The hack of Sony Pictures Entertainment—apparently by North Korea, according to the FBI, though the country denies it—is such a big deal it’s hard to know where to start. It’s not just the embarrassing info that came out or the unhappy precedent involved in forcing a high-profile company into a very public capitulation. It’s not even the fact that President Obama thought it was serious enough to threaten retaliation against North Korea, though that’s definitely related.
Countries vs. companies: Not a fair fight
If North Korea is indeed behind it, the real issue here is that this cyberattack was orchestrated by a nation-state against a private company for purely political and ideological reasons. There don’t seem to be any national security or economic or competitive issues at play here. It’s not like North Korea wanted to steal Sony’s movie-making mojo so could come out with a better, cheaper, more popular version of The Interview.
Instead, it was simply a case of a country taking direct cyber action against a company because it didn’t like what the company was doing. And that action clearly, simply, and permanently obliterates the line between economic hacking and direct government action—if not actual terrorism. It’s not just governments vs. governments and companies vs. companies anymore; it’s governments vs. companies, non-state actors vs. almost anyone.
The Stuxnet worm, often attributed to the U.S. and Israel, was a step in this direction, but it appeared to be aimed primarily at Iranian government facilities, although private operations were also affected. More importantly, perhaps, Stuxnet was created by the U.S., not targeting it, which may have soothed Americans while inspiring others. North Korea was also implicated in a cyberattack on South Korean banks and media outlets last year, which apparently carried similarities to the recent Sony hack. But if we’re looking at a world where a major company can be brought low by a sovereign nation just because its government officials were offended, we are now living in a world where it’s basically every entity for itself.
The importance of that transformation cannot be overstated.
As the many breaches of 2014 attest, its not like companies were doing so great protecting themselves against the common criminals and script kiddies. When you raise the potential threats to include entire nations, it’s hard to see how any merely commercial entity can possibly protect itself.
See also: Everything you know about cyberwar is wrong
To be clear, this isn’t cyber terrorism or cyber war. It doesn’t really play into the larger issues of all-out cyberwar or terrorism among nations, where companies might not be prime targets but could certainly end up as collateral damage.
Instead, it demonstrates that companies are now on the front lines of more limited cyber engagements against governmental forces that vastly outgun them, with the resources to easily overwhelm the kind of defenses sufficient to keep out run-of-the-mill attacks.
See also: 10 deadliest differences of state-sponsored attacks
The solution is far from obvious. As the New York Times reported:
"The cyberattack against Sony Pictures Entertainment was not just an attack against a company and its employees," Jeh C. Johnson, the secretary of the Department of Homeland Security, said in a statement. "It was also an attack on our freedom of expression and way of life."
The “way of life” part may be hyperbole, but it’s hard to argue with the “freedom of expression” issue. We’re now living in a world where the internet enables and encourages everyone from individuals to nations who don’t like what someone else does or says to reach out and punish them. And there doesn’t seem to be much anyone can do about it.
Who can fix this?
This is no longer an issue solvable by clever security white hats, sober study groups, or even huge industry consortia. In fact, it may not be solvable at all. The Sony hack may have announced a prolonged era of global cyber insecurity, the consequences of which we cannot yet see.
I don’t think state-sponsored hacking of private enterprises is enough to stall the Internet’s ongoing march to dominate more and more aspects of world commerce and culture. But frankly, it’s starting to get me worried.