This has been an important week for cyber security. As one colleague suggested to me, we may look back on this week as the time when our government finally started to take the constant cyber threat seriously as a national security issue. It might have taken the cancellation of a movie to convince us, but we may finally see these events as the acts of war they are.
It appears now that North Korea was indeed behind the attacks against Sony that disclosed thousands of internal documents and exposed Sony’s employees’ private data. This state-sponsored attack was apparently waged to protest the upcoming release of The Interview, a “buddy comedy” in which unlikely bounty hunters are persuaded to attempt to assassinate North Korean leader Kim Jong Un. As large theater companies announced that they would not carry the movie as scheduled on Christmas day, and as threats of physical violence and terrorism started to emerge, Sony decided to cancel the release of the film. They made this decision even though no evidence of an actual coordinated plot to carry out acts of physical violence was found. Just the threat of violence, combined with the financial implications of what would now be a very limited release of the film, were enough to change Sony’s plans.
This event is significant primarily because it demonstrates how unprepared we are to respond reasonably to a cyber attack. In what is certainly the most dramatic example yet of the relationship between cyber and physical threats, we, as a country, blinked. An act of aggression was carried out, and we cowered. We gave the aggressor precisely what they wanted, because we didn’t know how to deal with this kind of attack with the same level of preparedness our physical military and law enforcement agencies show every day. We should have been able to predict that cyber attack would be used as a lever to threaten and perhaps perform physical acts of violence, Unfortunately, it appears we weren’t able to see that coming.
At least we have been able to figure out the perpetrators reasonably well. An important component of a healthy cyber defense is the ability to identify the cause of breaches after they happen so that we can then fortify our defenses to prevent the same kind of attack in the future. As the FCW article details rather well, some sophisticated but simple-to-explain digital forensics techniques have helped us confirm suspicions that North Korea was involved. Forensics studies revealed that some of the same computers were involved in the Sony breach that were used in attacks against South Korean financial institutions a few years ago, and some of the same lines of computer code were executed to attack Sony as were used in previous attacks attributed to North Korea. Thanks to investigations of previous attacks, cyber security experts have been able to compile a database of attack signatures they can use to identify similarities between what was done before and what they are investigating now. Working from these similarities, digital investigators can attribute criminal cyber activity to particular organizations somewhat confidently. As an industry, we have become reasonably good at this after-the-event whodunnit analysis.
The problem, however, is that we need to be able to do this reconnaissance in real time, as the events transpire, rather than after the damage has been done. In my view, that is going to require improvements on two distinct fronts. For one, we are going to have to integrate data science techniques more centrally into our work as cyber security investigators. Our intrusion detection and prevention systems collect an immense amount of data, but we can’t act on these data quickly if we lack the tools to analyze and draw actionable conclusions from them as they appear. More research must be done at the intersection of cyber security and data science to improve our ability to act swiftly and appropriately as events unfold.
The other important change that must happen for us not to respond so flatfootedly when attacks like this occur has more to do with legislative will than technical innovation. We must figure out how to get organizations to share data about cyber security breaches in real time. The national laboratories have taken this federated approach to collecting and reporting cyber intrusion data for years, and other work has been proposed that applies the same model to other industries like electric utilities. However, a more coordinated, uniform, cross-industry, and international system must be established to share these data in real time, one that requires organizations to report the same kind of data in a standard way, unfiltered, and at an enforceable reporting frequency. This is not a case of Big Brother wanting more complete visibility into our Facebook posts. Rather, this is about trying to achieve the same level of readiness that helps us thwart threats of physical attack. Without complete and dependable information, we risk continuing to operate blindly, which means we will continue to respond awkwardly and inappropriately to what really are acts of war.
The Sony breach might be the tipping point for how we regard cyber attacks, but only if we learn from it. The first step to recovery is to recognize the problem. That part is simple: if you regard this as an act of war, we lost this particular battle, and we can’t afford to lose more. Our strength appears to be our ability to identify the perpetrator after the fact. We can become even better sleuths if we can gather and interpret the data needed to perform such investigations consistently, comprehensively, and in real time. That requires the help of data scientists and legislators. Let’s get to know those two groups of people better.