potential return on investment in data security for your company. Attacks will inevitably happen as a company grows, so the question becomes whether it can thwart these attacks and mitigate their effects.

Cybersecurity is a national security issue. It is one of the most underrecognized issues. Obama has already made progress on this front with his executive orders. However, we have a long way to go before many of these orders are even implemented. The problem is that security evolves fast, and if fundamental changes are not implemented soon, it’s hard to catch up, and we will continue to fall farther and farther behind. To put things in perspective, when Facebook went down for 20 minutes, they lost $500,000 in revenue. Just imagine the amount of productivity lost if the Internet went down for 1 minute, or if all computers were broken for 1 minute. The economic impact is unimaginable. An important first step is for companies to recognize the issue and take it seriously. I hope the Sony hack is a wake-up call to everyone.

The Interview was an okay movie, but it was hilarious. Yes, I watched The Interview on YouTube before I wrote this blog post. It’s become almost the signature movie of the security community even though it has nothing to do with cybersecurity. Anyway, Seth Rogen and James Franco are a hilarious duo, but the movie itself was predictable and not especially exciting or well-crafted. Oh well. It was a good laugh on Christmas Day.

These are my thoughts on the issue. The Interview has unintentionally sparked a huge national conversation about cybersecurity that I hope will continue.

