Fortune magazine, in a detailed examination of the cyber-hack that crippled Sony Pictures, is asserting that the studio was poorly prepared for the attack and should have seen it coming.
The studio has told the magazine that the assertions are untrue.
The magazine released on Thursday the first installment of a three-part story on the Nov. 24 hack. Fortune’s Peter Elkind spent six months reporting on the story and interviewed more than 50 current and former Sony executives, cyber-security experts and law enforcement officials for the article, “Inside the Hack of the Century: What Really Happened. Why Sony Should Have Seen It Coming. And Why It Should Terrify Corporate America.”
“Looking back, it’s hard to understand how Sony Pictures could have been so ill-prepared for an electronic invasion,” Elkind wrote. “It was part of a tech company that sells digital products — films, TV shows, videogames, and music — readily subject to online theft. Angered by Sony Corp.’s heavy-handed tactics to protect intellectual property, hackers have long targeted the company’s various divisions.”
The article also asserted that the Sony Information Security Department was not secure at the time of the attack. Fortune spoke with Tommy Stiansen, chief technology officer of threat-intelligence firm Norse Corp., which met with Sony three weeks prior to the attack to pitch its services. “Their Info Sec (information security department) was empty, and all their screens were logged in. Basically the janitor can walk straight into their Info Sec department,” he told the magazine.
Elkind also wrote, “While there is no way to know whether Sony’s attackers would have prevailed over even impeccable cyberdefenses, it’s clear that Sony, which failed to employ several basic safeguards, didn’t put up much of a fight. The company had ample reason to have bolstered its defenses: For years, culminating with its release of ‘The Interview,’ Sony Corp.’s business decisions have made it a virtual piñata for cyberassailants. And North Korea had been blamed for high-profile devastating electronic attacks in the past. Despite that, the company’s leadership failed repeatedly to take greater precautions.”
Sony spokesperson Robert Lawson told the magazine that such assertions are untrue, citing findings by the FBI and by the studio’s security consultant, Kevin Mandia.
“Any suggestion Sony Pictures Entertainment should have been able to defend itself against this attack is deeply flawed and ignores essential findings and comments made by the FBI and Kevin Mandia — the two parties most knowledgeable of the nation state threat and the evidence in this investigation.”
“Joseph Demarest, then assistant director of the FBI’s cyber-division, could not have been clearer when he told a U.S. Senate hearing that ‘the malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government,’” Lawson wrote.
The article noted that Sony Pictures CEO Michael Lynton has insisted the studio was well prepared for a conventional cyber-attack and has repeatedly characterized the hack as “highly sophisticated.”
In a written statement on behalf of Lynton, Sony spokesman Lawson insists that the “extremely knowledgeable” experts who consulted with Lynton “gave no hint or warning of the possibility of a cyberattack.”
The article noted that Lynton spoke with Daniel Russel, assistant secretary of state for East Asian and Pacific affairs, and that conversation included no mention of hacking risk, according to a note Lynton prepared. But it also noted that Bruce Bennett, a North Korea specialist with the Rand Corp. — where Lynton serves on the board — warned Lynton of the “possibility” of a cyber-attack.
After watching “The Interview,” Bennett sent Lynton a three-page memo assessing the situation even before the Koreans began protesting the film, then had several follow-up exchanges with Lynton. Bennett advised Lynton that the North Koreans frequently made empty threats, and there probably wasn’t much to fear, but he also noted that North Korea would probe Sony’s computer systems.
“Even if North Korea doesn’t know about the film yet, as soon as they do find out about it, they will likely explore Sony’s computer systems to see if Sony is ready to deal with North Korean criticism,” according to a passage that Bennett read to Fortune.
Bennett told the magazine that he also told Lynton the Kim Jong-un regime employed hackers “who could potentially cause damage,” described the 2013 DarkSeoul hacking episode in South Korea and warned, “You need to realize something could happen in that area.”
Lawson denied that Bennett had warned Lynton: “If (Lynton) had received any kind of warning, his next call would have been to a cyberexpert to ask about it … In their many phone conversations, Bennett never mentioned the possibility of a cyberattack on the studio.”
The article also said that “The Interview” star Seth Rogen and director Evan Goldberg received warnings of a possible cyber-attack, according to their spokesman, Matt Labov.
Even before they began shooting the film, Rogen and Goldberg sought the advice of Rich Klein of the consulting firm McLarty. Klein told Fortune that after reading their script, he advised the filmmakers to expect North Korean “blowback,” possibly in the form of an electronic assault, urged them to change their banking and email passwords and closely monitor their Internet accounts, and passed on the name of a cyber-security adviser.
Klein also said he feared that North Korea might unleash a cyber-assault on the studio to try to block the release of “The Interview” and that Rogen and Goldberg relayed that message to Sony executives.
“We felt that everybody involved in this had to protect themselves – the studio and the filmmakers,” Klein said. “The North Koreans are pretty aggressive cyberwarriors … It’s just surprising to me that there wasn’t a more robust sense of alarm and caution.”
Elkind concluded the segment by asserting that the events at Sony should be a warning for the rest of corporate America.
“What happened at Sony stands as a landmark event,” he wrote. “It struck terror in boardrooms throughout corporate America, and for all the unique elements in Sony’s situation, the lessons apply to every company… The peril for corporate America seems to be growing even faster than the immense resources now mobilized to combat electronic crime. This one hit home because it showed how attackers could steal even executives’ most precious secrets – and bring a company to its knees.”