Sony Pictures announced the cancellation of the opening of the movie “The Interview” after a well-publicized cyber-attack and threats of attacks on theaters showing the movie. This was a fast developing situation and media reports state that on Tuesday the FBI warned theater owners that they could be the target of a cyberattack related to showing the film. Five major theater chains then decided not to show “The Interview,” leaving Sony few options. This may be the costliest cyberattack ever, according to The Washington Post. Today’s reports indicate that U.S. officials now believe North Korea was behind Sony hack.
But, if North Korea is behind the attack, it also represents something new we may see again− a nation state launching a major cyberattack within the United States that was unrelated to any government policy or function. (Although Sony is a Japan-based corporation, Sony Pictures Entertainment Inc. is headquartered in the U.S.) It was apparently successful and created economic damage for the U.S. and many of its citizens. This makes us think more seriously about recent Congressional testimony by the head of the National Security Agency that China and "probably one or two other" countries have the capacity to shut down the nation's power grid and other critical infrastructure through a cyberattack. It also reminds me of science fiction stories I read in my younger days where multi-national corporations had standing armies and sometimes had shooting wars. This time it was nation-state vs multinat. What happens if a corporation decides to attack or counterattack a nation-state?
I’ll let the national and world leaders debate those kind of questions, including the critical one of whether an in-kind cyber response is appropriate or whether state-sponsored cyberattacks should be thought to “off the table” like nuclear weapons.
Lawyers and law firms have much important and confidential information. Lawyers are often in a position where they have to upset or anger others. One thing I have noticed as the year draws to a close is this subject is mentioned in a number of top ten lists and predictions for the future. More than one commentator has listed cyber security as a critical skill for lawyers and more than one commentator also predicted 2015 will bring a major, highly-publicized and embarrassing security breach for a law firm.
Just imagine if the movies that were stolen from Sony Pictures had been instead stolen from a law firm that had the unreleased movies on its servers to review some legal issues.
I have been saying for some time now that lawyers who are appropriately cautious and skeptical about cloud-based virtual desktops or other cloud computing resources may ultimately come to the conclusion that are actually outsourcing their data security to firms that have many more full time engineers and security experts on staff than any law firm would. Others may decide they must personally control their cyber security
Your data security risk today really comes from operating a computer or mobile device connected to the Internet. So we are all at risk. Your attention is again directed to Cybersecurity: It’s a Moving Target by Sharon D. Nelson and John W. Simek in the Oklahoma Bar Journal.