The Sony hack is more than a security nightmare. It’s a once-a-decade event that will kick off major changes in how companies use technology.
That’s according to former Microsoft executive Steven Sinofsky, who was responsible for the last two versions of Windows and many versions of Office before them.
He now works with Andreessen Horowitz and advises various startups in their portfolio, including file-sharing company Box and security company Tanium.
Over the weekend, Sinofsky wrote about how the Sony breach reminds him of some of the big computer virus scares of the 1990s.
First, in 1996, something called the Word Concept worm started popping up on millions of computers. It displayed an alarming-looking message.
It had hijacked a useful feature of Outlook, Microsoft’s email program.
Three years later, Sinofsky picked up the phone to a reporter “hyperventilating” about Melissa, another virus that also hijacked useful features of Outlook and Microsoft Word.
In both cases, Microsoft was forced to respond with massive changes to how these programs worked. But those changes broke useful functionality, and business customers got angry all over again. Sinofsky writes:
Enterprise customers were on the phone immediately. We were doing white papers. We were working with third parties who built and thrived on Outlook extensibility. We were arming consultants to rebuild workflows and add-ins. While we might have “caused” billions in damage with our oversight (in hindsight) it seemed like we were doing more damage. Was the cure worse than the disease?
There were a couple of other defining security moments in the early 2000s — particularly the Code Red and Blaster worms, which kicked off a major program at Microsoft called “Trustworthy Computing” to make Windows and other products much more secure.
In each of these cases, computing technology progressed to a certain point because businesses demanded useful features: email programs that could handle more than just sending and receiving simple text messages, and computers connected to a network and the internet rather than standing on their own.
In each case, both the companies that made products (like Microsoft) and the businesses that used those products had to rethink how they did security.
Sinofsky argues that the Sony breach signals we’re at another one of those breaking points. Here’s why:
- Businesses have demanded more knobs and dials to configure computer systems. That’s great for flexibility, but it also means there are more places to attack.
- There are more places to execute code. As companies add more and more applications, that means there are more and more places to run code. It’s impossible for the people in charge of security to keep track of and secure all of these different places, but the bad guys only have to figure out one. As Sinofsky writes, “Macro languages, runtimes, and more — execution engine on top of programs/execution engines… Today’s platforms have an almost uncountable number of execution engines.”
- New ways of connecting to each other equal new “social engineering” angles. Most hacks rely on somebody inside a company doing something inadvertently wrong — giving a password away to a stranger posing as an IT director, installing malware from a seemingly harmless web site, or letting somebody who looks like they know what they’re doing into a building. When employees communicated mostly over email and the phone, these social engineering vectors could be somewhat tamped down — you could tell employees never to open attachments and not to give passwords out over the phone. But now there’s SMS, social media, weird web sites, malware on USB sticks that you can find at conferences or events, and millions of other ways for attackers to trick us.
The Sony hack is the culmination of these vulnerabilities, which rose up over time as companies demanded more and more productivity.
As in the past, it will take some time for security to catch up.
Sinofsky points to some possible solutions, like new ways of building operating systems (iOS, for instance, is much more restrictive than Windows or Mac OS are); cloud services (cloud providers know much more about security than the typical company, and take great pains to secure their services since an attack can put them out of business); and new authentication models like two-factor authentication (where you have to enter a password sent to you via SMS) or biometrics (like the iPhone’s fingerprint scanner).
But in the meantime, it’s going to be a wild ride.