Is Sony Hack Really 'The Worst' In U.S. History, As CEO Claims? | KERA News

Dec 23, 2014
Originally published on December 23, 2014 5:54 pm

The CEO of Sony Pictures has been saying that the cyberattack against his company is "the worst cyberattack in U.S. history." And you can see where he's coming from. An entire feature film got canned — at least for now. And his corporate networks were so damaged, Sony workers had to revert to using fax machines to communicate. That said, "the worst" is a big claim.

A lot of people feel for Sony Pictures and CEO Michael Lynton in particular. No one wants their inbox flung all over the Internet for the world to see. Many say the Sony hack is by far the most embarrassing hack. But the worst?

"Clearly this is the first time a movie has been prevented from being released," says Ron Gula of Tenable Network Security. "In raw numbers, the Slammer virus infected 75,000 computers almost instantly. Code Red infected almost half a million computers. And Conficker infected millions of computers."

Gula listed large-scale attacks, such as those against the entire Windows operating system.

"Yes, some files were stolen, some files were leaked and destroyed," says Steve Sin, a researcher at the University of Maryland. "But if you look at things like JPMorgan, [a] lot more files were actually stolen that contained the personal data of just normal people like you and me."

Robert Rodriguez with SINET, an industry association that brings together government and private-sector security experts, says, "It's hard to say if it's the worst attack because we don't know — some things have happened in terms of attack on critical infrastructure."

And by "critical infrastructure," Rodriguez is referring to things like dams and electricity grids. These attacks go largely unreported to the public. There are 16 categories of critical infrastructure.

"But media doesn't fall under that," Rodriguez says.

Rank it as you will, the Sony hack is clearly getting insiders to think about how to slice and dice and size up the damage.

The president has called the Sony hack an act of cyber-vandalism. Rodriguez thinks that's too soft — it was far worse than a bad graffiti job. But he would not call it an act of war, as some politicians have.

Instead, Rodriguez introduces a new label: "In terms of known attacks, I would call it transformational."

What we call it and who the perpetrators are — these have real-life financial implications.

Like many major companies, Sony has insurance to cover damages in the case of cyberattack. While the terms of each contract are different, insurance expert Mary Beth Borgwing with Advisen Ltd. says if North Korea really did do it, the insurance probably won't kick in.

"It depends on how you manuscripted the policy with the underwriters, with the insurance company," Borgwing says. "I would say that an act of war would be something that most likely, in high probability, would not be covered."

But if North Korea is the perpetrator, there could be a financial upside for Sony. If the victims of the Sony hack sue in court, the CEO can use national security as a defense or turn to the government for help with damages.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

The CEO of Sony Pictures says his company was hit by, quote, "the worst cyberattack in U.S. history." And you can see where he's coming from. An entire feature film got canned - at least for now - and corporate networks were so damaged, Sony workers had to revert to using fax machines to communicate. That said, the worst is a pretty big claim. NPR's Aarti Shahani takes a closer look.

AARTI SHAHANI, BYLINE: A lot of people feel for Sony Pictures and CEO Michael Lynton in particular. No one wants their inbox flung all over the Internet for the world to see. And many say the Sony hack is by far the most embarrassing hack, but the worst?

RON GULA: Clearly this is the first time a movie has been prevented from being released. But in raw numbers, you know, The Slammer infected 75,000 computers, you know, almost instantly. Code Red infected almost half a million computers. And Conficker infected millions of computers.

SHAHANI: That's Ron Gula with Tenable Network Security, and he's listing off attacks that are large-scale, like against the entire operating system Windows. He is not alone in this assessment. Here's Steve Sin with the University of Maryland.

STEVE SIN: Yes, some files were stolen, some files were leaked and destroyed and things like that. But if you look at things like JPMorgan, a lot more files were actually stolen that contain the personal data of normal people like you and me.

SHAHANI: And here's Robert Rodriguez with SINET, an industry association that brings together government and private sector security experts.

ROBERT RODRIGUEZ: It's hard to say if it's the worst attack because we don't know what - some things have happened in terms of attacks on our critical infrastructure.

SHAHANI: And by critical infrastructure, Rodriguez is referring to things like dams and electricity grids. These attacks go largely unreported to the public. There are 16 categories of critical infrastructure.

RODRIGUEZ: But media doesn't fall under that.

SHAHANI: Rank it as you will, the Sony hack is clearly getting insiders to think about how to slice and dice and size up the damage. The president has called the Sony hack an act of cybervandalism. Rodriguez thinks that's too soft. It was far worse than a bad graffiti job. But he would not call it an act of war, as some politicians have. He introduces a new term.

RODRIGUEZ: In terms of known attacks, I would call it transformational.

SHAHANI: What we call it and who the perpetrators are - these have real-life financial implications. Like many major companies, Sony has insurance to cover damages in the case of cyberattacks. While the terms of each attack are different, insurance expert Mary Beth Borgwing with Advisen Ltd. says if North Korea really did do it, the insurance probably won't kick in.

MARY BETH BORGWING: It depends on how you manuscripted the policy with the underwriters, with the insurance company. I would say that an act of war would be something that most likely, in high probability, would not be covered.

SHAHANI: But if North Korea is the perpetrator, there could be a financial upside for Sony. If and when the victims of the Sony hack sue in court, the CEO can use national security as a defense or turn to the government for help with damages. Aarti Shahani, NPR News.

Transcript provided by NPR, Copyright NPR.