Sony Pictures Capitulation Sets a Worrying Precedent
The decision by Sony Pictures to give in to hackers' demands to cancel the release of controversial film The Interview sets a worrying precedent. (Photo: Reuters)

In all reality there is no security.

This is the opinion of infamous hacker-turned-FBI informant Hector Monsegur (aka Sabu), who believes that no matter what security is in place, if someone wants to get into your systems - be it an airport, bank, phone network or water supply - then they will get in.

In the wake of the devastating attack on Sony Pictures, this sentiment is something which seems all the more prescient.

Hackers and cyber-criminals have always been a step ahead of law enforcement and security companies - it is an accepted part of the cat-and-mouse cyber-security landscape.

But what has escalated the Sony Pictures attack is the response from the studio itself. It has essentially issued an open invitation for hackers and cyber-criminal gangs around the world to target not only other Hollywood studios but any company anywhere in the world which has information to protect.

We don't negotiate with terrorists

Amar Singh, the founder of the Cyber Management Alliance, said Sony's capitulation and decision to not release The Interview represents "a very sad day indeed".

Singh adds: "Keeping aside the Sony context, the motto of the West has always been to not give in to terrorists but obviously it seems to be a different rule if those terrorists are cyber-attackers. Is this the beginning of a trend where corporations are held hostage and then make decisions that impact the masses?"

Cyber-security expert Peter Singer has an issue, however, with assigning the term 'terrorists' to the hacking group behind the attack, known only as Guardians of Peace.

Singer told Motherboard: "The reality is having your scripts posted online does not constitute a terrorist act. The FBI describes it as an 'act that results in violence.' Losing your next James Bond movie script that talks about violence is not the same thing as an act of violence."

Singer compares this situation, where an unknown group of hackers issued a threat in cyberspace, to the situation in 2012 when 12 people were killed and 70 injured at a screening of The Dark Knight Rises. In this case the studio has cancelled the release of the film, yet in the case where people were actually killed, the film continued to play.

In his opinion piece for IBTimes UK, Jarno Limnell, a professor of cyber-security at Aalto University in Finland, argues that the first violent responses to cyber-attacks will be made not because of physical destruction but because of a huge loss of digital property.

If Sony had suffered the same amount of loss because of a physical attack, would there be a physical response? Probably. At the moment it seems that the threshold for triggering a physical response to a cyber-attack will be higher than a kinetic equivalent. This might change soon.

The hacker playbook

Image caption: The US Defense Service Board has suggested that the biggest possible cyber-attacks could prompt a nuclear response. (Photo of the 1946 Operation Crossroads nuclear weapons test on Bikini Atoll, Marshall Islands: US Library of Congress)

The Sony Pictures attack will now act as a game-plan for future cyber-attacks against major western companies.

Sony Pictures' security was clearly not good enough, its response to the leaking of troves of sensitive personal and financial information has been poor, and the decision to cancel the release of The Interview sets a worrying precedent.

As Singer says: "This is not just now a case study in how not to react to cyber-threats and a case study in how to not defend your networks - it's now also a case study in how not to respond to terrorism threats."

Sony called in security experts Mandiant to investigate the attack, and its founder Kevin Mandia issued the following statement on the company's behalf, attempting to deflect blame from Sony:

This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organisations of this critical threat.

To say this attack was "unprecedented" is disingenuous, particularly for someone like Mandia, whose company rose to prominence investigating the high-profile nation-state hacking by the Chinese military of 141 companies around the world, including the New York Times.

Sony Pictures' security was not up to scratch, and it is now trying to bluff its way out. Hiring lawyer David Boies to try to strong-arm newspapers and publishers into not reporting the on-going leaks was another attempt to deflect the spotlight from the company's poor security.

The result of this devastating attack on Sony Pictures is huge, but because of the way Sony handled the fallout it has invited every hacker in the world to consider following in the footsteps of Guardians of Peace.

Hollywood stars like Steve Carell have been calling this "a sad day for creative expression", and while this may be true, what is much more pressing and worrying is what it says to hackers the world over.

Security expert Eugene Kaspersky sums up the problem:

Kaspersky told IBTimes UK: "It's a very strong signal that even the most advanced hi-tech companies are not immune to hacker attacks, and we have to prepare ourselves for very serious and painful attacks in the future. Sadly, it's not easy to say which industry or company will be the next target."