This is the Christmas that is eating Hollywood.
The great hulking behemoth that is America’s entertainment industry has watched first in bemusement, then scorn, and now fear and fury as the mighty Sony Pictures has been brought to its knees by an anonymous group of computer hackers acting – so says the FBI – at the behest of North Korea.
The absurdities have been escalating almost as fast as the diplomatic and geopolitical stakes. This time last week, the country’s media echo chamber was still obsessing about the hurtful things that super-producer Scott Rudin had said in leaked emails about Angelina Jolie and the tasteless, racially tinged jokes about Barack Obama that Rudin exchanged with the co-chairman of Sony Pictures, Amy Pascal.
Now, in the wake of Sony’s decision not to release The Interview in cinemas (though the company says it is seeking other ways to distribute it), the improbably low-brow buddy movie starring Seth Rogen and James Franco that has moved the North Korean regime to extraordinary anger, the company has been lambasted for capitulating to “cyber-terrorists” and failing to stand up for free speech. The White House has both rebuked Sony – Obama said at his year-end news conference on Friday the company had made a mistake – and talked of a “proportional response” to the North Koreans.
In Hollywood, it has been an extraordinary season of fear and loathing. Sony has come under fire for being both too bold and not bold enough. On the one hand, it greenlit a movie depicting the assassination of Kim Jong-un, a living world leader, and continued to support it even after North Korea started describing the film over the summer as “an act of war” and “reckless US provocative insanity”. And, on the other, it decided not to release the film in any form after the hackers distributed a barely coherent email threatening 11 September-style mayhem at any venue that showed it.
The company has been accused of appeasing the North Koreans in the same way that Neville Chamberlain appeased the Nazis, of mishandling the crisis from start to finish and – perhaps most seriously – of betraying its own employees through sloppy oversight of its computer systems. At least three groups of plaintiffs have filed class-action lawsuits accusing the company of failing to protect its confidential data, including medical records, bank details and social security numbers.
Sony, for its part, has made a half-hearted attempt to blame the media, deploying a small army of lawyers and celebrities to accuse them of being accessories to a crime and fanning the flames. Even after the decision to pull The Interview, the prominent screenwriter Aaron Sorkin, who has a project with Sony, claimed that “easily distracted members of the American press who chose gossip and schadenfreude-fuelled reporting” had given the “terrorists” exactly what they were looking for.
It seems scarcely believable that all this has been triggered by a self-consciously sophomoric comedy which, according to the few critics who have seen advance screenings, is more concerned with penis jokes than geopolitics and plays the face-melting death of Kim strictly for laughs, much as the team behind South Park killed Kim’s father, Kim Jong-il, in the 2004 puppet comedy Team America: World Police.
Scarcely believable, too, is the blitheness with which Seth Rogen was talking about the crisis as recently as last Monday. “There was a moment,” he told the New York Times, “where they were like, ‘They threatened war over the movie … Would you consider not killing him?’ And we were like, ‘Nope.’”
The damage, however, is indisputable. Sony’s entire corporate cupboard was laid bare: personnel files, emails, business plans, scripts and rough cuts of forthcoming movies. Swaths of data were erased from its servers altogether. It is being widely described as the largest corporate hack to date.
The cancellation of The Interview means Sony writing off about $80m in production and marketing costs. The interruption to the company’s business and the mounting litigation could push the damage north of $1bn by some estimates.
Meanwhile, the question haunting the rest of the entertainment industry is: who’s next? “Are they going to go after the next studio, because they can?” one former Hollywood executive, who has worked for Sony, worried. “What happens if the whole industry is threatened? The problem is not confined to Hollywood. It could go to the banks, or to critical infrastructure like air-traffic control systems or nuclear power plants. There are potentially deadly consequences.”
Sony’s rivals have gone deathly quiet for fear of attracting undue attention. When a handful of independent cinemas said they wanted to screen Team America instead of The Interview as a form of free-speech solidarity this Christmas, the studio behind the older film, Paramount, hastily denied them permission.
