The Sony Breach Carries Broad Implications Surrounding National Security

The following post originally appeared on Forbes | December 19, 2014

While consumer-related cyber-attacks have been gaining momentum over the years—think the Target data breach in 2013 and Home Depot breach this year—none have the same gravity of the recent North Korean Sony attack. Forcing millions of people to go through the rigmarole of switching cards, and forcing banks to spend millions of dollars to rectify the situation is expensive and annoying. Potentially forcing the most powerful nation in the world to declare the breach an act of war is a whole different ball of wax.

Today I speak to Roberta D. Anderson, partner at K&L Gates LLP, and co-founder of the firm’s global Cyber Law and Cybersecurity practice group. We address the nature of modern cyber-attacks, the state of the cybersecurity market, and some of the broader implications of these attacks—the Sony Pictures breach in particular. See our exchange below:

On A Macro-View Of Cyber-attacks

Parnell:  Can you give me a macro-view of the world of cyber-attacks? Who is doing them? Why are they doing them? What are the most likely targets?

Anderson:  Cyber-attacks are precipitated by scores of different actors, of varying degrees of sophistication, and with myriad motivations, agendas, targets, and ultimate goals.  For some actors, the goal is pure financial gain.  For others, attacks are politically motivated.

The massive Target data breach from last holiday season was orchestrated by a group of Russian and Ukrainian hackers motivated by profit from the sale of stolen credit and debit cards and other personally identifiable information.   Contrast this with the alleged motivation of the Chinese military personnel accused in May of hacking and economic espionage directed at U.S. companies, which, as stated in the DOJ’s indictment, was “to steal information from U.S. companies that would be useful to their competitors in China, including state-owned enterprises.”  Contrast both with the Sony attack, reportedly waged by a North Korean government hacking team for the principal purpose not of stealing sensitive data for profit or gaining competitive advantage, but to injure the company in retribution for the controversial film The Interview.  And then there are the “hacktivist” groups like LulzSec and Anonymous.  Verizon’s 2014 Data Breach Investigations Report found that just under two out of every three web app attacks were attributable to activist groups driven by ideology and lulz.

On How, Specifically, Attacks Happen

Parnell:  How are companies like Sony being attacked, specifically? What vulnerabilities are being taken advantage of?

Anderson:  As to the Sony attack, some speculate that it was precipitated via a malicious insider, while others speculate that an administrator account was compromised. Although it is not yet clear exactly how it occurred, we increasingly see the use of custom malware that anti-virus software—even up-to-date software—cannot detect. That custom-tailored malware often is introduced through increasingly sophisticated social engineering exploits.   The “bad” actors—whether they are a nation state, a hacktivist organization, a sophisticated crime ring, or a teenager working out of his or her parents’ basement—exploit systems and software vulnerabilities, including the ultimate vulnerability:  human error.

An organization can have the best firewalls, perimeter security, end-to-end encryption, and updated antivirus software, but there always remains the human element that is so difficult to control.  By way of example, Target’s breach occurred because an employee of Target’s HVAC vendor clicked on a phishing email laced with malware.

On The Broader Implications Of The Attacks

Parnell:  Understanding that the attacks can happen, and with the increasingly problematic hack on Sony in mind, what are the broader implications of a breach like this? Why is the Sony attack so much more troubling than those before it?

Anderson:  The Sony breach carries broad implications surrounding national security.  As indicated by emerging reports, the attack likely is, in essence, a nation state attack upon a U.S. company’s infrastructure.  Although the goal of the Sony attack apparently was not to cause physical injury to persons or destruction of property, it nonetheless is a very serious attack, seemingly designed to be devastating against a U.S. company.  This could lead to additional sanctions, or worse. Also, this attack ultimately could be a game changer regardless of whether it was North Korea or another actor because it represents the first time an attacker has targeted a company with the apparent principal purpose of harming the company.

Therefore, if the emerging reports are correct, the attack obviously raises important issues of national security, and what form, if any, an appropriate response from the United States would take.   Likewise, the allegations made in the DOJ’s May 2014 indictment against members of the People’s Liberation Army, the military of the People’s Republic of China, are serious and troubling.  General Keith Alexander has called intellectual property loss via cyber-espionage “the greatest transfer of wealth in history.”

On What Measures Other Institutions Are Taking

Parnell:  With prevention in mind, what measures are some of the most secure institutions taking? What lead should be followed?

Anderson:  Recognizing that even the best cybersecurity can and does fail, the most secure institutions recognize that they need to be cyber-resilient in the wake of a breach. This means  being positioned to detect and efficiently and effectively respond to threats, to recover as quickly as possible in the wake of a breach event—with the minimum financial, reputational, and overall, exposure to the organization—and to be defensible to customers, stakeholders, and regulators.

Some of the key avenues to cyber-resilience include a thorough cybersecurity assessment, including penetration and vulnerability testing, ongoing threat monitoring, appropriate employee training, a solid business continuity plan, and a tested, vetted, incident response plan, which should be in place before a breach and should empower key individuals within the organization to take immediate action upon discovery of a qualifying security breach event.

