Sony Pictures Postmortem Reveals Death by Stupid
We already knew Sony Pictures Entertainment’s (SPE) hack was bad. We knew that the parent, Sony Group, had been exposed to cyber attacks of all kinds for years across its subsidiaries, and slow to effect real changes to prevent future attacks.
And we knew both Sony Group and SPE shot themselves in the feet, literally asking for trouble by way of bad decisions. Sony Electronics’ 2005 copy protection rootkit scandal and SPE’s utter lack of disregard for geopolitics opened the businesses to risk.
But FORTUNE magazine’s expose about the hacking of SPE — of which only two of three parts have yet been published — reveals a floundering conglomerate unable to do anything but flail ineffectively.
It’s impossible to imagine any Fortune 500 corporation willing to tolerate working with 1990s technology for any length of time, let alone one which had no fail-over redundancies or backup strategies, no emergency business continuity plan to which they could revert in the event of a catastrophe. But FORTUNE reports SPE had been reduced to using fax machines to distribute information, in large part because many of its computers had been completely wiped by malware used in the attack.
Pause here and imagine what you would do (or perhaps, have done) if your computer was completely wiped, taking even the BIOS. What would you do to get back in business? You’ve given more thought about this continuity challenge than it appears most of SPE’s management invested prior to last November’s hack, based on reporting to date.
A mind-boggling part of FORTUNE’s expose is the U.S. government’s reaction to SPE’s hack. The graphic above offers the biggest guffaw, a quote by the FBI’s then-assistant director of its cyber division. Knowing what we know now about the Office of Personnel Management hack, the U.S. government is a less-than-credible expert on hacking prevention. While the U.S. government maintains North Korea was responsible, it’s hard to take them seriously when they’ve failed so egregiously to protect their own turf.
A fast read of Part 1 of the expose validates previous concerns about SPE’s and Sony Group’s approach to security. At a minimum, each of the following issues would have been addressed by a savvy business, substantially reducing risk:
• Adequate physical site security
• Secured hardware, cordoned off by its function, by way of physical location, firewalls, other services
• Adequate security software from mobile devices to servers
• Monitoring of all content transmissions for size, frequency, pattern, authorization
• 2-step authentication across organization, with frequent mandatory resets
• Catastrophic business continuity planning (especially important in an earthquake-prone area)
• Security screening of all new hire personnel and contractors
• Personnel trained on IP security practices, appropriate to job level, refreshed regularly
• Appropriate response time to security threats and breaches
• Geopolitical risk assessment on all content production
• Ethics reporting mechanism allowing employees to notify management of suspect behavior
• Process improvement mechanism through which employees can suggest improvements and receive rewards for same
• Accountability throughout management chain
• Management aware of risks inherent to digitized intellectual property
The FORTUNE expose, nor any previous reporting by any other outlet, indicates that these issues were addressed before the November hack as part of corporate policy and practices.
It’s clear there is a serious problem at SPE from FORTUNE’s opening grafs. It’s hard to imagine any Fortune 100 business allowing un-vetted visitors to sit unattended with ready access to unsecured. computers and network. The rest of the article is equally disturbing, casting the U.S. State Department and the FBI in equally unflattering light.
Why didn’t the State Department and the FBI come right out and tell SPE it was at serious risk of cyber attack, given what they already knew about North Korea’s alleged attacks on other U.S. systems and businesses?
Why didn’t the State Department spell out just how big a risk Seth Rogen’s ego-inflating boy flick The Interview was, even if it meant giving SPE executives and Rogen a basic history lesson in Japanese-North Korean/U.S.-Korean history?
We know there’s a relationship between the Department of Defense and Hollywood — why wasn’t the DOD likewise involved to provide assistance with shaping message and providing cyber defense?
Given the tepid efforts offered by the U.S. government, one can only wonder if SPE and Sony Group weren’t a sacrificial offering in cyber warfare.
Bait, as it were. Or a propaganda opportunity.
“Why didn’t the State Department and the FBI … Why didn’t the State Department … why wasn’t the DOD likewise involved … ?” I’ll tell you why: Because they don’t see “helping people” as being part of their job. The FBI is there to help the government, not the country or its people. State is there, again, to further the aims of the government – good or bad for the country be damned. DOD is so huge and unwieldy that it can’t do something simple like cybersecurity for a corporation and so won’t even try (the relationship with Hollywood is for Offensive purposes, not Defensive – witness Zero Dark Thirty). And would you want DOD involved in this stuff? I sure don’t. This really is a clarion call for a specific bureaucracy dedicated to this task (I know, I know). It’s a DHS job, and unfortunately, we know that they can’t do crap — even providing livable trailers for hurricane victims. The Feds should limit their “help” to essential infrastructure. Sony sure isn’t that; leave them to rot in a grave of their own making.
