On Monday, November 24, 2014, employees at Sony Pictures Entertainment (SPE) headquarters in Culver City, California, had a shock when they switched on their workstations. A red skeleton popped up with a bullet-pointed message. Hackers, who self-identified as "Guardians of Peace", said they controlled all Sony's data.
SPE shut down servers and took its corporate network offline. It suffered massive damage. Unreleased movies were dumped onto the internet. So were e-mails, medical records and compensation data for executives. The personal information of sundry Hollywood stars and entertainers was also released.
The attack was said to be orchestrated by North Korea (officially the Democratic People's Republic of Korea, or DPRK) in retaliation for a Sony comedy, The Interview. This film (released post-hack) is about an assassination attempt on Supreme Leader Kim Jong-un. Then a hacker group, "Lizard Squad", forced the DPRK off the internet for two days in December.
US President Barack Obama blamed North Korea. The DPRK accused the US of a counter-attack. The Federal Bureau of Investigation says the Sony hackers were careless, and revealed internet protocol addresses of DPRK origin.
Consider the damage. SPE, an $8-billion subsidiary of its Japanese parent, Sony, was crippled for weeks. The digital infrastructure was ruined without physical damage. The release of private data made employees and movie stars personally vulnerable. There was loss of revenue as copyrighted films were released. Future plans were compromised. SPE may even be liable for lawsuits due to the poor encryption of private data of individuals. Insurers will examine this case closely and it could lead to modifications in industrial insurance policies and practices.
The hackers face few consequences. They were anonymous people operating from outside the US borders. There is "deniability" for the DPRK, which is said to have a cyber warfare cell of over 6,000 hackers. The combination of deniability and the ability to cripple infrastructure without necessarily causing physical damage is tempting. So is the ability to garner intelligence and data.
Not surprisingly, there have been multiple earlier instances of cyber-attacks, allegedly by nations.
Iran's nuclear programme was hit by the Stuxnet worm, which targeted industrial control systems in reactors and research institutions for years. Stuxnet was very sophisticated. It's said to have been developed by Israeli and US coders but, of course, there's no confirmation. Stuxnet found vulnerabilities in specialised chips designed for one purpose.
In 2009, an allegedly Chinese operation, "GhostNet", hacked data off government servers in many nations. In 2007, Estonia was knocked offline by a coordinated attack made by at least a million hacked computers turned into a "zombie army". Russia was blamed, given tensions between Estonia and Russia. Georgia was knocked offline during the South Ossetia Crisis of 2008. Again, Russia had circumstantial motives. In the 1990s, the US hit Serbian infrastructure to knock out air traffic control and facilitate UN bombing operations.
Military infrastructure and equipment are heavily dependent on computers and networks. All military equipment relies to some degree on specialised chips, or on networks. General civilian infrastructure is also vulnerable.
The global financial system, for example, is networked and interconnected. Banks, credit card issuers, financial market servers, central banks, tax authorities and so on all "talk" to each other. Power grids are smart. So are airport traffic control and airline routing systems, railway networks, traffic lights and so on.
The "Internet of Things" is also growing. This consists of smart unmanned devices connected to the internet. It includes items as diverse as industrial robots, police drones, refrigerators and car navigational systems. Botnet armies of "things" have already been created.
At least 140 nations have cyber war programmes. The US spends untold billions distributed across many agencies. It has a Cyber Command, which is part of Special Operations Forces. The US also has an articulated framework of "five pillars" for active and passive cyber-warfare. The North Atlantic Treaty Organization, or NATO, has a separate "Tallinn manual" developed after the Estonia episode mentioned above.
While other countries lack similar resources or focus, even small investments in cyber capabilities can pay off big in offensive terms. And, of course, defensive capacities in this area are imperative. This is one area of civilian-cum-military capability where India cannot afford to fall behind.