The cybersecurity, entertainment and political worlds have been abuzz with the recent attack on Sony Pictures.

What makes this such a compelling story?

We Cannot Help But Look

It is hard to blame anyone for being drawn to the wreckage; it really has been quite a grisly spectacle, right down to the skull-themed images splashed across the screens of the employee’s workstation screens when the attack was announced.  The attackers apparently prefer drama to comedy.

The breadth and depth of the pwnage from a technical perspective is astonishing.  So far, it appears that around 100TB of secrets, personal data, movies and even employee PHI were stolen and in many cases, leaked onto the Internet.

Then, the attackers promised an ominous “Christmas present”.  That date coincides with the slated release date of the movie that may be at the center of the controversy, The Intervew.  The warnings came complete with references to 9/11 and other vague but assertive threats of violence.  It has been a highway motorcycle wreck, and we cannot keep ourselves from watching with morbidly intense curiosity.

And, as of today, Sony tapped out.  They pulled the movie citing failing support and safety concerns.

Does it change anything for the rest of the world?

When Kevin Mandia himself says an attack has no precedent, you know things are pretty bad.

But, what does this colossal breach mean for the rest of us?

Is this bigger news just because it involves Hollywood?

Or, is the sheer magnitude of the attack something that should concern us all?

For the worse?  

Is the Internet in more danger now than before?  That seems highly unlikely.  But perhaps this underscores the idea that stopping a focused, motivated and dedicated adversary is difficult if not impossible. It was thorough, vindictive, savage attack, and we won’t know what the technical lessons are until the autopsy is complete.

From a broader perspective, there may be some debate about whether this was handled like a hostage situation, and what the implications could be of ceding to the demands of the attackers.

For the better?  

What if there are some silver linings from this sort of event?  Sony will have to fight a bit harder to find them, of course, but generally, something of this magnitude yields some fruit.

Could awareness about incident response be improved?

Could this define a new APT model or specific attacks that cybersecurity practitioners can defend against in the future?

Might companies recalibrate budgets, strategies and metrics to strive for security instead of compliance?

For the indifferent?

Or is this just another loud fart in a hurricane?  These mega breaches are occurring at an astonishing rate.  Is it possible that people are starting to get numb to it?  Could we become victims of alarm fatigue before the next big attack is announced?

Whats next?

The Sony saga will likely continue for some time, and may well leave an indelible mark on the company that is difficult to recover from.  Hopefully, we are all are able to extract some positive lessons from this very public depantsing.

I’ll stop shy of suggesting that the terrorists win with this salvo, but I will offer one possible apropos ending to this sordid affair:

What if Sony can rise from the ashes of this devastating attack by making a blockbuster movie about the very attack that brought them to their knees?  I could imagine video games, action figures, lunch boxes, tshirts, the whole buffet.  Imagine if they could turn this lemon tree into a lemonade factory that catapults them well beyond the earnings this movie would have earned them without all this free publicity?  I wonder how the attackers would feel about that?

If Sony can figure out how to keep the movie safe until its released, they might be able to pull it off.