The Sony Pictures hack and its resulting fallout may have caught many people by surprise, but not the FBI — it apparently suspected for months that something like this might happen. The Intercept has obtained a December 2013 agency report warning that it was just a matter of time before a US company faced a “data-destruction attack” like the one that hit Sony, where malware deletes enough data to render systems unusable. The alert was meant for “critical infrastructure” organizations (like energy providers) and never reached Sony, but the scenario was apparently very similar to what the company would face a year later. Intercept‘s tipsters even believe that Sony could have avoided a lot of the resulting damage if it had been aware of the report and heeded its advice on defending against hacks of this nature.
So why didn’t Sony get the report? FBI spokesman Paul Bresson says it went out to several distribution channels to be delivered “as appropriate.” According to the Intercept, that meant organizations whose staff were part of InfraGard, the FBI’s public-private security partnership — something of a problem, since its voluntary membership left Sony Pictures and other companies out of the loop. There’s no guarantee that the FBI could have ensured that Sony saw the report in time to make use of it, or even that it would have been enough to avert disaster. However, it’s clearer than ever that security guidelines are only helpful if they reach the right people.
[Image credit: AP Photo/Nick Ut]
Source: The Intercept