Discussion Case: Sony Pictures and North Korean Hackers

In November 2014, just in time to capitalize on the rush of moviegoers during the Thanksgiving and Christmas holiday seasons, Sony Pictures was set to release a new comedy, The Interview. Executives at Sony already knew that The Interview would be controversial. The plot involved a television tabloid show host and producer who discovered that the North Korean dictator, Kim Jong-un, was a big fan of their show. When they set up a trip to visit Kim Jong-un, they were recruited by the CIA to turn their trip to Pyongyang, Korea, into an assassination mission. Not surprisingly, the real Korean government leaders were displeased with the plot of the movie, and they apparently took drastic measures to convince Sony Pictures’ executives not to release the movie to theaters.
During a one-week period, hackers going by the name Guardians of Peace, allegedly with ties to North Korea, stole 100 terabytes of sensitive company data from computers belonging to Sony Pictures Entertainment (to put that into perspective, 10 terabytes can hold the entire printed collection of the Library of Congress). The first sign of a digital break-in appeared when the image of a stylized skull with long skeletal fingers flashed on every Sony employee’s computer screen at the same time, accompanied by a threatening message warning that “This is just the beginning.” The message continued, “We’ve obtained all your internal data,” and then warned that if Sony did not comply with their demands, the hackers would release the company’s top secrets. Hackers slowly posted the information online or circulated information over file-sharing networks. North Korea formally denied any involvement in the hacking incident, but did praise the actions as a “righteous deed.”
The leaks revealed highly sensitive information, like passwords and executives’ salaries, secret details about other upcoming films, and passport and visa information for Sony actors. Other leaked information contained the medical records of dozens of Sony employees and listed conditions including cancers, cirrhosis of the liver, and premature births. The hackers went as far as to threaten Sony employees and their families. The hackers also made threats of violence toward anyone who went to see the movie, with references to the terrorist attacks in the United States on September 11, 2001. These threats prompted the nation’s largest theatre chains to announce that they would not show the film.
Sony executives considered releasing the film only via video-on-demand or on television. Comcast, the nation’s largest cable provider, declined the opportunity to show the film through their cable network due to its politically sensitive material. Eventually Sony decided to cancel the distribution of the film. The hackers responded to Sony’s decision by saying “pulling The Interview was a ‘very wise decision’.” “We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public,” said Sony’s press release. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.” The implications of these decisions extended beyond the moviemaking industry. “This is now a case study that is signaling to attackers that you can get all that you want and even more,” said a cybersecurity strategist.
President Obama criticized Sony for pulling the movie, saying it set a bad precedent and could encourage further censorship. While he was sympathetic to the problem Sony faced, the president said, “Yes, I think they made a mistake.” He also pledged that the United States would hit back at North Korea for their role in this incident. “They caused a lot of damage and we will respond. We will respond proportionately and we will respond in a place and time and manner we choose.” (One month later, President Obama, in an executive order, imposed sanctions on three North Korean organizations and 10 individuals, allegedly in response to the hacking of Sony Pictures.) Obama continued, “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States, because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary they don’t like, or news reports they don’t like.” Companies in the United States, according to the president, needed to come to terms with the possibility of having their computer systems penetrated, but he added that “we can’t start changing our patterns of behavior.” To do so, he said, would be like cancelling the Boston Marathon because bombs were detonated there.
Sony’s CEO Michael Lynton responded to the president’s remarks. “We did not cave. We did not back down. The decision not to move forward with the December 25 theatrical release of The Interview was made as a result of the majority of the nation’s theater owners choosing not to screen the film. This was their decision. Let us be clear—the only decision that we have made with respect to release of the film was not to release it on Christmas Day in theaters, after the theater owners declined to show it. Without theaters, we could not release it in the theaters on Christmas Day. We had no choice.”

Discussion Questions

Did Sony Pictures’ executives, eventually, make the right decision by releasing the film? What were the risks and benefits to Sony and to its customers (both movie theater operators and movie viewers) of doing so?
What actions, if any, could Sony employees take to protect themselves from the theft and release of their data on their employer’s servers?
What role should the U.S. government play in protecting the privacy and security of individual citizens, such as Sony employees in this case? What specific actions could the government take?
What actions should the U.S. government have taken against North Korea? Should the U.S. government have reacted sooner than it did?
Using tools presented in this chapter, what additional measures could Sony take to better protect its company’s information from attack by hackers?