Only a few days ago, the other studios were hopeful that a delay in The Interview’s release date could mean more business for them over the holidays. Now the fear is that the very mention of a 9/11-style attack will depress box-office takings for everyone.
Computer security experts, meanwhile, are said to be working around the clock – at Fox, Warner Brothers and Paramount, as well as Sony – to build up their corporate defences. The consensus is that no entertainment company has taken cyber-security seriously enough. Things are not thought to have improved much since 2007, when Sony’s head of information security, Jason Spaltro, gave a notorious interview in which he said it was a “valid business decision to accept the risk of a breach” and he wasn’t about to spent $10m to prevent a $1m leak.
“Hollywood’s just not that on top of it,” one Sony Pictures employee who has worked at numerous other studios said. “People haven’t been very worried about these things. They are now.”
To some older Hollywood hands, the Sony hack is the digital-age equivalent of another seminal moment, the Manson family murders of 1969, which claimed the life of a pregnant Sharon Tate and seven others. Back then, the beautiful people rushed to lock their previously open doors, moved into gated communities, flushed drugs down the toilet and hired security firms to manage guest lists at parties.
Now, in 2014, everyone is backing up data, setting up password protection for sensitive documents, devising more secure passwords and hiring private data protection consultants – the one group guaranteed to make a killing from this crisis.
In theory, Sony went through this before, following a hack of its PlayStation network in 2011. The company hired Phil Reitinger, a computer security expert who had worked for Microsoft and the US Department of Homeland Security, to overhaul its computer systems, build more secure firewalls, encrypt vital data and improve password practices.
But the results, according to the Sony Pictures employee, have been hard to see. At the time of the hack on 24 November contracts, scripts and other vital documents remained unencrypted. Few if any Word files were password-protected. And while the company talked about doing so-called “penetration testing” – simulated attacks on the servers to test their strength – the hack suggests they were not effective. The hacked documents only confirm the impression of laxity.
Among the stolen personnel and financial records are folders and documents marked “passwords”, containing lists of employee usernames, passwords, credit card numbers and other sensitive data. An email from the chief financial officer, David Hendler, to Sony Pictures chairman Michael Lynton shows the company experienced months of outages in the runup to the hack – outages caused by limited storage space, unstable software repairs and what Hendler described as “an unskilled support team”.
Still, it remains unclear if Sony was targeted because it was easy to attack, or because the hackers – calling themselves the Guardians of Peace – were particularly sophisticated.
Plenty of other questions remain. Many Hollywood insiders and computer experts are questioning the FBI’s finding of North Korean involvement and say an inside job by an ex-employee with a grudge – and an ability to mimic established North Korean hacking techniques – remains more likely.
“It’s not hard to see that North Korea can do this,” the former Sony executive said. “But it’s hard to see how they’d know what to send to Gawker and BuzzFeed, how they’d be so savvy about creating maximum embarrassment for the company out of this vast trove of material.”
Investigators have been poring over the Guardians of Peace communiques, puzzled by the fact that passages of perfectly coherent English are interspersed with lines like: “We will clearly show it to you… how bitter fate those who seek fun in terror should be doomed to.” That’s either a Korean leaning too heavily on Google Translate in a pinch, or a homegrown hacker with a wicked sense of humour. Either way, the Obama administration said the threat was not credible.
Messages purporting to be from the Guardians of Peace in the past 48 hours have grown contradictory – one telling Sony it has suffered enough and can now release the movie, minus the death scene, and another threatening violence if trailers and other supporting material are not pulled off the internet immediately.
The whole affair has wavered alarmingly between deadly seriousness and high farce, making critical judgments difficult or impossible – not that it has stopped the usual media darlings, everyone from Hollywood-haters to Washington foreign-policy hawks, from weighing in. Predictions range from a boardroom shakeup at Sony Pictures to the outbreak of world war three.
The cultural critic Andrew O’Hehir got about as close to the heart of things as anyone. “The titans of America’s culture industry,” he wrote in the online magazine Salon, “have been revealed as stupid and calculating and driven by fear… We should have known that already, but maybe the reminder is useful.”
guardian.co.uk © Guardian News and Media Limited 2010