What Peter Elkind found in his six-month investigation of the cybercrime of the century should terrify corporate America.
We have devoted 12,000 words in our July 1 issue to an extraordinary story by Peter Elkind on the now infamous cyberattack against Sony Corp., which we’ve broken into three sections on Fortune.com. You can read part 1 here. (Part 2 will go live Friday morning, with the stirring conclusion publishing Saturday.) Time Inc.’s top editor, Norman Pearlstine—who has a longer history with this magazine than I do—says it is “one of the most important stories Fortune has ever published.” It is also a chillingly compelling, behind-the-scenes narrative of the events leading up to the attack. Were it not about them, the folks at Sony Pictures might make it into a movie.
In his six months of reporting, Elkind interviewed more than 50 current and former Sony executives, cybersecurity experts, and law enforcement officials, and relied on other sources, including emails made public as a result of the attack. We are sympathetic to the violation felt by Sony executives who committed their most candid communications to email, only to see them become fodder for media exploitation. We also are aware of the letter that Sony’s outside lawyer, David Boies, sent to us and other news organizations contending that those emails were stolen property and should not be used. And we acknowledge that the rise of the Internet, WikiLeaks, hackers, and the likes of Edward Snowden have dramatically changed the nature of our craft and our relationship with the subjects of our work.
[Photo: Peter Elkind. Photograph by Virgil Bastos]
Nevertheless, the story behind the Sony hack needs to be told, and told in full detail. What happened to Sony could happen to others, and the ramifications could be far more severe. The mistakes Sony made—failing to build adequate defenses despite a decade of hacking threats; focusing more intently on the risk of attack from an activist investor than from potential cyber-invaders—are mistakes that are being echoed elsewhere. There are lessons here that need to be learned.
We don’t condone the theft of data from Sony, and we played no role in causing or encouraging it. Reporters have long accepted information from unsavory sources. It’s our job to make sure that information is accurate, to determine whether it is newsworthy, and to do the reporting necessary to present it in proper context. In this case we have done all that, and believe our decision to publish is not only justified but also necessary.
In our recent survey of Fortune 500 CEOs, 10% of respondents called cybersecurity their “single biggest challenge,” with another 56% saying it was one of their “top three or four challenges.” And yet while companies now recognize the need to protect their computer systems, many still struggle with how to accomplish it. Some are looking for a silver bullet—the ultimate firewall, antivirus software, or “black box” solution—even though experts agree that search is futile. Others say they find it hard to justify spending hundreds of millions of dollars to protect against a risk that no one has been able to quantify and that doesn’t appear on their balance sheet.
Whatever rationalizations companies may offer, however, attacks against Sony, Anthem, J.P. Morgan, Target, and most recently the government’s Office of Personnel Management should by now have convinced us all that the cyberthreat is an existential one, and it isn’t going away. We can’t keep the hackers out. What we must do is a better job following the basic hygiene that makes it harder for them to get in—and installing systems and procedures to quickly detect and respond to their incursions. It also may be time to explore alternatives to the open architecture of the Internet for our most sensitive communications.
At the government level, there is one more issue that urgently needs to be addressed: deterrence. In the nuclear era we have avoided conflagration because nations with nuclear weapons know retaliation will be swift and certain. In the cyber age we have yet to develop such policies. What price has North Korea paid—if, indeed, it is responsible—for its attack on Sony? What price will the Chinese pay for the theft of U.S. government files, and many others that preceded it?
Until there are consequences, state-sanctioned cyberattacks will continue to grow.
A version of this article appears in the July 1, 2015 issue of Fortune magazine with the headline “A Story That Needs Telling.”