By Cory Bennett - 12/20/14 05:01 PM EST
The Sony Pictures hack has forced Americans to confront an aspect of cyber warfare common overseas but rarely discussed domestically — psychological cyberattacks.
When U.S. policymakers discuss the threat of cyberattacks, the focus is often on their destructive potential — overheating a nuclear power plant’s core reactor, or eliminating essential financial records.
But the apparent success of the Sony hit has exposed the effectiveness of psychological cyber attacks. The attack prompted the studio to pull the movie, costing millions of dollars, damaging Sony’s reputation and reportedly leaving its top executives on the ropes.
“Where cyber can probably be successful is in these psychological operations,” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. “Cyber is not necessarily extremely useful in conducting physically destructive attacks.”
That raises the question: Has the U.S. been miscalculating a major looming cyber threat?
“I don’t think anybody, and I include the Department of Defense in this, does a good job of thinking about what future kinds of cyber conflicts look like,” said Jason Healey, a director at the Atlantic Council who has worked on cyber defenses at the White House and for Goldman Sachs in Hong Kong.
The Sony cyberattack, which started as a fairly standard theft of data, quickly escalated into public blackmail and violent threats, as a hacking group called “Guardians of Peace” demanded Sony not release “The Interview,” a comedy depicting the fictional assassination of North Korean leader Kim Jong Un.
Before Sony conceded to the hackers’ demands, the assailants waged a protracted campaign to embarrass the company. They leaked top executives’ emails that contained racially tinged jokes about President Obama and considerable behind-the-scenes bickering among the Hollywood elite.
Not granted their way after two weeks, the group escalated its blackmail campaign with Sept. 11-style threats against any theater that screened the movie. Despite no known credible evidence of a plot, Sony cancelled the movie’s release.
“It’s more than a burglary and home invasion,” said Tom Kellermann, chief cybersecurity officer at security research firm Trend Micro. “It’s, ‘I want to slaughter your family as well.’”
The incident has the whole entertainment industry on edge, wondering who’s next.
“Hollywood is very much a reputation driven business and economics and relationships are really the coin of the realm,” said Seth Shapiro, a two-time Emmy winning producer who has worked at film studios like Walt Disney Company and Universal Pictures. “In this case, both of those were hit.”
Sony stands to lose over $100 million in the wake of the cyberattack, with some analysts predicting that number could double.
“It really does feel like the overarching intent of it was to burn the company to the ground,” Shapiro added.
Lawmakers have noted the shift as well, highlighting the ill-defined line between psychological cyberattacks and cyber terrorism.
“In the past, crime has been the primary motivation [in cyberattacks], but terrorism is now something that’s of equal concern,” said Rep. Patrick Meehan (R-Pa.), who chairs the House subcommittee on cybersecurity, during a Friday interview on “Fox and Friends.”
On Friday, the government accused North Korea of sponsoring the attack and promised a “proportional” response, pulling the U.S. into a conflict that other cyber powers — China, Russia, Iran, North Korea — have been waging for awhile.
Those countries view cyber warfare as a battle of information, not physical dominance, Alperovitch explained. It can be waged in varying ways.
Russian leader Vladimir Putin, for instance, might view a blog post critical of Russian leadership as a cyberattack, Alperovitch said. At the same time, Moscow conducts cyber espionage on other countries with the intention of shaming them publicly.
“It’s just a very different mentality,” Alperovitch said.
And it’s a culture that’s hard to change through retaliatory cyberattacks, indictments or sanctions, said Catherine Lotrionte, who served during the George W. Bush administration as counsel on foreign intelligence issues for the White House, Senate Intelligence Committee and CIA.
The United Nations has a slowly expanding cyber working group that includes the U.S., China and Russia. It’s an ideal forum to address the standards around psychological cyberattacks, Lotrionte said.
“You need to start something saying, ‘No this is not acceptable in the international community,'” she said.
It’s an arduous process, though, Lotrionte acknowledged.
The Atlantic Council’s Healey had a quicker option.
“Show the f-----g movie,” he said, laughing. “It’s that simple.”