{"id":51790,"date":"2014-12-29T12:00:07","date_gmt":"2014-12-29T12:00:07","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=51790"},"modified":"2015-05-05T21:27:08","modified_gmt":"2015-05-05T20:27:08","slug":"hacked-corporations-dont-deserve-our-sympathy","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/12\/hacked-corporations-dont-deserve-our-sympathy\/","title":{"rendered":"Hacked Corporations Don\u2019t Deserve Our Sympathy"},"content":{"rendered":"<p><em>There is no cyber Pearl Harbor. Sony has been falling on its own sword for a long time.<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/12\/the-interview-sony-hacking.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-51791\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/12\/the-interview-sony-hacking-1024x639.jpg\" alt=\"the interview sony hacking\" width=\"624\" height=\"389\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/12\/the-interview-sony-hacking-1024x639.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/12\/the-interview-sony-hacking-300x187.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/12\/the-interview-sony-hacking.jpg 1460w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/em><\/p>\n<p>Whenever news of a major computer breach breaks, the reactions of the affected company are just as revealing as the breach itself, if not more so. This is certainly true of the ongoing train wreck after the crippling Sony Pictures Entertainment hack, which has resulted in not only leaked emails, movies and financial data but also the cancellation of a major feature film.<\/p>\n<p>The nightmare began on Nov. 24 [2014], when a group calling itself Guardians of Peace penetrated Sony\u2019s network, wiped its servers and began leaking troves of stolen internal documents online. 
The leaks continued into December, revealing scandalous details of Sony\u2019s anti-piracy plans and political strategies as well as embarrassing emails and sensitive data such as employee Social Security numbers, passwords and encryption keys. While the hackers\u2019 goal originally seemed to be extortion, media reports billed the attack as an attempt to stop the release of \u201cThe Interview,\u201d a comedy about two American journalists recruited to assassinate North Korean leader Kim Jong Un. Then on Wednesday, a new message (ostensibly from the same group) threatened attacks against theaters showing the film. When theaters began pulling out, Sony made the shocking decision to <a target=\"_blank\" href=\"http:\/\/www.theverge.com\/2014\/12\/17\/7412393\/sony-cancels-the-interview-release-after-theaters-pull-out\/\" >cancel the movie\u2019s release<\/a>.<\/p>\n<p>There are conflicting theories about who is behind the attacks. Media outlets initially pointed at North Korea, noting the country\u2019s previous vague threats over \u201cThe Interview\u201d and similar cyberattacks believed to originate from the region.\u00a0<a target=\"_blank\" href=\"http:\/\/abcnews.go.com\/International\/interview-fbi-links-north-korea-sony-hacking\/story?id=27694178\" >The FBI has declared<\/a> the Hermit Kingdom responsible. But <a target=\"_blank\" href=\"http:\/\/www.wired.com\/2014\/12\/evidence-of-north-korea-hack-is-thin\/\" >security experts note<\/a> that identifying hacking culprits with 100 percent accuracy is often practically impossible. 
As far as we know, it\u2019s possible that Sony\u2019s network is being infiltrated by one or more groups of regular criminals or hacktivists fronting as North Korea for cover.<\/p>\n<p>But behind this headline-making whodunit is another question: Given Sony\u2019s reputation on cybersecurity and the horrible way it handled the breach, why should we have any sympathy for the company?<\/p>\n<p><strong>Far from a victim<\/strong><\/p>\n<p>When giant corporations such as Sony are hacked, they have one priority: Paint themselves as helpless victims by hyping the capabilities of the hackers to convince customers and shareholders that the breach was unavoidable. The public relations effort is often aided by top-dollar security specialists hired to investigate the breaches. Kevin Mandia, CEO of Mandiant, the security firm Sony hired to look into the hack, <a target=\"_blank\" href=\"http:\/\/time.com\/3623456\/sony-hack-unprecedented\/\" >called the Sony Pictures attack<\/a> \u201cunprecedented\u201d and claimed that neither Sony nor other companies \u201ccould have been fully prepared\u201d for it. The reason, he said, is that the malware used by the intruders wasn\u2019t detectable by any industry-standard antivirus scanners.<\/p>\n<p>But as Global Cyber Risk CEO Jody Westby <a target=\"_blank\" href=\"http:\/\/www.forbes.com\/sites\/jodywestby\/2014\/12\/17\/sony-earns-cyber-troglodyte-award\/\" >points out<\/a> at Forbes, this is a moot point. Any hackers worth their salt use attack code that evades antivirus detection, and such code is frequently traded on online black markets. Writing it isn\u2019t even that hard. 
And attacks that wipe out entire corporate databanks and email spools are <a target=\"_blank\" href=\"http:\/\/www.newyorker.com\/tech\/elements\/hacker-with-a-cause\" >hardly<\/a> \u201cunprecedented.\u201d<\/p>\n<p>Judging by the company\u2019s long history of lax security and embarrassing breaches (a 2011 hack of the PlayStation gaming network <a target=\"_blank\" href=\"http:\/\/www.theguardian.com\/technology\/2011\/apr\/26\/playstation-network-hackers-data\" >exposed 77 million user accounts<\/a>), it\u2019s far more likely the success of the attack had to do with Sony\u2019s failure to mitigate the damage. In fact, despite previous hacks, the leaks contain evidence that Sony is storing the Social Security numbers and passwords of its employees on its servers unencrypted. Two former employees have already filed a class-action lawsuit, alleging that the company knew about the risks it took but nevertheless failed to reform its security policies. \u201cSony gambled, and its employees \u2014 past and current \u2014 lost,\u201d they wrote in the suit.<\/p>\n<p>Even if that isn\u2019t the case, Sony\u2019s response to the leaks and threats undoubtedly made things worse. It started by <a target=\"_blank\" href=\"http:\/\/deadline.com\/2014\/12\/sony-pictures-letter-david-boies-deadline-1201326203\/\" >sending legal threats to journalists<\/a> reporting on the leaks, warning that they would be held \u201cresponsible for any damage or loss arising from &#8230; use or dissemination\u201d of the documents the hackers released. The letter, which reads like it\u2019s from an era before the Internet existed, is a tone-deaf diatribe on the realities of 21st century journalism. 
