Sony Corp.'s decision to pull a motion picture release in response to retaliatory terror threats represents an alarming development in the seemingly unstoppable cybercrimewave that has engulfed the world, security experts say.
The Sony situation "is a new and very devastating breach type," said Ray Boisvert, former assistant director of intelligence with the Canadian Security Intelligence Service. He said the threat shows the widespread impact cybercriminals can have. "We need to think about this: Have we moved from the age of the breach to the age of obliteration?"
U.S. officials reportedly believe North Korea is behind the attacks on Sony Pictures Entertainment, which started last month when a group calling itself Guardians of Peace released embarrassing e-mails, unreleased scripts, salary details and other corporate information hacked from Sony's computer systems. That escalated to threats of violence and destruction at theatres that screened The Interview, a fictional comedy about the attempted assassination of North Korean leader Kim Jong-un. After several cinema chains said they wouldn't screen the film, Sony pulled the movie a week before its Dec. 25 release date, a costly decision that has drawn criticism from prominent Hollywood and Washington figures. Pyongyang has denied any involvement in what amounts to a cross between cyberterrorism and economic sabotage.
John Proctor, vice-president of global cybersecurity with Montreal information technology services firm CGI Group Inc., said this is "more of a terror-type event" that runs "completely against the norm of what we see in cyberspace."
Cybercrime typically involves the stealthy infiltration of malicious software into corporate or government computer systems, followed weeks, months or even years later by the electronic extraction of data. These data breaches, including the theft of millions of credit-card numbers from Target and Home Depot, have become pervasive and costly nuisances for companies and government agencies alike, and a source of continual annoyance for individuals who have to constantly change their passwords and sometimes cancel exposed credit cards.
Inadequately prepared data keepers have spent tens of billions of dollars on cyberdefences to counteract increasingly sophisticated cybercriminals. Data raiders have perpetrated more serious breaches, including the theft of health-care and social-security information, state-sponsored cyberespionage and, in some cases, using malware to lock down computers until the owners pay "ransoms" to have them unlocked. But they typically target items of value they can sell illicitly on the black cybermarket, such as batches of credit-card numbers and exploitable bugs in popular computer programs. At the same time, "hactivists," such as those associated with Anonymous, have also been wreaking havoc online.
But the Sony situation and other recent attacks on large corporations are a different breed of attack, allegedly backed by governments in sanctioned states such as Russia, Syria and Iran and seen as a malevolent form of diplomatic payback, said Avivah Litan, a Washington-based cybersecurity analyst with technology research firm Gartner. "This is a whole new form of warfare that wasn't possible a few years ago that makes every private sector company a soldier in this army," she said. "They're not equipped to take on that role."
Some have criticized Sony for being poorly prepared for a cyber attack despite past breaches, and for overreacting after police questioned how credible the violence threat was. But Ms. Litan said the cyberattacks coupled with threats of actual physical violence "takes it to a new level we've never seen before … Every corporation has to be really nervous right now. It's not the last attack we'll see like this."
Steve Weisman, author of Identity Theft Alert and a senior lecturer at Bentley University in Waltham, Mass., said what happened to Sony "is pretty bad but it's not as bad as having the power grid or water systems go down, or the financial system affected. All these things are possible targets of cyberwarfare. This should be a wake-up call for government agencies and private companies."