During recent cyber attacks on Sony Pictures, hackers seized the company’s computer network and collected an impressive amount of data, including customer and employee personal information, unreleased films, and credentials for the studio’s financial and social media accounts. As evidence grows against North Korea as the culprit, a new type of threat is emerging that may irreversibly alter the landscape of cyber warfare. If authorities are able to trace the hack to the North Korean government, it would be the first confirmed state-sponsored cyber attack designed solely to disrupt and embarrass a private corporation.
Foreign governments target corporate entities for a number of reasons. Perhaps the most familiar of these is industrial espionage: spying on companies to uncover trade secrets or steal intellectual property. Many of these attacks originate from countries like China or Russia, where a combination of substantial resources and significant state ownership of private industry creates a powerful incentive to spy. States also target companies to gain a strategic advantage. For example, government contractors in the defense, transportation, and aerospace industries are some of the most common victims of cyber espionage.
A North Korean attack on Sony Pictures would constitute an escalation of cyber warfare on two fronts. In one sense, it would be the first confirmed cyber attack by Pyongyang against a private company on US soil. While China, Russia, and Iran have gained notoriety for striking US commercial and financial entities in recent years, North Korea appears poised to broaden the playing field with the help of its own cadre of cyber warriors.
This aggression would also signal an evolution in the motivations behind state-sponsored attacks on corporate actors. Instead of seeking to gain a strategic or economic advantage, states are now willing to commit cyber crimes to dish out their own sense of justice against private companies. Humiliation and harm—once the means required to achieve a higher objective—have become ends in themselves.
The latter of these shifts is the most concerning, both for private companies and the countries that host them. Government entities, their affiliates, financial companies, and critical infrastructure companies usually boast a high degree of cyber defense because of their ties to national security and possession of sensitive information. Conversely, private companies with no stake in critical industries are typically ill-equipped to counter sophisticated cyber attacks. If state actors begin pursuing cyber warfare as a vindictive tactic, it would mean virtually no private company is safe from the caprices of foreign governments.
This prospect is particularly troublesome for countries like the United States, where government has less direct control over the private sector. When government entities or their contractors are victims of state-sponsored cyber warfare, basic interests of national security govern the impulse to reciprocate. But when foreign countries attack private companies that have no direct links to national security, red lines that once defined cyber warfare suddenly become blurry. In the absence of robust and consistent policies that determine state-sponsored cyber warfare, governments may soon find themselves in an environment where state and corporate interests are inextricably conflated. Attacks in one sphere could result in a response from the other.
While the future of cyber warfare rests a great deal on government policy, there is much that private companies can do to mitigate the effects of an increasingly hostile cyberspace. As the Sony Pictures hack demonstrated, high-profile corporations cannot afford to rely on lax information security standards. Sensitive data must be encrypted and password-protected to reduce the probability of exploitation. Furthermore, companies must invest in the personnel, training, and hardware necessary to repel sophisticated external attacks. Vulnerability assessments by third-party cybersecurity specialists are also integral to identifying weaknesses in existing information security policies and procedures. If companies fail to adapt their cybersecurity strategies to reflect emerging threats, then state actors will have no shortage of options when seeking a target.