Was Sony Pictures Hack 'Cyber Vandalism' Or Something More?
AUDIE CORNISH, HOST:
The hacking of Sony Pictures has been described variously as a cyberattack, and as we also heard earlier, President Obama called it an act of cybervandalism not an act of war.
ROBERT SIEGEL, HOST:
And that made us wonder about the vocabulary of hacking, especially when the hack might be state-sponsored. Allan Friedman of the Cyber Security Policy Research Institute at George Washington University is one of the authors of "Cybersecurity And Cyberwar: What Everyone Needs To Know."
Welcome to the program.
ALLAN FRIEDMAN: Thank you.
SIEGEL: You write about cyberwar so let's start there. How do you define cyberwar?
FRIEDMAN: Well, it's important to note that we're still feeling our way through these international definitions. So a good start from a lay purpose is, well, let's take off the cyber, look at it, is this an act of war? Is no computers were involved, would this cross the barrier?
SIEGEL: So if buildings are blown-up or lives are taken, or military units are come under attack via some computerized device, that could be cyberwar?
FRIEDMAN: I think if you have large-scale loss of life, large-scale destruction of infrastructure, that would be war.
SIEGEL: There is, we assume, at any given time espionage going on among countries. Is poking around the Pentagon's computers an act of cyberwar or an act of cyber-espionage?
FRIEDMAN: I don't think too many people would call it an act of cyberwar simply because countries do it to each other all the time. It is important to draw a distinction between going after a private entity for profit perspectives with something that might be considered a strategic act of espionage, trying to figure out how I can better defend my country.
SIEGEL: Well, let's say that a foreign country does something to a corporation that causes loss of life. After all, the World Trade Center was owned by the Port Authority of New York and New Jersey, not the Defense Department. Could that be an act of war if it had been a physical attack against Sony Pictures?
FRIEDMAN: Completely. If you shut down the lights at major hospitals, causing massive loss of life, massive panic, it would be the same thing. But remember essentially try to take the word cyber out of it. It's pretty easy to turn off the lights with a bunch of spies or with a plane. We shouldn't look at computers as something that is brand-new.
SIEGEL: The label of cybervandalism, the one that President Obama used, it seems a lot less alarmist than some of the other phrases we've heard. Should we think of what happened at Sony as the digital equivalent of spray painting graffiti on their headquarters?
FRIEDMAN: It's a little stronger than that. I'm comfortable using the term a cyberattack because Sony was attacked. And we have to remember that a number of things happened. They wiped a bunch of computers, they erased data. That's certainly a property crime, you're destroying something. But if we say there's something of value, right? If I break windows or if I walk through the Louvre and throw paint on a painting, I'm committing a terrible crime. But at the end of the day, what I'm doing is vandalism.
SIEGEL: If Sony Pictures had been broken into by a gang of masked gunmen - the kind of gang we might see in a movie from Sony Pictures - and the gang made off with the company's records, we might think that they have poor security at Sony Pictures. But we wouldn't hold them accountable. We'd assume it's a law-enforcement problem. Are we reaching a point where the government should be protecting people's computers since everybody has them?
FRIEDMAN: Well, I think we expect a certain de minimus care whenever we're talking about it. If gunmen walk into a bank and the bank doesn't have video cameras, doesn't have any protection, even though they've heard of bank robbers, simply doesn't have any of these protections, we'd say, listen, the bank has some culpability. We're going to go after the bad guys. And I think in the Sony case on one hand, yes. If a country or an actor said we're going to go after Sony, Sony will suffer some consequences. But the magnitude of those consequences is in part up to the defender, especially when you're going after a relatively unsophisticated attacker.
SIEGEL: Was Sony negligent in its cyber defenses?
FRIEDMAN: I hate to use this term in public, but you can look at the record and say this is a company that failed the security audit as far back as 2005. And some of the documents indicate had things like passwords in plain text, poorly chosen passwords and hadn't really engaged any serious system of defense even though it knew it was in a space that was at risk. You know, the hackers have a long tradition of going after Hollywood companies that go after digital pirates and Sony was in that space, they knew that this was something that should be at risk. They didn't make it a priority.
SIEGEL: Allan Friedman of the George Washington University in Washington, D.C.
Thanks for talking with us.
FRIEDMAN: Thank you very much. Transcript provided by NPR, Copyright NPR.