Massive cyberattacks on companies like Target and Home Depot have grabbed public attention in the past year, but cybersecurity experts say the Sony hack was designed to cause “utter devastation” on an unprecedented scale.
There’s no question, they say, that there will be more large-scale cyber assaults. And whether it’s on another entertainment company, a multi-national bank, a major retailer or a government agency, the hack on Sony has changed the goal from mischief, profit, or spying to simple destruction.
"Regardless of who did it, this breach feels much different than anything I've seen before," said David Kennedy, founder of the information-security firm TrustedSec. "This attack was designed to go after a company on multiple fronts and try to tank it. It's a precedent-setting breach in that this was done to try to destroy Sony."
Hacker groups usually seek money, the chance to show off their skills or the sheer adrenaline thrill of embarrassing a well-known company, Kennedy said. This attack was a broadside launched against Sony, and “went well beyond embarrassment,” in scale and fallout, he said.
Hackers calling themselves Guardians of Peace infiltrated Sony's network, extracted terabytes of internal data including executives' embarrassing emails, and successfully got the company's movie "The Interview" pulled from theaters after threatening violence.
On Wednesday, U.S. officials said they had concluded that the North Korean government was behind the hack, with one official telling NBC News the U.S. “can’t let this go unanswered.” Some cybersecurity experts say they are skeptical of that conclusion.
"The only motivation behind [the Sony hack] is utter devastation," said Chris Hadnagy, another security industry veteran who founded the consultant group Social-Engineer, Inc.
The Sony saga has proven to companies — and the hackers who aspire to attack them — that a new level of slash-and-burn harm is possible. But the experts said that, without solid confirmation of who the hackers are and what their motivation may be, no one can predict with certainty who will earn the dubious distinction of being "the next Sony."
"It's a hard question, because if you said six months ago, 'Who will be the next Target?" I wouldn't have said an entertainment company," Hadnagy said. "I would’ve said gas and oil, or financial — something that would devastate millions of people at one time."
Kennedy agreed the target of any given attack depends on the motivation of that specific hacker or group.
"Objectively, it would be more devastating to go [after] things that are critical to infrastructure, like energy or the financial sector," Kennedy said. "But the other hackers will go after what gets them attention. Like in this case — Sony was a perfect storm to have a high impact in the news. I think we'll see a lot more of this to come."
In that respect, the "basic-level lesson here is that anyone can be a target," said Dave Chronister, the managing partner of Parameter Security, which is hired to hack into companies' systems and test their security.
"This has opened Pandora's Box in a way," Chronister said. "I know there are companies this big, if not bigger, with lax security practices."
But Kennedy is optimistic that companies, however grudgingly, are beginning to take seriously the threat to their business and employee data.
Earlier this week Kennedy met with a manufacturing company, and he said "they were terrified about what had happened to Sony. You get headlines like this and now the board is asking, the executives are asking. Nobody wants this to happen on their watch."
How can they avoid it? Kennedy identified three major takeaways from Sony's situation: First, “fortifying the perimeter” may make it tougher for hackers to get in. Then, if someone is able to get in, companies should have a system that detects unusual activity on the network. Even with both of those in place, however, human beings who click on links in suspicious emails might still leave the metaphorical front door wide open.
"We in the sector have been saying for years, 'OK, guys, you really need to lock this down ...' 'OK, we’re getting to that point where we can't ignore this any more ...' and now it's happened," Kennedy said.
It can be tough for people in the security industry to strike that balance, said Hadnagy, the Social-Engineer founder. Fear can overwhelm companies and people, and cause them to stick their heads in the sand.
In Kennedy's view, the burden shouldn't be solely on companies who may become victims. He hopes the security industry, which he said sprung up only about 15 years ago, will focus on "fixing the core architecture of these [companies'] systems. We can't just bolt things onto foundations that are already flawed."
Hadnagy hopes companies across all sectors see Sony’s situation and decide to invest in having their own systems tested.
"But if history repeats itself, as it often does, companies will take the gamble," he said. "They think, if I don't pay for this now and I don’t get hacked for five years, that works out for me. But truly intelligent companies don’t think that way. They don't wait to become a target."