President Obama Criticizes Sony Pictures, Says U.S. To Respond To Attack

Sony Pictures could have done a better job at protecting its corporate network and made a mistake when it capitulated to attacker demands by pulling the release of the controversial movie "The Interview," said President Barack Obama Friday.

Speaking to reporters in his final press conference of 2014, Obama addressed an FBI statement issued Friday that confirmed North Korea played a role in the attack against Sony Pictures. There is no indication that North Korea was acting in conjunction with another country, he said, adding that the U.S. would "respond proportionally and in a place and time and manner that we choose."

Obama lambasted the company for capitulating to the threats wielded by the hacking group calling itself "Guardians of Peace," by giving in to its demands to pull the movie. It’s important that businesses do not get into a pattern in which they are intimidated by these types of criminal attacks, Obama said, adding that he was sympathetic to Sony’s concerns. Sony suffered significant damage and there were threats against employees, he said.

"In this interconnected, digital world there are going to be opportunities for hackers to engage in cyberassaults both in the private sector and public sector," Obama said. "We cannot have a society where some dictator someplace can start imposing censorship here in the United States. This is a satirical movie -- imagine what they start doing if they see a documentary or news reports that they don’t like.

"Imagine if producers or distributors or others start engaging in self-censorship because they don't want to offend the sensibilities of somebody whose sensibilities probably need to be offended," Obama said. "That’s not who we are."

President Obama also took the opportunity to call for stronger cybersecurity laws that allow information sharing across the public and private sectors to detect attacks and better protect critical systems. A failed attempt for such a law in 2013 resulted in President Obama’s Executive Order establishing voluntary measures for the protection of critical infrastructure, much of which is owned by private sector businesses.

The attackers behind the Sony Pictures breach, which was recently linked to the North Korean government, were able to gain unfettered access to the company’s database servers. The massive data breach, which took place Nov. 24, is the second in recent years against Sony. A hacktivist group called LulzSec infiltrated Sony in 2011, successfully bringing down the company’s PlayStation Network for weeks and stealing the confidential data of as many as 100,000 users. The group conducted denial-of-service attacks against MasterCard, Visa and PayPal in retaliation for refusing to process donations made to WikiLeaks and also was responsible for breaches at security firm HBGary Federal and the computer systems used by Fox Broadcasting.

The massive data breaches are forcing some businesses to completely overhaul their infrastructure and start from scratch with completely new architectures, said Shane Corbett, director of data center engineering at Gardena, Calif.-based solution provider En Pointe Technologies. The goal of the massive overhaul is to reduce network complexity and limit the attack surface as much as possible. But while businesses are improving their security postures, attackers are bolstering their sophistication as well, Corbett said.

"The stuff we see is incredible now," Corbett said. "Why would you smuggle or do high-risk activities when you can steal 75 million credit card numbers with some kid you picked out of programming school?"

The FBI said the destructive malware used in the Sony breach had similarities in the code base, encryption and data deletion methods that paralleled malware developed by other North Korean attackers. The infrastructure used in the Sony attack was used in previous attacks carried out by North Korea, investigators said, pointing to IP addresses hard-coded into the data deletion malware that refer to the command-and-control infrastructure. The attackers also used tools similar to those believed to have been used by North Korea in attacks against South Korean banks and media outlets, the FBI said.

The Sony Pictures breach also exposed some basic security lapses at the company. Employee passwords stolen in the Sony Pictures data breach were contained on Excel files labeled "passwords." The files were not encrypted. Data protection measures were also missing on proprietary data. Movie contracts, actor and employee salaries were also exposed in the lapse. Organizations should be encrypting sensitive files, practicing stronger password measures, and establishing and testing secure backups to bring critical systems back online and recover as fast as possible, said Andrew Sherman, security practice lead at New York-based solution provider Eden Technologies.

"Multinationals like Sony have a lot more complexity but they have the resources so there's no excuse for not having basic security measures in place," Sherman said.