Corporations and governments should know by now: Once it\u2019s out on the Internet, it\u2019s out.<\/p>\n<p>Sony also allegedly attempted to stop the spread of the files by <a target=\"_blank\" href=\"http:\/\/recode.net\/2014\/12\/10\/sony-pictures-tries-to-disrupt-downloads-of-its-stolen-files\/\" >flooding BitTorrent sites with false data<\/a>, an anti-piracy tactic the company has used before that could run afoul of hacking laws. The company\u2019s decision to cancel the release of \u201cThe Interview\u201d also drew criticism; observers saw it as a capitulation to whoever made clearly overblown threats against the movie theaters showing the film. In an interview with Vice\u2019s technology magazine Motherboard, cybersecurity expert Peter W. Singer <a target=\"_blank\" href=\"http:\/\/motherboard.vice.com\/read\/reaction-to-the-sony-hack-is-beyond-the-realm-of-stupid\" >stated<\/a> what should have been obvious: \u201cThe ability to steal gossipy emails from a not-so-great protected computer network is not the same thing as being able to carry out physical, 9\/11-style attacks in 18,000 locations simultaneously.\u201d<\/p>\n<p>Which brings us back to that question: Why should anyone feel bad for Sony?<\/p>\n<p>The company\u2019s leaked emails provide many convincing reasons we shouldn\u2019t. Prime among them is <a target=\"_blank\" href=\"http:\/\/www.theverge.com\/2014\/12\/12\/7382287\/project-goliath\/in\/7166326\" >Project Goliath<\/a>, a multipronged anti-piracy campaign waged by Sony and other Hollywood studios against Google. The project, according to leaked emails, is designed to \u201crespond to\/rebut [Google]\u2019s public advocacy\u201d and \u201camplify negative [Google] news,\u201d and it includes a secret effort to revive through nonlegislative means the Stop Online Piracy Act (SOPA), the Internet censorship bill that was killed after nationwide protests in 2012. 
The documents mention influencing state attorneys general to take an anti-Google stance and even discuss blocking content by meddling with the Internet\u2019s DNS addressing system <em>\u2014 <\/em>a dangerous proposition that was the most contentious part of the SOPA bill.<\/p>\n<p>Draconian anti-piracy measures are nothing new for Sony. In the mid-2000s, Sony BMG, the conglomerate\u2019s music division, tried to block users from copying music by secretly placing malicious rootkit software on their computers through legally purchased CDs. The malware modified customers\u2019 operating systems to prevent CD copying and transmitted their private listening habits to Sony, prompting public outrage, government investigations and a partial recall.<\/p>\n<p><strong>True protection<\/strong><\/p>\n<p>Cybersecurity is a serious problem, even if Sony isn\u2019t the most sympathetic victim. But as with any attack, the biggest long-term consequence comes from our overreaction. Warmongering commentators are already spinning the Sony hack as an act of war against the United States, and policymakers will surely use it to advance controversial laws such as the twice-failed Cybersecurity Information Sharing and Protection Act, which would allow companies to share private customer data with the government.<\/p>\n<p>These bills aren\u2019t real cybersecurity solutions; their hawkish proponents fearmonger about nonsensical action-movie scenarios such as a <a target=\"_blank\" href=\"http:\/\/www.washingtonpost.com\/blogs\/monkey-cage\/wp\/2013\/11\/11\/cyber-pearl-harbor-is-a-myth\/\" >cyber Pearl Harbor<\/a>\u00a0or <a target=\"_blank\" href=\"http:\/\/www.theverge.com\/2014\/11\/21\/7259833\/cyberwar-is-bullshit\" >cyber 9\/11<\/a>\u00a0while pushing some of the same failed solutions as did the post-9\/11 \u201cwar on terrorism\u201d: decimating civil liberties to provide new capabilities that don\u2019t offer any security. And all the while, the U.S. 
is developing its own cyber-arsenal to unleash on whomever it pleases, no matter the costs. As journalist Russell Brandom put it at The Verge, cyberwarfare isn\u2019t about good guys versus bad guys;\u00a0it\u2019s about aggressors and victims, and we are all collateral damage.<\/p>\n<p>Fortunately, there is a better way to protect Americans from hacking: Enforce better information security standards for corporations that hold sensitive data. Security experts already have a good idea of what these standards should be<em>. <\/em>We just need to increase liability and punish companies that don\u2019t comply, not coddle them when they leave their doors unlocked.<\/p>\n<p>_____________________________<\/p>\n<p><em>Joshua Kopstein is a cyberculture journalist and researcher from New York City. His work focuses on Internet law and disorder, surveillance and government secrecy.<\/em><\/p>\n<p><a target=\"_blank\" href=\"http:\/\/america.aljazeera.com\/opinions\/2014\/12\/sony-hack-security.html\" >Go to Original \u2013 aljazeera.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is no cyber Pearl Harbor. 
Sony has been falling on its own sword for a long time.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[216],"tags":[],"class_list":["post-51790","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/51790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=51790"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/51790\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=51790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=51790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=51790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}