Sony Hack Minimum Cost: Hundreds of Millions of Dollars
Cyberterror specialist Stewart Baker answers five burning questions
This story first appeared in the Jan. 9 issue of The Hollywood Reporter magazine.
1. ARE THESE TYPES OF HACKERS TYPICALLY CAUGHT?
The government has been able to track and jail quasipolitical amateur hackers from groups such as Anonymous and LulzSec. It has had some success in busting credit card thieves in Eastern Europe. It has identified and even indicted a few state-sponsored hackers, but the prospects for bringing them to trial are near zero.
2. WHAT ROLE IS THE WHITE HOUSE PLAYING IN THE INVESTIGATION?
The FBI is collecting forensic data in an effort to identify the hackers with confidence. It is reporting results to the White House and other agencies. The National Security Council probably is working with the State Department, intelligence officials and the Defense Department to develop options if the attack is attributed firmly to North Korea. But there aren't a lot of good options.
3. IS THERE ANY CHANCE OF SCRUBBING EMPLOYEE SOCIAL SECURITY NUMBERS FROM THE WEB?
4. HOW MUCH IS THIS WHOLE ORDEAL LIKELY TO COST SONY? Concrete losses include replacing hardware and other recovery costs, which will run into tens or perhaps hundreds of millions of dollars. Lawsuits for privacy breaches and reissued credit cards also can run into the hundreds of millions. The biggest costs could be less easily quantified — disruption in film production and distraction or departure of top executives, all of which could depress earnings.
5. WHEN DOES THIS END?
What's most troubling is that the campaign has no certain end. Sony can restore all its systems and fortify them to a high standard, but it will still have no guarantee that a determined, state-sponsored attacker can't get back in and do large-scale damage. It takes only one employee to visit a bad site or click on a bad attachment. The only good news is that a series of attacks will make attribution easier. But attribution without retribution won't do much good.
Stewart Baker is a cyberlaw attorney with Steptoe & Johnson and a former policy official in the Department of Homeland Security.