WASHINGTON – We have just witnessed the first major incident of cyberblackmail or cyberterrorism.
Sony capitulated, saying “In light of the decision by the majority of our exhibitors not to show the film ‘The Interview,’ we have decided not to move forward with the planned Dec. 25 theatrical release.” This cannot be good, but it obscures a more unsettling message: Our digital dependence exposes us to catastrophic failures of basic services.
Before Sony’s surrender, the media had generally treated the massive breach of its computer networks as an entertaining yarn. Tens of thousands of emails released. Embarrassing comments made by studio executives (Angelina Jolie a “spoiled brat”). Sensitive pay data dumped. All this fed the public appetite for celebrity gossip.
No more. This is no joke.
It seems a landmark event. Other aggrieved groups may imitate the attack – which the FBI blames on North Korea. They will invade their adversaries’ computers and, if successful, use the resulting torrent of documents to cripple, extort or embarrass their opponents.
But this is only the first-order consequence. Sony’s hacking also alerts us to the ultimate cybersecurity horror: the breakdown of vital electronic systems – power plants, financial networks, water supplies – that creates anarchy.
Imagine a major city without power for an extended period. We don’t know the odds of this, but they are far greater than zero because so much of daily life depends on vulnerable digital networks.
Until now, the motives for hacking have mostly been criminal and commercial. Thieves steal credit-card data or a whole range of personal information to construct false identities. Companies pilfer the trade secrets, business plans and technologies of rivals.
Business is booming. A CSIS study puts the worldwide cost of cybersecurity between $375 billion and $575 billion annually, covering everything from stolen credit cards to the expense of protecting systems.
But cybercrime and cyberwarfare are different animals. To its victims, cybercrime can be tragic personally or fatal commercially. But it’s not a social breakdown. That’s what cyberwarfare threatens. The motives are political. The Sony hacking was of this sort. It may be a harbinger.
The Russians, Chinese, Iranians and many rogue groups have reason to hack U.S. computers. We may not spot all the incoming malware (Sony didn’t) and, even if we did, the damage done to the network may take weeks or months to discover and remove.
What’s emerging is a new form of warfare with its own weapons. The advantage lies with the cyberattackers for three reasons.
First, they need to find only one entry point into a computer system, while the defenders must guard all possible entry points. In the face of a determined attack, the defense must be almost perfect, not just superior.
Second, it’s often hard to determine who’s the attacker. This frustrates retaliation, enhancing the appeal of attacking. Although intelligence assessments quickly connected North Korea to the Sony hacking, some observers initially found the hard evidence thin.
Third, companies may underinvest in cybersecurity, says Allan Friedman of George Washington University. The reason: If it succeeds, it doesn’t show any return on investment. It doesn’t generate revenues or profits. There’s a tendency to skimp. Of course, without it, companies could suffer huge losses.
Are we staring down a cyberabyss? If you talk to security experts, many are relatively optimistic. They say that our systems have ample redundancy and backup. There may be failures, but rebounds will occur rapidly. The United States is also developing its own cyberattack capabilities that would surely deter some possible adversaries. Still, to have any redeeming value, the Sony debacle needs to awaken us to our growing digital vulnerability.
Robert Samuelson is a columnist for The Washington Post. © 2014 The Washington Post Writers Group.