I’ve read a lot of commentary on the Sony hack and even penned a bit of my own on it. Ironically, what I ended up releasing was just fluff due to wild speculation at the time. I had actually written a piece decrying the fact that private companies are being forced into a position where they are fighting political and military-level battles against nation-state armies, while the U.S. government sits by spouting worthless commentary about threat and information sharing (for years). Maybe I’ll share that post some day…
All of this commentary aside, I was really inspired by Anup Ghosh’s piece Game Change: Three Reasons Why #SonyHack Will Change Security. Having been on the forefront of the evolution over the years, specifically in the IR space where I’ve seen more than my fair share, I disagreed with his high-level statement. Let me explain why.
Things Haven’t Changed
Anup mentions that the landscape started to shift due to the RSA hack in 2011, let alone the follow-up report on APT1 in 2013; publicly, that may be true, but it was actually changing well before this, and I’m sure before I was even brought into the fold. I was brought into the fold around 2008/9, as the C-suites across some of the largest defense contractors/Fortune 500 were being handed security clearances to be briefed on what was actually going on with regards to Chinese hackers (e.g. [the real] APT) siphoning off their intellectual property. This said, I believe I entered this arena as one of the first 26 companies invited. Interestingly enough, only roughly half of the companies showed up at the recurring meetings we held to address the problem together. This is after the C-suite was explicitly told what was happening to their data and networks. Put another way, only half cared.
So did anything really change in 2011-2013, other than more publicity for the topic? Nothing dramatic: the companies who invested continued to invest, and those that didn’t kept doing more of the same or invested incrementally. As an example, this year I asked one of the largest defense contractors (one that was invited to those meetings in ’09) how they had dealt with APT1 in their network, as I had intel stating they had been in there recently; they had blank looks on their faces. Incidentally, I came to find out months later they were now writing a $1M check for Incident Response. Five years later, they were still bleeding IP and had not built out a true capability to properly deal with the issue. The reality is that we’ve been dealing with nation-state attackers for years, and relatively few companies have identified it as a true business imperative and properly invested to deal with them; most others continue to struggle.
On the criminal side of the house, the 2007 TJ Maxx hack did little to influence change across the broader landscape. Fast-forward to 2011, and the Information Security community thought the $170M+ tab for the Sony PSN hack would finally change the game. Now jump ahead to 2013, and the Information Security community thought that the Target breach would finally change the game as well. Considering the CEO was let go, InfoSec was now a board-level issue! There are indications that it did become a larger issue, as retailers invested more in security in 2014, though they seemingly moved at a snail’s pace, thinking business as usual, “this won’t happen to us”, and “we sell hammers”; we can see the results as Home Depot, Staples, Bebe, Dairy Queen, Jimmy John’s, and more continued to fall victim. Speaking of Anup’s post, I think he hit the nail on the head on this side of the house.
Two Other Key Considerations
1. The Board generally has more important things to worry about. For example, in the U.S., we are motivated by short-term returns…
While security may be an important topic, it may only get 5-15 minutes (1-3%) of an all-day Board meeting, with other risk areas seeing more time, let alone the content that actually drives the business. As an aside, it astounds me how many InfoSec pros openly question why a company continues to do business in China even though they are continually hacked by Chinese APT. It’s a business: U.S. business leaders would generally rather make $1 than $0, and try to find an answer to that problem later.
2. The vast majority of CISO candidates are ill-prepared for the job.
I once said that CISOs should be required to have a background in Incident Response, and I still believe that to be true today. My favorite CISO quote of the year was, “I have no need for Incident Response; if I get hacked, I’ll deal with it then.” Simply put, if you are a CISO in today’s world, you are on point to fight foreign military units and organized criminal enterprises… you probably didn’t see that coming while you were working on your IT and/or MBA degrees.
While there is a growing community of #IDR (Intel-Detect-Respond) folks, it is still rather niche considering the number of years it has been around, and Prevention continues to be “the answer” chosen most often, many times due to lack of headcount. While I think great leaders can grow into a CISO role and will understand they need to overweight in the #IDR space, I believe the pool of folks that understand this, and/or of knowledgeable people that CISOs can reach out to and hire, is rather limited.
So why do we think the Sony hack of 2014 will change anything? Due to the destructive nature of the attack? Due to bad press? Due to the convergence of attack types and fallout? I don’t buy it. Factually speaking:
1. Sony’s stock is right off a 52-week high; it has not crashed during or due to this attack.
2. “Annie”, which was leaked and had less than stellar reviews, opened to a bigger weekend than anticipated.
3. Sony is still in business.
4. Other companies notice this.
Will Sony take a financial hit? Absolutely. Perhaps nearing $500M-1B when it is all said and done. I also believe they will swing the security pendulum completely the other way, similar to Target, to show everyone they take information security seriously. I doubt other companies will follow suit in swinging that pendulum very far, though; simply put, relatively few invested quickly and properly to combat nation-state APT and cyber criminals, so why would they factor the even more remote possibility of a country destroying their network into their company risk equation?
I’d love to hear feedback on Twitter, so please reach out @SeanAMason.