Why the Sony hack should scare feds

As the fallout from the unprecedented electronic attack on Sony Pictures Entertainment continues, cybersecurity experts said federal IT managers -- while likely facing no immediate threat from the group that attacked Sony -- should be paying close attention.

The Sony Pictures attack -- which has left tens of thousands of the company's employees without computers or network access and scattered terabytes of sensitive data in the wind -- marks a new milestone for cyber "bad actors," according to Greg Bell, U.S. leader for cyber services and information protection at KPMG.

The attack by a group that calls itself "Guardians of Peace" marks a shift by cyber attackers to a more destructive path, Bell told FCW. Traditionally, attackers have focused primarily on monetizing stolen credit card and personal information purloined from U.S. companies. Lower-profile, but more concerning, exfiltration of intellectual property data and competitive business information tied to corporate or national interests have also been part of past attackers' modi operandi.

The attack on Sony marks the first time in the U.S. when an attacker has so blatantly damaged a corporate network and targeted and destroyed data in that system, Bell said. The group didn't ask for money, but demanded Sony block the release of "The Interview," a comedy parodying a CIA assassination attempt on North Korean dictator Kim Jong-un. North Korea is a prime suspect and has praised the attack while denying direct responsibility.

Similar incidents, although rare, have cropped up overseas in the last two years. An attack on Middle East energy company Saudi Aramco in 2012 and cyberattacks in 2013 on South Korean television stations and a bank had similar destructive characteristics, Bell said.

Aramco is said to have replaced tens of thousands of PCs at its headquarters after the existing fleet of machines was rendered useless by the attackers' code. Then-Defense Secretary Leon Panetta remarked at the time that a similar attack on critical U.S. infrastructure, including water and electrical facilities, would cause unparalleled destruction and upheaval.

"This is a relatively new shift," said Bell. "It should be in the minds of federal agencies" that are increasingly amassing vast stores of critical data, as well as critical infrastructure providers who guard crucial assets like electric grids and water supplies. Given the high visibility of the attack on Sony Pictures, he said, "copycats are inevitable" in the coming months.

Rick Dakin, CEO, co-founder and chief security strategist for IT governance, risk and compliance firm Coalfire, said Sony got a cyber wake up call in 2011 when its PlayStation network was crippled by hackers.

90 percent vulnerability

After that assault, Sony hired Phil Reitinger, a former deputy undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security and director of the National Cyber Security Center, as its first chief information security officer.

Before his stint at DHS began in 2009, Reitinger was chief trustworthy infrastructure strategist at Microsoft and executive director of the Department of Defense Cyber Crime Center. He left Sony earlier this year to found his own consultancy, VisionSpear LLC. According to news reports, Sony just moved John Scimone, its former director of security engineering, into the chief information security officer position in September.

Reitinger helped Sony put in place substantial cyber defenses during his tenure, Dakin said, but given the quickly shifting nature of technology and online threats, security can be a fleeting thing. The tactics that breached Sony's IT facilities and data, he added, probably could have pierced a host of other companies' current IT operations.

FBI cybercrime experts have also said the malware in the Sony attack could menace federal agencies.

"The level of sophistication is extremely high, and it was organized and persistent," Joseph Demarest, the assistant director in charge of the FBI's cyber division, said at a Dec. 10 cybercrime hearing before the Senate Banking, Housing and Urban Affairs Committee. "It's a concern, because in speaking with Sony and their managed cybersecurity provider, the malware that was used would have probably gotten past about 90 percent of the defenses that are out there today both in industry and in government."

According to Dakin, mobile capabilities have been a particular catalyst for recent attacks, as the rapid introduction and evolution of mobile phones, tablets and other devices has meant a return to unpredictable security. "With mobile phones, tablets and mobile applications, it's back to the Wild West for security. ... The tech revolution has hit the reset button."

It's unclear if mobile devices were involved with the Sony attack, though. Dakin said the wiper malware used against Sony dives deep into a computer system's coding. It could be used to profoundly alter IT systems, allowing attackers to potentially insert their own communications or data and make it look official -- a capability that could give federal agencies fits. That kind of access can have significant impact on government and critical infrastructure networks, even if the attack is subtle.

"What if an email got sent out by an agency telling workers not to come to work or not to read their email?" asked Dakin. "How would an agency deal with 50 to 70 percent of their laptops being unavailable for 72 hours?" asked Bell. "Agencies have to think about that. Continuity-of-operations plans are critical."

Safety in the cloud?

Bell and Dakin both said, however, that federal IT managers should take some solace in the federal government's emphasis on cyber defenses and, in some instances, its push to the cloud.

Efforts like continuous diagnostics and mitigation and associated FedRAMP cloud-security efforts are a step ahead of many commercial cybersecurity efforts, said Dakin.

CDM and FedRAMP have led to a higher standard for security technology for a large pool of federal users, Dakin said. Such standardization among commercial entities is not as easily accomplished, though Bell said "it's hard to say if federal IT protections are ahead of the commercial side."

Not surprisingly, intelligence and defense agencies are among the best protected, but some civilian agencies might be more vulnerable, according to Bell.

Reports from the tech news site Re/code said Sony is using FedRAMP-certified cloud provider Amazon Web Services for cloud services. AWS is helping Sony carry out an electronic counterattack using denial-of-service techniques to block sites distributing stolen Sony data. Sony and other entertainment content providers have used DDoS attacks before to stop pirated content from being distributed.

Bell said cloud providers could offer a stronger defense against a Sony-type attack, by offering dedicated security teams and potentially more up-to-date platforms than some civilian agencies can manage on their own.

And if the attack marks an escalation in the cyber wars, it might also be the dawning of escalated defenses. According to Demarest, Sony is enthusiastically cooperating with federal agencies with its investigation. Such cooperation, Sen. Charles Schumer (D-N.Y.) said at the Banking Committee hearing, was not the norm even a few years ago.

"Industry didn't want to share information about breaches," said Schumer. "It was sort of like when Churchill asked people to turn off their lights during the Blitz. Some said they didn't want to. I think those days are over."