The 2014 Sony breach proves that businesses and governments are not prepared for the coming cyber war, according to cryptography expert Bruce Schneier.
During a keynote address at InfoSec 2015, Schneier cited the Sony breach as proof that businesses and governments are overly focused on attribution, as opposed to defence, when dealing with cyber threats.
“For me what’s disturbing is the Sony attack happened and the first question the world asked is ‘who did it?’ The last question you should ask is who did it,” he said.
“When you’re being attacked in cyber space the two things you don’t know are who is attacking you and why. This is why we need really good defence without attribution.
“What we want is resilience in our networks and systems and institutions. We need to think about who secures critical infrastructure, power, communication, chemical plants.”
The Sony breach occurred in 2014 when hackers infiltrated the firm’s network in a destructive data-stealing cyber attack.
The hackers, who the FBI believe were a North Korean state-sponsored group, subsequently published sensitive information stolen during the attack.
Schneier highlighted the confusion and lack of trust around the FBI’s accusation against North Korea as proof of the difficulty with attribution, arguing that, even if governments have proof, the nature of intelligence work makes it impossible to prove it publicly.
“The US had some evidence, links to Dark Seoul, and alluded to having other intelligence [probably from the NSA],” he said.
“The NSA [probably] did have secret evidence but we don’t know what it is. It could be recorded conversations or a piece of paper with Kim Jong-un’s signature saying do the attack. It could have been a human resource. But at the time there was a lot of doubt.
“This encapsulates much of the [problems] of cyber conflict. There are three levels of attribution. There’s the lowest, the ‘I know you did it’. The second is the ‘I know and I can convince you I know’. Third is the ‘I know and I can convince the world’. With secret evidence you can get to one not three.”
Schneier explained that the focus on blame is doubly troubling as it distracts firms from the increasing danger of state-sponsored groups.
“Cyber rhetoric is real and it’s scary. There was a lot of sabre rattling in the US after Sony. A lot of war talk,” he said.
“We need to think about resilience. We’re in the early years of a cyber arms race where we’re seeing more and more rhetoric and nation states going against third parties. We’ve seen this with North Korea and Sony, China and GitHub.
“This is going to continue in the future. Nations are building for cyber war and we’re in the blast radius.”
Security professionals will have to adapt their strategies to deal with the atypical motivation of state-sponsored groups.
“The goal [with Sony] wasn’t theft. Most crime is about money, but here the goal was coercion, embarrassment or just pure damage. This is not the sort of threat we think about and let me tell you, none of us could withstand this sort of attack,” he said.
“This was a high skill, high focus attack, an advanced persistent threat. This is different to regular attacks. Against a low focus [group] what matters is that you’re better than the guy next to you.
“Against high focus what matters is if your security is better than the hackers’ skill. [But when a group has both] we all know that a sophisticated and motivated hacker will always get in.”
Schneier’s comments follow wider industry and government concerns around state-sponsored hacking.