So North Korea (allegedly) hacks Sony Pictures because it’s ticked off about The Interview, an (allegedly) humorous movie about a plot to assassinate North Korean supreme leader Kim Jong-un. The hack exposes all sorts of embarrassing Sony secrets (like who’s paid what). Sony cancels the offending movie’s theatrical release at the behest, it says, of terrified exhibitors. President Obama criticizes Sony for caving in to terrorism. North Korea’s Internet connection fails, here, a few hours after Obama has promised a “proportional” U.S. response. Then Sony, showing a firm corporate resolve reminiscent of pudding, caves in again and announces a “limited release” of the movie, here, as stoner star and co-director Seth Rogen fatuously tweets, “The people have spoken! Freedom has prevailed!” here.
This all would be comical (funnier, I’m sure, than the movie will be) if one ignores the fact that we now have a semi-acknowledged cyber war, and that’s not funny at all.
Sony has been cavalier about IT security for a long time. In a 2007 CIO Magazine story, here, Sony’s executive director of information security acknowledged that a 2005 audit had identified weak passwords as a security problem and a potential Sarbanes-Oxley violation. Defending himself and Sony, the executive called investing in information security a “risk-based” business decision like any other, guided, he said, by “What’re the most important things absolutely required by law.”
He was wrong, and not because Sony got hacked. Risk-based business decisions are not relevant when it comes to the possibility of planes falling out of the skies, lights going out all over the world, and nuclear reactors running amok (as they did in 2013 in Iran, here, when Israel and the U.S. unleashed the Stuxnet virus, destroying an estimated fifth of Iran’s centrifuges), not to mention the exposure of your credit cards, health records, and so on, ad infinitum.
Cyber-security has been chewed over by vendors and experts for at least a generation and, as far as I’m aware, nobody has come up with a single new, unique, or useful idea – that is, thought leadership. Security vendors urge businesses to buy the stuff they’ve been selling for years: intrusion detection software, encryption keys, firewalls, etc. Experts repeat the same old advice: lock down those laptops and smart phones; confiscate those thumb drives; institute “robust” compliance policies, and buy the stuff the vendors are selling. Both vendors and experts have been saying the exact same things for decades despite the radiantly obvious fact that none of it works very well. It didn’t work for Staples, Target, and JP Morgan yesterday; it won’t work for someone else tomorrow. And still the experts recite the by-now tired and utterly meretricious (albeit probably accurate) wisdom that there are two kinds of businesses: Those that have been hacked and those that don’t know they’ve been hacked.
That’s a big help.
It may be that there is no good answer when it comes to information security, no way to foil the bad guys – either state-sponsored criminals or freelancers – except to unplug from the Internet, and no business can do that and stay in business. The Internet was built to connect people and businesses as easily as possible, not to make it difficult, and the increasingly efficient and cost-effective uniformity of hardware and software used to accomplish that makes all connected systems and networks structurally vulnerable to those who would use them to steal and destroy. However, the paucity of thought leadership in the information security field is notable and depressing.
It would be refreshing – and encouraging – if someone came at this admittedly complex problem from a new angle, and developed a new idea, any new idea.
That would be thought leadership, and as universal connectivity increasingly comes to seem more threatening than beneficial, we can certainly use it.