Sony, U.S. Agencies Fumbled After Cyber Attack

So did the POTUS and his ‘National Security Team’

Sony, U.S. Agencies Fumbled After Cyber Attack

Lack of information and consultation led to flip-flops, added to confusion sony-u-s-agencies-fumbled- after-cyberattack-1424641424? mod=WSJ_hp_LEFTTopStories

Some theaters, like the Sun-Ray Cinema in Jacksonville, Fla., went ahead and showed ‘The Interview’ despite anonymous threats, but government guidance was muddled.ENLARGE
Some theaters, like the Sun-Ray Cinema in Jacksonville, Fla., went ahead and showed ‘The Interview’ despite anonymous threats, but government guidance was muddled.PHOTO: BRUCE LIPSKY/FLORIDA TIMES-UNION/ASSOCIATED PRESS

Feb. 22, 2015 4:43 p.m. ET 0 COMMENTS

PALO ALTO, Calif.-Corporations and the government must be “true partners” in fighting computer hackers, or breaches like the one at Sony Pictures Entertainment last year will grow more common, President Barack Obama said earlier this month.

A detailed look at the attack on the Sony Corp. unit shows that could be a tall order.

The cyber attack, which occurred in November, laid bare not just weaknesses in corporate Internet security but major shortcomings in how the government and companies work together to respond to attacks. Federal officials have cited the Sony hack as the reason they are changing how the government responds to computer breaches.

Those efforts include creating a Cyber Threat Intelligence Integration Center to better sort and share intelligence about attacks, and Mr. Obama on Feb. 13 signed an executive order authorizing more intelligence-sharing with companies. The signing was timed to his appearance at a Stanford University gathering meant to improve the relationship between Silicon Valley and Washington on a range of issues.

A review of the Sony hack, based on interviews with executives, U.S. officials and people briefed on their conversations, shows that the companies and agencies fighting the hackers hewed so closely to their own interests that some decisions were made based on little information or consultation.

When Sony discovered on Nov. 24 it had been penetrated, it called the Federal Bureau of Investigation within hours. But while corporate executives were alarmed, the initial government response was more measured, in part because there was no indication large volumes of customer data or sensitive national-security information were at risk.

Within days, the unusual nature of the attack-a multi-pronged effort to damage, shame and coerce an international company-grew apparent both to government officials and to the company. Then on Dec. 16 came an anonymous threat of Sept. 11-style attacks on theaters if they screened Sony’s “The Interview,” a comedy about a plot to assassinate North Korean ruler Kim Jong Un, which was scheduled to open across the U.S. on Christmas.

Officials with the National Organization of Theater Owners called the Department of Homeland Security but were told officials there hadn’t heard of the threat, and couldn’t advise them what to do. That response contributed to big theater chains refusing to show the film.

The FBI was the lead investigative agency on the matter. The bureau withheld from Sony much of what it was learning about the source of the attacks, confidentiality that is standard for security-breach investigations. FBI agents aren’t trained to tell companies what to do if hacked. So as Sony considered whether it should pull the film, the FBI, too, offered no advice on the issue, according to people familiar with the discussions.

The FBI and Homeland Security issued a law-enforcement bulletin saying there was no credible evidence of a plot to attack theaters. But federal officials also told theater owners they simply didn’t know whether the hackers were capable of attacking theaters.

Within hours of theater chains declining to show “The Interview,” Sony Corp.’s studio unit said it was canceling the film’s release.

To veterans of government hacking investigations, it was the latest example of problems stemming from the diffuse nature of computer-security responsibilities in Washington. The FBI, Homeland Security, the Secret Service and various intelligence agencies all have roles to play, which change based on the particulars of a case. Those issues were compounded by the unusual way this breach unfolded in public view.

After Sony said it was canceling the film’s theater release, White House officials were aghast that a corporate-security and public-relations problem had mushroomed into an issue of national security and free speech. The White House had been late to fully engage on the subject, according to several current and former officials. That changed quickly once Sony made its decision.

At that point, “there was enormous pressure within the government to do something,” said a person familiar with the discussions. At a White House meeting, officials agreed the government would say North Korea was behind the hacking, which Pyongyang has denied. On Dec. 19, the FBI issued an uncharacteristically long statement describing some of the evidence pointing to North Korea.

Hours later, Mr. Obama weighed in directly, saying at a news conference that Sony had made the wrong choice and he wished it had asked him.

At Sony, officials found the government actions frustrating. If the U.S. was going to publicly blame North Korea, company officials would rather it had done so days earlier, to make clearer Sony was a victim of a foreign government’s action before it canceled the film’s release.

Before the FBI statement, there was intense debate within the government on just what the federal government should say, according to people familiar with the discussion. White House officials urged talking about some of the evidence of North Korean involvement. Within the FBI, many cyber security veterans were opposed, saying this would reveal too much about an investigation that was at an early stage.

‘I worry that malicious attacks like the one at Sony Entertainment could become the norm.’
-Lisa Monaco, an assistant to the president for counterterrorism and homeland security
The debate extended to which part of the government should publicly blame North Korea, before it was decided this should be the FBI.

The bureau often holds its cards close, partly to protect any evidence it might someday have to present in court. In this case, it was thought unlikely the case would ever see the inside of a courtroom.

Once the FBI publicly laid out a case blaming North Korea, some cyber security firms challenged it, suggesting the agency had erred in ruling out hackers from Russia, China or elsewhere. FBI Director James Comey said at an appearance early in 2015 he was certain of North Korea’s culpability.

Less than a week after Sony decided to pull “The Interview,” and a few days after the president’s criticism, Sony reversed course and said it would release the film in several hundred independently owned theaters and make it available to rent or buy online.

Officials still are debating what lessons to learn from the attack and its aftermath. The administration seems to acknowledge more information needs to flow both ways. Otherwise, “I worry that malicious attacks like the one at Sony Entertainment could become the norm,” said Lisa Monaco, an assistant to the president for counterterrorism and homeland security.

Some within federal agencies that handle cyber security say having the FBI speak publicly backfired because it led to public debate about the accuracy of the bureau’s work.

Some think the U.S. revealed too much about its cyber capabilities. Another camp thinks the Sony response shows why government needs to say more about major computer breaches, to avoid leaving the public in the dark.

But many who disagree on how much the government should say about incidents are in agreement on one thing-that this case showed a need for a single lead agency on hacking investigations, as the White House now is planning.

The question is whether a new agency is enough. “Would it have made it easier to manage the Sony incident? Probably,” said James Lewis, a cyber security adviser at the Center for Strategic and International Studies. “Would it have changed what they share with the companies? Probably not.”

Jacob Olcott of BitSight Technologies, which rates firms’ vulnerability to hacking, said adding another agency to the mix might distract from the core problem, which in his view is that companies must do more to lock down their computer systems. “The government doesn’t control Sony’s network,” he said.

Most of those who discussed the incident agree on one other matter. They expect other hackers to draw lessons from what happened to Sony, becoming more aggressive in how they target companies and the demands they make.

-Ben Fritz and Erich Schwartzel contributed to this article.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: