If North Korea was behind the extraordinary cyberattack on Sony Pictures could this be the first confirmed example of an individual business being singled out for a crippling cyberattack by an entire country?
A few years ago at a security conference I heard on speaker predict precisely this kind of attack would one day come to pass and at the time it was hard to think of what such a world would be like to inhabit. But here we are in this world, or something approaching it. Reportedly, large amounts of employee data has been leaked and an unknown amount of damage has been wrought on Sony by destructive malware.
This is now looking less like an embarrassing sneak attack than an all-out assault designed to destroy Sony Pictures.
Whoever carried out this attack, this is economic warfare in an extreme form that goes far beyond the slow-motion damage of espionage campaigns. The evidence so far is conjecture – and the fact that no other credible group has claimed responsibility – but some have convinced themselves that North Korea’s name should be in the frame.
There’s the small matter that North Korea is refusing to either confirm or deny its involvement although it would be a mistake to draw too many conclusions from that. Thin-skinned, North Korea is reportedly annoyed at Sony’s portrayal of its leaders in a forthcoming movie, which the hack has now ensured will probably we viewed by fifty times its expected audience.
But North Korea might naively think it has little to lose from being associated with an attack that has humbled one of the world’s foremost entertainment organisations.
To friendless and powerless countries or groups, a successful hack is asymmetric warfare at its most extreme. A few people in a room can reveal the secrets of large rich corporations, individuals and even governments to the world.
Beyond the headlines about Sony and its apparent entanglement with North Korea’s odd regime it could be that an important line has just been crossed. Companies have come under attack by governments before, but always as part of industrial espionage campaigns against whole sectors, designed to further economic and geo-political interests.
A North Korean attack on Sony would be a very different event, one in which a state would have focused its destructive might on a single business. That raises the stakes massively because defending against the misbehaviour of other states is normally seen as something governments look after.
What action might the US Government deem appropriate to a state-sponsored cyberattack on a leading US firm, one designed possibly to seriously damage its economically? It’s not something we should look forward to finding out the answer to but response there will be.