Is Sony Hack Really 'The Worst' In U.S. History, As CEO Claims?

Transcript

DAVID GREENE, HOST:

The CEO of Sony Pictures says his company was hit by, quote, "the worst cyberattack in U.S. history." And you can see where he's coming from. An entire feature film got canned - at least for now - and corporate networks were so damaged, Sony workers had to revert to using fax machines to communicate. That said, the worst is a pretty big claim. NPR's Aarti Shahani takes a closer look.

AARTI SHAHANI, BYLINE: A lot of people feel for Sony Pictures and CEO Michael Lynton in particular. No one wants their inbox flung all over the Internet for the world see. And many say the Sony hack is by far the most embarrassing hack, but the worst?

RON GULA: Clearly this the first time a movie has prevented from being released. But in raw numbers, you know, The Slammer infected 75,000 computers, you know, almost instantly. Code Red infected almost half a million computers. And Conficker infected millions of computers.

SHAHANI: That's Ron Gula with Tenable Network Security, and he's listing off attacks that are large-scale, like against the entire operating system Windows. He is not alone in this assessment. Here's Steve Sin with the University of Maryland.

STEVE SIN: Yes, some files were stolen, some files were leaked and destroyed and things like that. But if you look at things like JPMorgan, a lot more files were actually stolen that contain the personal data of normal people like you and me.

SHAHANI: And here's Robert Rodriguez with SINET, an industry association that brings together government and private sector security experts.

ROBERT RODRIGUEZ: It's hard to say if it's the worst attack because we don't know what - some things have happened in terms of attacks on our critical infrastructure.

SHAHANI: And by critical infrastructure, Rodriguez is referring to things like dams and electricity grids. These attacks go largely unreported to the public. There are 16 categories of critical infrastructure.

RODRIGUEZ: But media doesn't fall under that.

SHAHANI: Rank it as you will, the Sony hack is clearly getting insiders to think about how to slice and dice and size up the damage. The president has called the Sony hack an act of cybervandalism. Rodriguez thinks that's too soft. It was far worse than a bad graffiti job. But he would not call it an act of war, as some politicians have. He introduces a new term.

RODRIGUEZ: In terms of known attacks, I would call it transformational.

SHAHANI: What we call it and who the perpetrators are - these have real-life financial implications. Like many major companies, Sony has insurance to cover damages in the case of cyberattacks. While the terms of each attack are different, insurance expert Mary Beth Borgwing with Advisen Ltd. says if North Korea really did do it, the insurance probably won't kick in.

MARY BETH BORGWING: It depends on how you manuscripted the policy with the underwriters, with the insurance company. I would say that an act of war would be something that most likely, in high probability, would not be covered.

SHAHANI: But if North Korea is the perpetrator, there could be a financial upside for Sony. If and when the victims of the Sony hack sue in court, the CEO can use national security as a defense or turn to the government for help with damages. Aarti Shahani, NPR News. Transcript provided by NPR, Copyright NPR.