The Sony Pictures Hack: Two Years Later
Two years later, how are Sony Pictures and the entertainment industry moving forward in the aftermath of the hack?
November 24 will mark two years since the North Korean government’s massive cyberattack on Sony Pictures Entertainment (SPE). The attack – widely believed to be an attempt to intimidate SPE into canceling the release of The Interview – exposed 30,000 company documents and 170,000 emails.[i] Two years later, how are SPE and the entertainment industry moving forward in the aftermath of the hack?
While no company would ever want to see its inner workings revealed to the public, the SPE attack posed a particularly stark threat to the operating model of the entertainment industry. This model depends centrally on colorful personalities having a safe space to exercise freedom of speech and engage in creative expression. The hacking episode demonstrated that actors, directors, screenwriters, and producers all assumed – wrongly – that email was one such safe space. The hacked emails lifted the curtain on the eccentric, blunt, colorful and at times politically incorrect entertainment industry community. Regarding some of the more controversial emails that were disclosed, Amy Pascal, the former co-chair of SPE who was fired in the wake of the attack, said, “Everyone understood because we all live in this weird thing together called Hollywood. If we all actually were nice, it wouldn’t work.”[ii]
Following the attack, SPE and other entertainment industry firms took steps to strengthen network defenses. Key measures have included: monitoring for atypical login patterns, encrypting data even if it is held behind a firewall, and placing greater control over access to individual files.[iii] As the CEO of a cybersecurity consultancy told CNBC, “Prior to the hack, creative types saw security as friction. It became super personal in terms of the type of information that was stolen. Across the studios, they realized that it could have been any of them.”[iv]
While steps to improve network security were necessary to SPE’s continued functioning as a company, it remains to be seen whether they will be sufficient to reestablish trust among the artists and film executives that had grown accustomed to free-flowing exchanges over email. As one prominent screenwriter wrote in the New York Times, “Since the Sony hacking, I say less in personal emails, and much less in professional ones. … If I’m writing to someone whose cloud a hacker might fancy, I am less cozy, which is a bit like downgrading a close friend to an acquaintance.”[v] On the other hand, SPE chairman and CEO Michael Lynton told Slate, “I still regularly see emails that make me say, ‘Really?’… The technology is so compelling that – for whatever reason – people are still sending me emails that they would very much not like to see show up in another venue.”[vi]
Going forward, can SPE and other entertainment industry firms continue to benefit from the convenience of email while protecting the privacy of their artistic talent? I would encourage SPE and other companies to consider a policy that would delete all emails after a fixed period – say, 90 days – unless the user proactively requested that the messages be archived. And if emails need to be stored for a longer period, they should be held in a highly secure location – not in a standard inbox. I would also encourage the entertainment industry to use other tools like Signal to communicate. Such tools can protect privacy and avoid the sort of self-censorship and chilling effect that the hack was intended to produce.
Some will argue that no digital communication is ever truly secure, and that the only solution is to be more careful when we communicate using technology. For the time being, this may ultimately be true. But my hope is that over the long term we can all restore our faith in the security of digital communications, ensuring that movie stars and ordinary citizens alike can express themselves freely and openly through digital means.
(630 words)
References
[i] Natalie Robehmed, “The Entire Sony Hack Is Now Available On Wikileaks,” Forbes, April 16, 2015, http://www.forbes.com/sites/natalierobehmed/2015/04/16/the-entire-sony-hack-is-now-available-on-wikileaks/
[ii] “Ex-Sony Chief Amy Pascal Acknowledges She Was Fired,” NBC News, February 12, 2015, http://www.nbcnews.com/storyline/sony-hack/ex-sony-chief-amy-pascal-acknowledges-she-was-fired-n305281
[iii] Julia Boorstin, “The Sony hack: One year later,” CNBC, November 24, 2015, http://www.cnbc.com/2015/11/24/the-sony-hack-one-year-later.html
[iv] Ibid.
[v] Delia Ephron, “It’s a Whole New Paranoid World,” The New York Times, March 21, 2015, http://www.nytimes.com/2015/03/22/opinion/sunday/its-a-whole-new-paranoid-world.html
[vi] Amanda Hess, “Inside the Sony Hack,” Slate, November 22, 2015, http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html
Note: All online sources accessed November 17, 2016. Photo from: http://www.yrbmagazine.com/the-interview-free-movie-passes-chicago-houston-nyc-jamesfrancotv-sethrogen-theinterview-theinterviewmovie/.
I find the suggestion that emails get automatically deleted to be a very interesting and constructive one one, although it may not stop the ‘Trojan horse’ style hacks where hostile agents sit within a system and systematically copy/edit all of its content over a long period of time. Dave Aitel talked about this risk in relation to the DNC email hack, talking of turning a hard-drive ‘into signals intelligence product’. [1] This is one of the big risk of the internet of things, namely that the live-feeds become hijacked by other parties for nefarious purposes. Thank you for talking about this!
[1] https://www.wired.com/2016/06/hack-brief-russias-breach-dnc-trumps-dirt/
Great post. While people in the entertainment industry use email for creative expression, the most controversial exposures in the Sony hack were email comments that many people felt were inappropriate or insensitive (https://www.theguardian.com/film/2015/feb/12/sony-pictures-chief-amy-pascal-hack-interview). While Sony executives were undoubtedly exercising free speech, there is no protection from social judgment of that free speech. You posed a good question in wondering whether email can be a risk-free vehicle to express opinions privately. I would say that it is not. While there are many steps companies like Sony Pictures can take to improve cybersecurity, I think the unfortunate reality of the modern internet-connected world is that nothing is entirely private or secure. This article (https://www.technologyreview.com/s/518056/why-e-mail-cant-be-completely-private/) provides an excellent explanation: “. . . even if an e-mail service encrypts messages for secrecy . . . the e-mail headers and routing protocols reveal who the senders and receivers are, and that information can be valuable in its own right. And second, the passcodes used as keys to decrypt messages can be requested by the government (if held by the e-mail company) or simply stolen by sophisticated malware.”
Thank you for this article. Privacy of digital information is indeed becoming a major issue / concern not only for the entertainment industry but also for the business world as a whole. My main concern with your proposed steps going forward is with regards to your suggestion for companies to implement a policy whereby they will have to delete their emails once a predetermined period lapses (such as 90 days). Although this could protect a lot of sensitive data, I think that practically it is very challenging to implement it, especially for a publicly listed company, because audit firms require email communication to audit their clients since emails have become the main written channel of communication in the business world.