It sounds like a never-ending refrain, but it has been a dreadful couple of weeks for big media. A fresh round of buyouts at The New York Times continues to erode the world’s greatest newspaper, proving that a falling tide sinks all boats. Rolling Stone, which in recent years could legitimately claim Mike Wallace’s legacy with reporting that sent shivers down the spine of its subjects, has unwittingly returned to the days of Dr. Hunter S. Thompson, running stories that may be deeply engaging, but you’re never sure if they’re true. And just nanoseconds after celebrating its centennial, The New Republic strapped on a suicide vest and imploded, showing that $5 million in red ink is too much even for a Facebook founder to mop up. Chris Hughes does not abide.
But by far the most disturbing event was the cyber-terror attack on Sony Pictures. Working under cover of Thanksgiving, a group of hackers calling themselves the Guardians of Peace looted Sony Pictures Entertainment’s corporate data systems. Aside from stealing and publishing terabytes worth of private executive correspondence, salary data, social security numbers, passwords, passports, phone numbers and strategic plans, the Guardians hijacked four upcoming films (and a just-released Brad Pitt feature) and posted them on numerous file-sharing websites.
Assessing the monetary damage is impossible, though cybersecurity experts estimate $75 to $100 million and up (a significant number against the studio’s most recent $500 million annual profit). If history is any guide, the full extent of the breach will never be disclosed.
It is contended, though with no hard evidence, that North Korea orchestrated the blitz, presumably as pre-emptive retribution for “The Interview,” the Christmas-release Sony comedy about two journalists who somehow finagle an interview with Kim Jong-un and are then recruited by the CIA to assassinate the North Korean strongman. The Guardians have demanded Sony drop plans to release the film (not one of the stolen features handed over to the pirate sites). North Korea has officially denied complicity, though they have praised the attack.
Threats against Sony employees have ensued, though the Guardians have denied responsibility for that. And Sony now reports some sort of separate demand from the Guardians, certainly not payable if North Korean won, that Sony says it won’t meet.
Academics, consultants, and journalists have cautioned for decades about the ever-growing corporate dependence on information systems. That ship, of course, sailed a long time ago. Today, some of the most highly valued enterprises on the planet are little more than bits and bytes and the real estate where the employees gather to generate more bits and bytes.
Just as we don’t take our individual online privacy seriously because we believe we can do little to safeguard it, we don’t ponder the implications of corporate reliance on digital systems because there is essentially no alternative beyond doing what little we can to counter the existential threat. But defending against cyber attack is not as simple as stationing an army at the Rhine or the 38th parallel. This is more a game of 3D whack-a-mole, where the moles are constantly evolving cancer cells.
We hardly blink an eye anymore at news of cyber attacks, no matter how brash, since the headline-grabbing hacks (most recently against Home Depot, Target, and JPMorgan) are generally straightforward thefts of account data with rarely discernible impact on individuals. The Sony attack, however, is a horse of a very different color, since the strike is aimed, quite simply, at destroying the company. Other assaults at the heart of an enterprise, such as Anonymous’s targeting of MasterCard when it pulled its service from WikiLeaks, have been recorded, but nothing on this scale.
It is certainly plausible that North Korea is guilty. But putting responsibility aside for the moment, the monetary damages to Sony (partially covered by insurance this time around) and the harm to the company’s reputation are severe. And if the Thanksgiving attack is merely the first salvo in a cyber war, where Sony Pictures is effectively taken hostage and can’t operate, could the studio become the first major company that is virtually executed? Sony is no doubt shoring up its defenses, but what if the attacks continue? What if leaks of private, personal information, operating plans, and additional important films, become a steady stream?
If producers, stars, or agents fear working with Sony, could that failure of confidence doom the studio? Certainly not overnight, but over time? Businesses don’t always fail on the fundamentals. A solvent bank, for instance, can be driven to insolvency by faltering confidence.
And if the culprit is indeed North Korea, how do we respond to such state-sponsored terrorism? A Pentagon-sponsored counter-attack?
Hopefully this is just the premise for a script. (Are you listening, Alex Ganza?) It’s too alarming to think it could be real.
Ken Sonenclar is a Managing Director at DeSilva + Phillips, a media/tech investment bank based in New York. He provides M&A advisory services to middle-market digital-media companies around the world.