The CEO of Sony Pictures has been saying that the cyberattack against his company is "the worst cyberattack in U.S. history." And you can see where he's coming from. An entire feature film got canned — at least for now. And his corporate networks were so damaged, Sony workers had to revert to using fax machines to communicate. That said, "the worst" is a big claim.
A lot of people feel for Sony Pictures and CEO Michael Lynton in particular. No one wants their inbox flung all over the Internet for the world to see. Many say the Sony hack is by far the most embarrassing hack. But the worst?
"Clearly this is the first time a movie has been prevented from being released," says Ron Gula of Tenable Network Security. "In raw numbers, the Slammer virus infected 75,000 computers almost instantly. Code Red infected almost half a million computers. And Conficker infected millions of computers."
Gula listed attacks that are large-scale, such as the ones against the entire operating system Windows.
"Yes, some files were stolen, some files were leaked and destroyed," says Steve Sin, a researcher at the University of Maryland. "But if you look at things like JPMorgan, [a] lot more files were actually stolen that contained the personal data of just normal people like you and me."
Robert Rodriguez with SINET, an industry association that brings together government and private-sector security experts, says, "It's hard to say if it's the worst attack because we don't know — some things have happened in terms of attack on critical infrastructure."
And by "critical infrastructure," Rodriguez is referring to things like dams and electricity grids. These attacks go largely unreported to the public. There are 16 categories of critical infrastructure:
"But media doesn't fall under that," Rodriguez says.
Rank it as you will, the Sony hack is clearly getting insiders to think about how to slice and dice and size up the damage.
The president has called the Sony hack an act of cyber-vandalism. Rodriguez thinks that's too soft — it was far worse than a bad graffiti job. But he would not call it an act of war, as some politicians have.
Instead, Rodriguez introduces a new label: "In terms of known attacks, I would call it transformational."
What we call it and who the perpetrators are — these have real-life financial implications.
Like many major companies, Sony has insurance to cover damages in the case of cyberattack. While the terms of each contract are different, insurance expert Mary Beth Borgwing with Advisen Ltd. says if North Korea really did do it, the insurance probably won't kick in.
"It depends on how you manuscripted the policy with the underwriters, with the insurance company," Borgwing says. "I would say that an act of war would be something most likely, in high probability, would not be covered."
But if North Korea is the perpetrator, there could be a financial upside for Sony. If the victims of the Sony hack sue in court, the CEO can use national security as a defense or turn to the government for help with damages.