The Sony Hack Is Not an Excuse to Pass Bad Cybersecurity Laws
“This will be a case study I can guarantee will be both used and misused in everything from legislation to cybersecurity sales pitches.”
Image: Stephan Zurich/Flickr
Lawmakers on Capitol Hill have been warning of a "Cyber Pearl Harbor" for years now. The Sony hack isn't it, but it'll do, for freaking-out purposes anyway.
Since when does a shoddy attack on an un- and under-defended network mean we have to lose all sense of rationality? Movie scripts, emails, social security numbers, financial records—at the end of the day, it doesn't matter what was stolen: When you leave the front door to the Louvre unlocked, don't be surprised when some pretty nice paintings get taken.
Leaving the door open is exactly what Sony did. No company deserves to get hacked, but, that said, it's now Sony's problem, not ours. This incident does not signal an all-out cyber war on the United States, as some government fearmongers have suggested.
With the North Korea news, the refrain has quickly moved from one of Sony's incompetence to one of patriotism. All of a sudden, it wasn't just bad movie scripts and worse PowerPoints that were stolen. The talk now is of the social security numbers and the personal emails that were taken and the violence that was threatened.
No one is saying this isn't an impressively devastating hack on a corporate level. It's very, very bad—for Sony.
But we're giving North Korean hackers too much credit, especially when we canceled a movie over a vague threat of violence that came from a bunch of computer hackers half a world away.
North Korea (or whoever it was) used code that has been described by Cisco's security intelligence group as "simplistic, not very complex, and not very obfuscated" to steal social security numbers and intellectual property from a company that stores its passwords in an unencrypted Excel file called Master_Password_Sheet and saves unencrypted, plaintext listings of the unencrypted servers holding its employees' social security numbers.
As cybersecurity expert Peter Singer noted in our interview yesterday, "the ability to steal gossipy emails from a not-so-great protected computer network is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously."
The same can be said for stealing social security numbers and financial information and whatever other type of data you want to say makes this hack look more nefarious than it is.
Once you're in the system, you need no higher-level hacking skills, no greater level of sophistication to scrape a social security number than you need to scrape anything else from an unprotected, unencrypted system. The fact that this sensitive data was taken makes it no more likely that North Korean hackers can and will carry out a terrorist attack on American soil.
So, we—as a nation—probably shouldn't freak out about a vague threat of physical violence perpetrated by hackers using tactics that aren't all that advanced.
And yet, that's what we're doing. Major movie theaters refused to show The Interview, Sony canceled the movie, and Newt Gingrich has already posited that America has "lost its first cyber war."
But the hack says more about how flip Sony was with its own cybersecurity than it does about anything else. And this fear and overreaction matter because the Sony hack can be, and is being, spun to sound like the cyber war everyone has been dreading for years.
But, considering the security measures Sony reportedly took, it's not.
The mere specter of something like this happening is what has been used to attempt to push through terrible bills such as the Cybersecurity Information Sharing and Protection Act, a disastrous piece of legislation that would have put the NSA in charge of cybersecurity and would have allowed private companies to pass your information to the federal government.
But you'd think that the hack that's spurring the patriotism I've seen in comment sections, on Twitter, and in the media would be a little more sophisticated than this one, a hack perpetrated against a company whose CEO emails passwords and bank account numbers to his family members from his company account.
"This will be a case study I can guarantee will be both used and misused in everything from legislation to cybersecurity sales pitches," Singer told me in a part of the interview I saved for this article.
Amie Stepanovich, senior policy counsel at civil liberties group Access, says a bill like CISPA wouldn't have helped, in part because this stuff was cybersecurity 101. The hack would never have been this bad in the first place if Sony had taken its security more seriously.
Nonetheless, as we always do after a high-profile "security" incident, we're going to see politicians misuse this case.
"While [the retiring Mike Rogers], the author of CISPA, won't be in Congress, we can expect to see others take up his rallying cry about needing cybersecurity legislation," she told me. "We can only hope they look at it logically and intelligently and try to figure out what legislation can really protect users and communities without defaulting to broad information sharing."
The MPAA's Chris Dodd said that it's horrifying that "someone is able to literally hack in and steal what has now been identified as … 10 times the volume of all the printed material in the Library of Congress." He hopes that "steps will be taken [by the government] to minimize this kind of problem in the future."
Well, here's a newsflash: Companies (and the United States government) have been getting hacked by other countries for years. China's new J-20 stealth fighter jet should look familiar, because it's based on America's F-22 stealth jet, because China stole the blueprints and other incredibly important information from Lockheed Martin and the US military. Chinese hackers have been accused of stealing a trillion dollars' worth of intellectual property from American companies.
The literal theft of a war machine by another country wasn't enough to spur any sort of fear in the American people. Now, a state-sponsored hack on a company that did less than the bare minimum to keep it and its employees safe is going to spur the beginning of the cyber war age? It's the act that is starting our collective freakout about cyber criminals and state-sponsored hacking?
Congress will eventually pass some sort of cybersecurity law, but before American citizens are asked to give up their privacy and civil liberties in the name of making sure Sony doesn't get "completely owned," maybe companies themselves should take security seriously.
"It should not be acceptable in 2014, 2015 to leave information in the clear and yet, so many companies do," Stepanovich said. "It's leaving the door unlocked. It's still a crime to go in and take something, but it's almost an invitation to try."