Organizations also are increasingly using cybersecurity insurance as part of their overall strategy to address and mitigate cyber-risk.  Cybersecurity insurance can be extremely valuable, but selecting and negotiating the right insurance policy presents challenges given the vast array of products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically.

On Cybersecurity Insurance

Parnell:  That’s interesting. Most talk surrounds preventing the attack. Insurance is a post-attack plan. Can you talk to me about that a little more? How is the insurance industry positioning itself to handle something like a cyber-attack?

Anderson:  There are two important aspects to this:  The first is that, as cyber threats and attacks have become increasingly common, sophisticated, and expensive, and as data privacy laws and regulations have proliferated, the insurance industry has increasingly added exclusions and limitations to so-called “traditional” “or “legacy” insurance policies—commercial general liability (CGL) policies, commercial property policies, and even commercial crime policies—to cut off coverage for attacks like the Sony attack and other cyber-attacks under these typical types of business insurance policies.

Although there may yet be valuable coverage for cyber-attacks and data breaches under “traditional” policies, the insurance industry has made it abundantly clear that organizations should not expect to be covered for cyber-attacks under traditional lines of insurance coverage.  By way of example, Insurance Services Office, which is the insurance organization tasked with drafting standard insurance contract language, introduced a series of “data breach” exclusionary endorsements, which became effective in most states this past Spring for use with the standard-form CGL policy.   The endorsements exclude liability “arising out of any access to, or disclosure of, any person’s or organization’s confidential or personal information, including patents and trade secrets.”   The second aspect is that, as limitations and exclusions have been introduced to “traditional” polices, the insurance industry began developing and selling specialty “cyber” insurance products.

On How Insurance Responds To Attacks

Parnell:  So how would cyber insurance respond to cover exposures flowing from some of the recent high-profile cyber-attacks? Just pay out money? Wouldn’t this overly alleviate responsibility on the end of the insured?

Anderson:  Cyber insurance is an excellent risk transfer vehicle.  In the wake of a data breach that compromises sensitive, personally identifiable information—for example, the Target breach—cyber insurance generally should respond to cover the costs associated with defending and settling the putative class action lawsuits that typically follow in the wake of a significant breach.  The better policies also cover regulatory actions, fines, and penalties, as well as the various “crisis management” activities that are required following a breach, including forensic investigation to determine how the breach occurred, the costs associated with notification to potentially impacted individuals, the offering of credit monitoring services and identity theft insurance to those individuals, call center services, and public relations efforts.

Even before a breach, many of the policies provide risk management services, such as information portals, security and response plan templates, and consulting from industry experts.  The application process itself tends to shine a spotlight on an organization’s current cybersecurity risk management practices and is likely to reveal potential cybersecurity weaknesses that should be addressed.

On Sony Getting Paid For The Interview

Parnell: So, in Sony’s case, assuming that they have cyber insurance, they won’t be paid for losses on The Interview being pulled from theaters?

[Cyber insurance] is not a panacea and clearly is not a substitute for robust cybersecurity and incident response planning.   Nor is all cybersecurity risk—including some of the greatest exposures—insurable.  State-sponsored cyber-espionage resulting in the theft of a company’s intellectual property—“crown jewels,” for example—realistically is not a loss that current cybersecurity insurance policies currently respond to. Nor are they likely to going forward in view of valuation issues.  In addition, cybersecurity insurance that would respond to bodily injury or property damage arising out of a corruption or manipulation of data that impacts a SCADA system, for example, is at best in very nascent stages and without significant market capacity.

Although cybersecurity policies can provide valuable coverage for business income loss resulting from an attack on a insured’s system, they may not respond, for example, to the postponement or cancellation of a major event such as a movie release in the wake of an attack or threatened attack, unless the postponement or cancellation was directly caused  by a failure of cybersecurity related to the attack, which of course it may be depending on circumstances.

On The U.S. Government’s Role In The Sony Attack

Parnell:  This attack puts the US government in a tough spot. Declaring this an act of war could open Pandora’s box. What role do you think that the US government should take in something like the Sony attack?

Anderson:  It has been reported in recent hours that the U.S. government may soon officially announce that the North Korean government was behind the attack, which can fairly be characterized as the most devastating cyber-attack to date on a U.S.-based company.  If the attack was by, or at the order or direction of, the North Korean government, the U.S. government will have to decide whether or not to declare this breach to be an act of war, or terrorism, and also will be in the position of having to determine how to respond to the attack.

Given the serious national security issues raised by this attack, the U.S. government’s role clearly should include taking all appropriate steps to determine exactly how the attack occurred, and by what actor or actors.  If it is a nation state attack, decisions surrounding potential offensive actions are complicated by issues relating to international diplomacy.  At a minimum, I think the U.S. government’s role includes working to secure the support and cooperation of its allies in addressing the Sony attack, including, potentially, through additional sanctions or other offensive actions and in proactively short circuiting these types of events to the extent practicable going forward.

Email: dparnell@davidjparnell.com Twitter: @davidjparnell

Books: The Failing Law Firm: Symptoms And Remedies; In-House: A Lawyer’s Guide To Getting A Corporate Legal Position