The last year has been marked by headline-grabbing cybercrimes, including the theft of stunning amounts of personal information from Target, Home Depot and online photo-storage sites. Now, the hackers who targeted Sony Pictures’ computer network have opened a new front in cyberwar: thefts motivated not by money, but by malice. The severity and sophistication of the attack are alarming, yet aside from launching the obligatory FBI investigation, the response from government officials and from Hollywood’s other studios has been strangely muted.
A group that calls itself Guardians of Peace struck a devastating blow to Sony Pictures’ network in late November, extracting copies of a huge number of internal documents and then erasing them from Sony’s computers. It caused enough damage to shut down the network for days, forcing employees to revert to working on paper and whiteboards. Since then the hackers have leaked emails and other material online, revealing secrets about the company’s salaries, business model and executives’ deliberations. Unlike conventional industrial espionage, the point wasn’t to give a company’s secrets to its competitors. It was to make them public on a grand scale, embarrassing the victim and crippling its ability to do business.
The damage is ongoing, with the hackers leaking documents incrementally and reporters mining them for news. Regardless of whether you think the news media are amplifying the attack or just documenting it, one important lesson the coverage has conveyed is the need for companies to take better care of the sensitive information they’ve collected. It’s not just banks and retailers that have to worry about the credit card numbers they have on file. Corporations have to assume they’ll be targets, and never leave such things as passwords and Social Security numbers unencrypted.
Few, if any, companies could defend themselves successfully against assaults of the scale and destructiveness as that on Sony, which rivaled the Stuxnet attack on Iran’s nuclear program and other government-sponsored malware. (There’s some evidence suggesting that the hackers were backed by North Korea, although the government there denies it.) Had it been a physical attack instead of an electronic one, local officials and Hollywood studios would have rallied around Sony. They haven’t, reflecting the intangible nature of the damage and the other studios’ desire not to attract their own hacks. And it’s all the more reason for Congress to allow companies and government agencies to share what they’re learning about the nature of cyberattacks and how to defend against them. Sadly, while Sony was scrambling to contain the damage from the hack, Congress was punting — again — on a bill to permit that sort of information sharing, which has been held up by privacy concerns. Such a law might not have protected Sony against the Guardians of Peace, but it could help the next victim.
Follow the Opinion section on Twitter @latimesopinion