This is going to get worse before it gets better. That’s largely the message from cybersecurity experts and former U.S. cyber officials who say that the alarming hack against Sony Pictures Entertainment underscores not only the lack of corporate Internet security, but also law enforcement’s struggle to prevent similar data breaches from occurring again.
A hacking group calling itself the Guardians of Peace claimed responsibility for the Nov. 24 attack on Sony. The weeks since have seen the unauthorized disclosure of a trove of embarrassing emails sent between Sony executives, the leak of unreleased movies and, earlier this week, a threat by the hackers that references the Sept. 11 terrorist attacks. Yet for all the hackers’ bluster, and Sony’s apparent paralysis, there so far has been sparse talk of meaningful American retaliation.
Jim Penrose, who formerly worked in the Signals Intelligence Directorate and served as chief of Operational Discovery at the National Security Agency, said forensic investigators are still largely trying to determine the best method to prevent such attacks. Recent attacks at Home Depot, Target, JPMorgan Chase & Co. and others also prove that, when it comes to prosecuting international crime, police have no choice but to enter a web of geopolitics that rarely, if ever, results in the perpetrators' apprehension.
After filling various posts within the NSA over a 17-year period, Penrose now serves as executive vice president of cyberintelligence at Darktrace, a United Kingdom-based cybersecurity firm that protects Virgin trains and power company Drax, which provides electricity for 14 percent of Western Europe’s population.
International Business Times caught up with Penrose this week to get his thoughts on the Sony situation and the state of cybersecurity in general.
International Business Times: Pretend you’re one of the FBI investigators on the front lines of the Sony case. What’s going through your mind right now?
Jim Penrose: I think the main thing investigators would like to get to the bottom of is how this initially happened, what was the way in, was there an insider who helped or was it really just from the outside in? That would be an interesting conclusion to find out. You’d also like to figure out by which way they spread the malware. Was that malware unique? Is that malware attributable to specific actors?
This is an area where law enforcement breaks down. There’s no ally to go to get a warrant served, or extradite someone and try to bring them to justice. The military has its own legal regime but this is different. Cyberspace isn’t as well governed as the ships in the sea or planes in the sky.
IBTimes: Does that bureaucratic process mean that law enforcement is always playing catch-up?
Penrose: Yes. I think law enforcement is inherently bureaucratic, unless there’s a circumstance you can point to where there’s a vehicle pursuit and a police officer doesn’t need to go to a judge and say, ‘Can I chase this guy?’ He just does it, whereas here it’s not quite as clear-cut.
If you see command and control packets coming from Thailand, does that authorize you to do something to a machine in Thailand? Thailand’s an ally, so shouldn’t we be sending them a memo to request assistance? But now you’re back into the days', weeks', months’ time to get something done, while in the meantime JPMorgan or any other company is being victimized.
IBTimes: How does the level of investment in cybersecurity relate to the actual risk of a company being hacked?
Penrose: I think I saw that with Sony they expect to lose $100 million. I can’t imagine that their cybersecurity was $100 million; it was probably closer to $10 million.
I think that to be appropriately postured, big companies are going to have to start getting up into the hundreds of millions of dollars in cybersecurity investment to really do it. But it’s not just about throwing money at the problem; we’re in an arms race.
The current cyberintelligence is very retrospective. Somebody has to get hacked, it has to be analyzed and then put into an intelligence feed where they can tell you what IP addresses were used or which malware was used, or the domain names. That might take 200 days to get into your intelligence feed, when a lot of damage can be done.
IBTimes: It sounds like there’s no way to be proactive against these attacks.
Penrose: What you need to do is add threat detection that’s anomaly-based; that’s critical.
There’s a difference in the behavior of those people’s machines, whether the secretary’s or the CEO’s, whoever they were targeting. They’re going to start behaving differently when they download the malware and when that malware is used to look left and right and then vacuum up all the data. That change in their behavior has to be manifested in your security intelligence so you can at least have a lead. When you dedicate time to that, you’re more likely to get lead information, which you can then flip back to the community and get better within the arms race.
If you don’t dedicate resources to the unknown unknown, you’re never going to find the next Sony hack or JPMorgan hack beforehand.
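The contrast Penrose draws between retrospective indicator feeds and anomaly-based detection, as an added example that is not part of the interview and is not Darktrace's or any real product's code: a small Python script learns a per-host baseline (distinct internal peers contacted per day, bytes sent to external addresses per day) from constructed flow records, then scores a later day against that baseline. One workstation starts sweeping internal hosts ("looking left and right") and then ships a large volume of data outside ("vacuuming up the data"); the anomaly scorer flags it while a lookup against a stale indicator list finds nothing. The host names, addresses, dates, byte counts, the z-score threshold and the floor placed on the standard deviation are all this example's own constructed choices.

```python
"""Anomaly-based detection over constructed flow summaries (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flow records (day, host, destination, bytes); not real telemetry.
    Destinations in 10.0.0.0/8 are internal; anything else is external."""
    flows = []
    baseline_days = [f"2014-11-1{i}" for i in range(5)]  # 2014-11-10 .. 2014-11-14
    for i, day in enumerate(baseline_days):
        for host in ("ws-ceo", "ws-secretary"):
            flows.append((day, host, "10.0.0.5", 40_000))                  # mail server
            flows.append((day, host, "10.0.0.9", 250_000))                 # file server
            flows.append((day, host, "203.0.113.7", 90_000 + 5_000 * i))   # routine web use
    attack_day = "2014-11-17"
    # The secretary's machine looks like any other day.
    flows.append((attack_day, "ws-secretary", "10.0.0.5", 40_000))
    flows.append((attack_day, "ws-secretary", "10.0.0.9", 250_000))
    flows.append((attack_day, "ws-secretary", "203.0.113.7", 95_000))
    # The CEO's machine touches 30 internal hosts it never spoke to before,
    # then sends 50 MB to an external address that is in no indicator feed.
    flows.append((attack_day, "ws-ceo", "10.0.0.5", 40_000))
    for n in range(11, 41):
        flows.append((attack_day, "ws-ceo", f"10.0.0.{n}", 2_000))
    flows.append((attack_day, "ws-ceo", "198.51.100.23", 50_000_000))
    return flows, baseline_days, attack_day


def daily_features(records):
    """Per (host, day): number of distinct internal peers and bytes sent externally."""
    peers = defaultdict(set)
    ext_bytes = defaultdict(int)
    for day, host, dst, nbytes in records:
        key = (host, day)
        if dst.startswith("10."):
            peers[key].add(dst)
        else:
            ext_bytes[key] += nbytes
    keys = set(peers) | set(ext_bytes)
    return {k: {"peers": len(peers[k]), "ext_bytes": ext_bytes[k]} for k in keys}


def build_baseline(features, baseline_days):
    """Mean and population std of each feature, per host, over the baseline window."""
    per_host = defaultdict(lambda: defaultdict(list))
    for (host, day), feats in features.items():
        if day in baseline_days:
            for name, val in feats.items():
                per_host[host][name].append(val)
    return {host: {name: (mean(vals), pstdev(vals)) for name, vals in feats.items()}
            for host, feats in per_host.items()}


def score_day(features, baseline, day, threshold=3.0):
    """Return (host, feature, observed, z) for every feature more than `threshold`
    standard deviations above that host's own baseline on the given day."""
    alerts = []
    for (host, d), feats in features.items():
        if d != day or host not in baseline:   # hosts with no baseline are skipped
            continue
        for name, val in feats.items():
            mu, sigma = baseline[host][name]
            # A perfectly regular baseline has sigma 0, which would make any change
            # look infinite; floor sigma at 10% of the mean (and at least 1).
            sigma = max(sigma, 0.1 * mu, 1.0)
            z = (val - mu) / sigma
            if z > threshold:
                alerts.append((host, name, val, round(z, 1)))
    return sorted(alerts)


def ioc_matches(records, known_bad):
    """Retrospective check: records whose destination is already in an indicator list."""
    return [r for r in records if r[2] in known_bad]


# Constructed, already-stale indicator list: the attacker's address is not in it.
STALE_FEED = {"192.0.2.99", "192.0.2.100"}

if __name__ == "__main__":
    flows, base_days, attack_day = build_sample_flows()
    feats = daily_features(flows)
    baseline = build_baseline(feats, set(base_days))
    print("indicator hits:", ioc_matches(flows, STALE_FEED))
    for alert in score_day(feats, baseline, attack_day):
        print("anomaly:", alert)
```

The two features are deliberately the cheapest ones available from flow data; the point is that the baseline is per host, so a change is measured against what that machine normally does rather than against a global list of bad addresses that may lag the attack by months.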