Therein is the conflict, though: post-hack,White House and DOJ implied that Sony (and Hollywood) are critical infrastructure, must be protected using all our government resources.
And yet these same government resources did jackshit to prevent the attack.
And THEN we find out the government did jackshit to prevent an attack on actual critical infrastructure.
What the fuck is really going on?
Stupid – or connected? Thru 2014, Sony’s Chief IT Security Officer was Philip Reitinger, who held “key cyber security positions in the U.S. Department of Homeland Security, Microsoft Corporation, the U.S. Department of Defense, and the U.S. Department of Justice.” He was followed by John Scimone, who has “held a number of leadership positions at the U.S. Department of Defense, including Director of Security Operations for the Secretary of Defense’s communications office.”
http://www.sony.net/SonyInfo/News/Press/201109/11-109E/
https://www.linkedin.com/pub/john-scimone/a1/41/b2
Mm-hmm. *- nodding vigorously -*
One interesting question — how to know what is ‘critical infrastructure’. Because if you don’t know something exists, you can’t tell whether it’s critical or not. For example, the OMB database(s) — how many, outside that limited area of government, even knew that those databases existed? Sure, we know that the government collects lots of information, but where is it stored? When you get a background check, how many different places is your data kept? When you give information for one purpose (SSI #), it may end up being kept in a dozen separate places (think of data sharing within DHS). You think any government bureaucracy will gladly tell some “cybersecurity overseer” everything it does, in all forms? Hah. So you’re left with each agency handling its own work, no oversight. That’ll work out well.
Any database containing information about government employees is critical infrastructure. Period. Only matters left open for debate are just how much of the critical infrastructure was compromised, and the method. Probably doesn’t matter at this late date who did it since the data could have been sold many times over.
Just boggles the mind: the government simply went about its business with its barn door wide open. And they’d been warned, in writing, in a paper ca. 1999 written by PRC military officers, there would be asymmetric warfare including attacks on computers and networks.
You gotta remember that the Feebs were late to the desktop computer game. Louis Freeh flatly refused to allow them, even as many other Federal agencies were already heavily into laptops.
But were the FBI rank-and-file employees late to computers? Maybe management, but not the younger new hires. They’d have been familiar with them at home and school. Hate to think the younger generation was so careless they couldn’t tell management there’s a persistent threat.
They are all to busy suiciding Aaron Swartz and faking up charges against Barrett Brown to do anything constructive. Sucks to be a government employee.
Agreed. Their job is not to help the American people, it is to help the Government. No time for that other stuff.
A cyber goat tied to a tree? Or does it show what happens when the govt encourages companies to be open to their snooping, and impliedly to everyone else’s? And where does Sony Corp in Japan, SPE’s parent, fit into this narrative?
One would think a shareholders’ derivative suit should be forthcoming promptly, especially with these revelations. That’s notwithstanding the legions of Harvard Law professors and their peers defending corporate management’s right to screw up without consequence (aka, the business “judgment” rule). True, courts don’t like snoopy shareholder challengers to the vaunted rights of management. The burden here would be greater because SPE is a subsidiary of a publicly traded Japanese company. A suit would have to maintain that Sony’s managers and board violated the business judgment rule by allowing such a sad state of affairs to exist at such an important subsidiary. And subsidiary managers themselves would have to be found to have violated the business judgment rule. Perhaps they were just following orders from their parent. Harder still, applicable rules may impose a Japanese forum and Japanese law on such suits.
The odds may be similar to winning a four horse accumulator, but the archaic cyber protections for SPE’s crown jewels should be reason for a valiant try. It might be worth it to scare out from behind the woodshed other companies with similarly archaic “protections” for the few assets they still prize owning, or to encourage them to cut executive bonuses just once and to spend the money on protecting those assets with better virtual and physical protections for their data.
There’s an interesting article tonight on the US harvesting bugs in software systems to launch offensive attacks on foreign government installations.
http://www.wired.com/2015/06/turns-us-launched-zero-day-policy-feb-2010/