Skip Ribbon Commands
Skip to main content
Skip Navigation LinksHome > News & Information > Features > Schneier Details the 'Early Days of a Cyber Arms Race'


Schneier Details the ‘Early Days of a Cyber Arms Race’

Schneier Details the ‘Early Days of a Cyber Arms Race’

By Katie Vloet
November 25, 2015

We are at the starting point of a new kind of worldwide battle, Bruce Schneier—a cryptographer, computer security and privacy specialist, and writer—told Michigan Law students. “I think we’re in the early days of a cyber arms race,” he said. “We’re all in the blast radius.”

Schneier, author of the 2015 book Data and Goliath (W.W. Norton & Company) and 11 other books, spoke about cybersecurity through the lens of the 2014 attacks on Sony Pictures Entertainment. The hack and subsequent release of data, movies, and embarrassing emails showcase what can go wrong when a company has not established adequate security measures, and savvy hackers find a way to exploit the weakness, he said.

The digital break-in of Sony began Nov. 24, 2014, when skulls flashed on employees’ computer screens, along with a message that a group calling itself #GOP (later identified as Guardians of Peace) had obtained all of Sony’s internal data.

A series of events followed: Five unreleased Sony movies were released on Nov. 27, 2014: Annie, Still Alice, Mr. Turner, To Write Love on Her Arms, and Fury; Schneier called the leak “an extraordinary destruction of intellectual property.” Data, including Sony salaries, were released. When discussing a second major leak, Schneier, during his Nov. 20 talk at Michigan Law, advised: “Do not put your passwords in a plain-text file labeled ‘passwords.’”

Speculation began to build that the government of North Korea was responsible for the cyberattack because the Guardians of Peace said it would attack theaters showing the Sony film The Interview, which features an assassination attempt against North Korean dictator Kim Jong-un. Additionally, an Associated Press story said some cybersecurity experts found “striking similarities between the code used in the hack of Sony Pictures Entertainment and attacks blamed on North Korea which targeted South Korean companies and government agencies last year.” Later in December, the FBI announced that North Korea was at fault.

Sony initially canceled the premiere, screenings, and the planned Christmas Day opening of The Interview, but later announced that the movie would have a limited release in theaters and would be made available for download.

Schneier said he initially didn’t believe the government when it blamed North Korea for the cyberattack on Sony. On his blog, he wrote on Dec. 24, 2014: “I am deeply skeptical of the FBI's announcement on [Dec. 19] that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn't believe it.”

Then, in January, the United States imposed sanctions against North Korea in response to the Sony hack. Schneier began to believe that North Korea might actually be the culprit, but he was not fully convinced until he read an article later in January in The New York Times about the U.S. government’s reaction to the attack and about the National Security Agency breaching North Korea’s networks prior to that attacks on Sony.

“Despite what I wrote at the time, I now believe that North Korea was responsible for the attack,” he later wrote on his blog.

The fact that he and many other observers did not immediately believe that North Korea—or any nation’s government—was at fault is indicative of the “democratization of tactics” in cyberattacks, he said. “We were having a debate about whether this was an attack by a nation with a $20 million annual military budget or a couple of guys in a basement somewhere,” he said. “That is extraordinary.”

Cyberattacks, he said, are “an increasingly popular way for the powerless to show power.”

The talk was sponsored by the Michigan Law Privacy and Technology Law Association, Michigan Hackers, the National Security Law Society, Michigan Telecommunications & Technology Law Review, U-M Ford School of Public Policy Domestic Policy Corps, and the Informatics Student Organization.

Read more feature stories.

Share |