Following the FBI’s conclusion Friday that North Korea was behind a cyber attack against Sony Pictures Entertainment (SPE) last month, Homeland Security Secretary Jeh Johnson said the incident demonstrates that every company needs to implement best practices for cyber security.
“Every CEO should take this opportunity to assess their company’s cyber security,” Johnson said in a statement. “Every business in this country should seek to employ best practices in cyber security.”
President Barack Obama said in his year-end press conference on Friday that more work needs to be done with Congress to pass legislation to strengthen information sharing across the private sector and between the government and private sector “so that we are incorporating best practices and preventing these attacks from happening in the first place.” He added that “We’re not even close to where we need to be” in terms of strengthening the nation’s cyber security posture.
Obama said that if the right “architecture” isn’t set up to prevent cyber attacks, “this is just not going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant.”
House Homeland Security Chairman Michael McCaul (R-Texas) said in a statement that cyber security will be a top focus of his committee in the next Congress, which begins in January, adding that he’ll continue working to build on cyber legislation that Congress passed last week and Obama signed this week.
The four cyber bills Obama signed this week include provisions to boost the sharing of threat data between the public and private sectors.
Obama said that his administration is developing a “range of options” that he will examine to make a response that is “proportional and appropriate to the nature of this crime.” He said, “They caused a lot of damage, and we will respond, and we will respond proportionately, and we’ll respond in a place and time and manner that we choose.”
In February the Obama administration released the Cybersecurity Framework, which provides standards and best practices that can be voluntarily adopted by the private sector. The framework was crafted with the help of owners and operators of the nation’s critical infrastructure, most of which is in private hands.
The attack against SPE is unprecedented in the United States. The FBI said “the destructive nature of this attack, coupled with its coercive nature, sets it apart.”
The FBI stated that the Sony hack by North Korea “reaffirms that cyber threats pose one of the gravest national security dangers to the United States.” The agency said that the attackers, who go by the name Guardians of Peace, used “destructive malware” to steal SPE’s proprietary information and personally identifiable data of employees, and to render thousands of the company’s computers “inoperable,” which “forced SPE to take its entire computer network offline and significantly disrupted the company’s business operations.”
It is believed that North Korea attacked SPE’s computer systems because of a satirical movie the film company was planning to release on Christmas Day that portrays a CIA plot to assassinate the country’s leader, Kim Jong-un.
In the wake of the attack and threats by the Guardians of Peace against the release and distribution of the movie, called The Interview, movie theaters and then Sony said this week that the movie will not be shown.
Obama said that he is “sympathetic” to Sony’s position but said the company “made a mistake” in deciding not to release the film.
“We cannot have a society in which some dictator some place can start imposing censorship here in the United States,” Obama said. “Because if someone is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like? Or news reports that they don’t like? Or even worse, imagine if producers and distributors and others start engaging in self-censorship because they don’t want to offend the sensibilities of somebody whose sensibilities need to be offended.”
Obama said that there will continue to be opportunities for cyber hackers against the private and public sectors and that work needs to continue to “harden sites and to prevent those kinds of attacks from taking place.” He said there will be more “costly breaches” but “we can’t start changing our patterns of behavior any more than we stop going to a football game because there might be the possibility of a terrorist attack.”
Obama said there are no indications that any other countries aided North Korea in the attack against Sony Pictures, which is a division of Japan’s Sony Corp. [SNE]. China has been accused of conducting cyber espionage against U.S. companies and government.
McCaul warned that given what North Korea has demonstrated through the attack on SPE, “imagine what damage nation-states like Russia, China, or Iran can cause to our nation’s vital networks that control our power grid, energy and water supplies or other critical infrastructure.”
In stating its case that North Korea was behind the attack, the FBI said that malware used in the hack is linked to other malware the agency knows has been developed by “North Korean actors,” with similarities including lines of code and data deletion methods. It also said that the infrastructure used in the attack has “significant overlap” with infrastructure used in “other malicious cyber activity the U.S. government has previously linked directly to North Korea.”
Obama said the latest cyber event also shows the need for more international cooperation around cyber security in terms of “setting up some very clear rules of the road in terms of how the Internet and cyber operates.”