Sony's Action Called 'Dangerous Precedent'Cancellation of Release of 'The Interview' a 'Shocking' Move
Many security experts say Sony Pictures Entertainment's decision to cancel the release of the film "The Interview" following a "terror" threat made by hackers against movie theaters and theatergoers sets a dangerous precedent.
See Also: Dynamic Detection for Dynamic Threats
"This is indeed shocking," says Anton Chuvakin, research vice president for security and risk management at the consultancy Gartner. "To me, this sends a message that a small group of people can do anything to a major corporation."
On Dec. 17, Sony Pictures, in a statement to news outlets, confirmed it was canceling the film's release. "In light of the decision by the majority of our exhibitors not to show the film, we have decided not to move forward with the planned Dec. 25 theatrical release," Sony said. "We respect and understand our partners' decision and, of course, completely share their paramount interest in the safety of employees and theater-goers."
The Guardians of Peace - which has claimed credit for stealing and leaking Sony data, as well as waging a wiper malware attack that deleted an unknown number of Sony hard drives - issued a "terror" threat Dec. 16 against theater operators who opted to show "The Interview." The comedy, which centers around a tabloid TV reporting team who land an interview with Kim Jong-Un and are approached by the CIA to instead assassinate him, was scheduled to debut December 25 (see: Sony Hack: Is North Korea Really to Blame?).
The Department of Homeland Security reported that it saw "no credible intelligence" of an actual Sony-related "terror" plot, as did President Obama. "Well, the cyber-attack is very serious. We're investigating, we're taking it seriously," Obama said in an interview with ABC News. "We'll be vigilant, if we see something that we think is serious and credible, then we'll alert the public. But for now, my recommendation would be that people go to the movies."
Management consultant and information assurance trainer William Hugh Murray, who worked at IBM for more than 25 years, says Sony made the wrong move in canceling the release of the film. "Once more the terrorists have won," he says. "Once more the American people have proven to be fearful and feckless. Those who have sacrificed life and limb to defend our freedoms have been betrayed. We have all been shamed."
Others, from politicians to Hollywood celebrities, have also criticized the move by Sony Pictures not to release the film.
Actor Rob Lowe tweeted: "Saw @Sethrogen at JFK. Both of us have never seen or heard of anything like this."
Security experts are shaking their heads over the fact that hackers have been able to get Sony to halt the release of a multi-million dollar film.
Al Pascual, director of fraud and security at Javelin Strategy and Research, tells Information Security Media Group: "If Sony is honestly going to cancel this movie in reaction to the demands of the [Guardians of Peace], it is both naÃ¯ve and sets an incredibly dangerous precedent."
Others, including former presidential candidate Newt Gingrich, shared similar sentiments on Twitter.
No one should kid themselves. With the Sony collapse America has lost its first cyberwar. This is a very very dangerous precedent.ï¿½ Newt Gingrich (@newtgingrich) December 17, 2014
Yet, this wouldn't be the first time that a cyber-attack has dealt such a significant blow to a company. The DDoS attack against source code hosting firm Code Spaces earlier this summer is another example of the type of damage hackers can now cause, says Rick Holland, security analyst at Forrester Research (see: DDoS + Breach = End of Business).
"Code Spaces was put out of business for not conceding to hackers demand," Holland says. "The Code Spaces incident started out as a DDoS extortion scheme and then went horribly wrong. The company was put out of business once the attackers got access to their Amazon infrastructure."
Sony's Concerns Not Over
And giving into hackers' demands to stop the release of the film doesn't mean Sony is off the hook, experts warn.
"I suspect that this [was] a move designed to buy Sony time, with the hope that they can triage the fallout from the breach from a business perspective and continue the investigation to identify those responsible," Pascual says. "[But] Sony can never be sure that the G.O.P. would hold up any end of a bargain to not release additional information if they cancelled 'The Interview' permanently, and further still the G.O.P. could release additional information at a later date to pressure the company on another initiative."
Now that Sony has given in to hackers, similar types of extortion could continue at other organizations, Forrester's Holland says. "When you pay off Tony Soprano, he is just going to keep coming back to collect his money."
Takeaways for Organizations
The Sony hack shows that the script for attacks on major U.S. media and other possible entities, such as national critical infrastructure, has been written and materialized into a new reality, says JD Sherry, vice president of technology and solutions at Trend Micro. "This goes to show the importance of investing in sound cybersecurity strategies and proper risk management" to reduce the likelihood of massive collateral damage when a cyber-attack occurs, he says.
In addition, organizations need to have a plan for dealing with extortionists, Holland says. "They need to balance the losses of not giving into demands vs. the losses of standing firm," he says. "Having an extremely immature security program that enables the attackers to control almost all of your infrastructure obviously only exacerbates the problem."
While the incident may not destroy Sony Pictures, the damage is significant, says Gartner's Chuvakin. "Other organizations should improve their defenses so that they can detect the breach early enough and prevent the damage," he says. "It is pretty obvious that focus on stopping [the attack] won't work" (see: Speeding Up Breach Detection).
Another step that organizations should take is to ensure that they have an experienced chief information security officer who has direct access to the board of directors for recommending investments to protect the entities' intellectual capital and brand, Sherry advises.
In addition, organizations need to look at their networks, processes and defense capabilities with an unbiased eye, operating under the assumption that they are already compromised and working backwards from there, Sherry says. "This is what I would refer to as a 'zero-based thinking' risk model. The ultimate outcome of this approach is to envision that you are already breached and what failure modes are present that would have allowed for said breach. This allows a clean slate for how and where investments should be made to strengthen corporate and government defenses."