Reflecting on the historic pantsing that some North Korean hackers gave Sony Pictures, I think some could fairly describe it as the best possible thing to happen right now. And by ‘some’ I do not mean Sony’s competition. You can bet their own schadenfreude is heavily tempered by a frantic code brown review of their own data security. Rather I mean experts like Richard Clarke who have been screaming, begging and tearing their hair out about digital security.
When you think about how many ways a hostile power, or a hostile group of teenagers with a laptop, can screw with us, the main question about a digital 9/11 is when, and how bad.
As it turns out the answer is now and pretty bad, but importantly not the end of the world. A company lost money and a lot of people got embarrassed. Blackmailers got what they wanted, which will no doubt encourage underpowered states to screw with big powers more in the future. But in the end no one died, even if a few sys admins probably wish they had. Overall I think people will eventually look back and feel very, very lucky that it shook out that way. Let me lay out my thinking.
By now it should be clear that most of our digital infrastructure has shit security. College compsci majors can usually red team their way into our electrical grids. Lockheed might put up a fight (the Chinese get through anyway) but 2014 taught some hard lessons about how most companies neglect their computers. Sony’s admins basically kept an unencrypted folder titled ‘everyone’s password’. Target stepped on a rake and Home Depot protected customer data like your great-aunt protects her AOL account. It is not terribly gratifying when you give up begging her to use something more challenging than ‘password1’ for the eighty-seventh time and the next day she ‘donates’ $42,000 to a teenager in Sevastopol. Home Depot, for its part, lost the payment and personal information of every goddamned customer for the last six months.
You could ask, why should the Sony hack do any good? Earlier breaches did not persuade Target to overhaul its security and the Target disaster somehow failed to dislodge Home Depot’s head from its ass. I think it has a lot to do with who got hurt. The earlier breaches embarrassed Target and Home Depot and pissed off shareholders, but aside from sacrificial scapegoats in mid-management the breaches were mostly a customer problem. That let businesses regard these things coolly, from a risk-reward perspective. In broadest terms you could describe the hacks as someone else sneaking in and shearing some more wool off of the sheep.
Sony more or less inverted that story. Some customers got fleeced, for example I might avoid the Playstation Network for now, but that does not begin to describe what happened to Sony. Instead of sneaking in an open barn door and making off with livestock in the dark, North Korea made a public spectacle out of Sony’s humiliation. They screwed with employees’ computer monitors. They released emails, scripts, drafts, planning documents, IT records and anything else they could find on Sony’s hard drives. Nobody likes having their private business written on a banner pulled behind a slow-flying plane, and I imagine it comes as an especially rude shock to corner office executives long used to lavish deference and (limited) untouchability.
When you are humiliated, more than anything else you want the story to fucking please go away already. Sony for example sent some very expensive lawyers on a futile quest to get the press to leave this story alone. Yet the story just. will. not. die. In part this has to do with Sony being an entertainment company. We Americans go embarrassingly gaga for stage managed little news bites about our favorite celebrities and the films they make, so we have no defense against all that stuff shooting unedited out of a fire hose for everyone to consume all at once. What’s wrong with the next Bond movie, what might happen to Spider-Man, what do Sony employees think about Adam Sandler? (not highly.) You have an academic look at one of the larger businesses in entertainment, suddenly rendered completely transparent. You have the national security angle for us policy wonks. Then you have the safety versus freedom angle about releasing the movie, a tough call that I would not necessarily second guess. You never know how much more damaging material they might have held back as a threat. The disaster has an absolute, seemingly bottomless wealth of story hooks.
It all adds up to an astonishing ordeal for Sony: a public humiliation and a financial disaster that just drags on and on, exposes and hampers their long term business plans and then, adding insult to injury, Sony becomes the goat for pulling the movie. Put me in the place of a senior executive at some other business or utility and I will do two things, basically right away. First I will look hard at who I might piss off and how I can avoid it. Like that reaction or not, you had better learn to live with it. Power has moved around some since the days when America’s most dangerous neighbors were Canada, Mexico and sharks. Nowadays the walls around your castle are only as secure as a password, and most passwords are shit. Nobody with a corner office and a Bentley wants to sacrifice himself for your principles.
However, I also find it pretty damn self-evident that we have entered a bull market for computer security. Nothing bumps security up the cost-benefit ledger like this seemingly neverending public ruin and humiliation of a company that probably did a better job at securing its networks than you do. After all, you can’t please everyone all the time. Stepping lightly earns some peace of mind, but people sleep a lot better when they don’t have to. For that reason I suspect, and by that I mean I desperately hope, that Sony will provide that extra psychological nudge for people who run things from radio stations and online stores to airports and electrical grids to spend a few more resources red teaming their network security. The next time someone puts that kind of effort into attacking a network they could have more in mind than a dumb movie.
From the comments.
My day job is network security. Sony is not going to be the wakeup call, because others will simply think they’re different, and it can’t happen to them.
It will take either a major months-long disabling attack on an electrical or water grid, or a major attack on a financial system (you wake up and your bank account, and a few million others, are zeroes) for companies and citizens to finally take this shit seriously.
Hell, even the basic lesson from the Sony hack – that YOUR email can be read by someone/anyone other than the intended recipient – has not gotten through the heads of any users I’ve talked to recently.
Sigh. Gonna start huffing glue early today.