As I sit here eating my lunch, I’m thinking about all the articles I’ve read over the last week concerning the Sony cybersecurity attack, the movie “The Interview”, and the reaction thereto. Thoughts are starting to gel together, so I thought I’d share them:
- How Could America Give In Like This? This is a question I’ve seen throughout Facebook, with an appropriate share blaming Obama for all these troubles. The response, however, shows a lack of critical thinking — for it is asking the wrong question. America — at least the government — has no connection to the capitulation to the hacker’s threats. That’s squarely on Sony’s shoulders. Further, Sony isn’t necessarily completely wrong. Put yourself in Sony’s shoes. A hacking group — which you believe to be connected to an unstable government — makes threats intimating mass casualties at theatres showing this movie. Further, a number of your exhibitors are publicly deciding not to show the film. So which is better: Show the film, and if god forfend an attack occurs, deal with all the lawsuits… or take the economic hit for pulling it now (and possibly have insurance cover the loss). Sony made the correct business decision. Where they erred was stating the film would never be released, in any form. That’s stupid. Release it on video-on-demand across multiple platforms — there’s no way the adversary can attack all those individual homes, or all the individual servers serving the media (ETA: of course, after Obama’s statement, now Sony says they may do that). Put CDs in every Target and Walmart and Costco. Pulling it 100% is giving in to FUD (Fear, Uncertainty, and Doubt). I’m not only looking at Sony here — Paramount pulling Team America has given into the same FUD. Want another perspective? Read Ken Davenport. Oh, and by the way, Obama says Sony shouldn’t have pulled it.
- But this permits (name your county) to censor our movies! Oh, and you think your movies aren’t censored now? The government may not censor them, but studio executives do every day when they decide which projects to green light and which to stop. The MPAA does it when they rate movies and amp violence over sex. What happened here will not stop such movies from being made. What it will curtail is major studio distribution of such movies, making them harder to find. That, by the way, is where studios really “censor” — in what they agree to distribute or not. There are many movies that remain unseen for lack of a distribution partner.
- But how could this happen? Isn’t the government supposed to protect us? The government’s job is to protect government systems. There have been repeated attempts to strengthen overall cybersecurity, but they have never made it through Congress as they would involve private corporations working closer with government, and sharing information. This also appears not to be the result of a simple cracker; this seems to be a targeted attack by a determined nation state. Bruce Schneier has a good analysis of this. He also has some very good conclusions:
For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.
The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its starsor if their response systems had been agile enough to kick the hackers out before they grabbed everything.
My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations, gossip, medical conditions, love lives exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.
This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.
- But why would they do this? A good question. This isn’t just because the movie makes fun of the leader of North Korea. That’s been done before. Vox has a good analysis of the reasons behind this. The short summary is: To show they can. North Korea gains much of its power through its military, and by presenting the appearance of that power outwardly and inwardly. Outwardly it does it through threats and intimidation; inwardly it does it to justify spending on military rather than the people. Vox summarizes it thusly:
This is belligerence meant to deter the much stronger South Korea and US, and to draw international attention that North Korea can use to bolster domestic propaganda portraying Kim Jong Un as a fearless leader showing up the evil foreign imperialists. It is meant to foment the isolation and tension that has allowed the Kim family to hold onto rule, impossibly, for decades. It has nothing to do with Sony’s film, however offensive it may be, with the film’s portrayal of Kim, or with free speech in America. In believing North Korea’s rhetoric strongly implying a connection, we are buying into the country’s strategy and helping Kim succeed.
[…]
This strategy of portraying itself as crazy is remarkably effective at securing North Korea’s strategic goals. But it is also quite dangerous. By design, the risk of escalation is high, so as to make the situation just dangerous enough that foreign leaders will want to deescalate. And it puts pressure on American, South Korean, and Japanese leaders to decide how to respond — knowing that any punishment will only serve to bolster North Korean propaganda and encourage further belligerence. In this sense, the attacks are calibrated to be just severe enough to demand our attention, but not so bad as to lead to all-out war.
Over on the Kapersky blog, they put it this way:
“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”
- So what is the long term impact? As with anything, I believe there will be both good and bad impacts. On the bad side, we may see artists reluctant to tackle hard subjects in major films, knowing they will have difficulty getting them through the studio system. We may also see studios much more reluctant to distribute controversial films (for example, film studio New Regency has cancelled its planned movie adaptation of acclaimed graphic novel Pyongyang). This may end up being a boon for Science Fiction films, as they can often make the same point using metaphors without naming real countries and real people. More significantly, on the bad side, is the message this sends: For the controversial stuff that gets through, are we going to see more threats and intimidation? If some fundamentalist group doesn’t like the subject of a movie, can they just threaten a 9/11-type attack and have it pulled? This is bad, very bad — and it might even lead to the death of large-screen cinema (as you can’t attack video-on-demand with such threats — only large groups of people). On the good side, it may make corporations much more aware of the need for Cybersecurity, and it may help government efforts related to cybersecurity. In fact, the senate and house just passed a new cybersecurity bill that will bolster cyber research and development, the cyber workforce through training and education and technical standards for cybersecurity through NIST. It’s a start. It may also move controversial subjects back onto the live stage, as such performances often attract much less attention.
