Tag: Sony

SOTU: Cyber What?

In last night’s State of the Union Address, President Obama briefly reiterated the point that Congress has an obligation to pass some sort of legislation that would enable cybersecurity to protect “our networks”, our intellectual property and “our kids.” The proposal appears to be a reiteration that companies share more information with the government in real time about hacks they are suffering. Yet, there is something a bit odd about President Obama’s cybersecurity call to arms: the Sony hack.

Amid the public attention given over to the Sony hack, from the embarrassing emails about movie stars, to the almost immediate claims from the Federal Bureau of Investigation (FBI) that the attack came from North Korea, to the handwringing over what kind of “proportional” response to launch against the Kim regime, we have watched the cybersecurity soap opera unfold. In what appears as the finale, we now have reports that the National Security Agency (NSA) watched the attack unfold, and that it was really the NSA’s evidence and not that of the FBI that supported President Obama’s certainty that North Korea, and not some disgruntled Sony employee, was behind the attack. Where does this leave us with the SOTU?

First, if we believe that the NSA watched the Sony attack unfold—and did not warn Sony—then no amount of information sharing from Sony would have mattered. Sony was de facto sharing information with the government whether they permitted it or not. This raises concerns about the extent to which monitoring foreign attacks violates the privacy rights of individuals and corporations. Was the NSA watching traffic, or was it inside Sony networks too?

Second, the NSA did not stop the attack from happening. Rather, it and the Obama administration let the political drama unfold, and took the opportunity to issue a “proportionate” response through targeted sanctions against some of the ruling North Korean elite. The sanctions are merely additions to already sanctioned agencies and individuals, and so functionally, they are little more than show. The only sense that I can make of this is that the administration desired to signal publicly to the Kim regime and all other potential cyber attackers that the US will respond to attacks in some manner. This supports Erik Gartzke’s argument that states do not require 100% certainty about who launched an attack to retaliate. If states punish the “right” actor, then all the better; if they do not, then they still send a deterrent signal to those watching. However, if this is so, it is immediately apparent that Sony was sacrificed to the cyber-foreign-policy gods, and there was a different cost-benefit calculation going on in the White House.

Finally, let’s get back to the Sony hack and the SOTU address. If the US was taking the Sony hack as an opportunity in deterrence, then this means that it allowed Sony to suffer a series of attacks and did nothing to protect them. If this is the case, then the notion that we need more information sharing with the government may be false. What the government wants is really more permission, more consent, from the companies it is already watching. Protecting the citizens and corporations of the US requires a delicate balance between privacy and security. However, attempting to corrupt ways of maintaining security, such as outlawing encryption, only makes citizens and corporations more unsafe and insecure. If the US government really wants to protect the “kids” from cyber criminals, then they should equip those kids with the strongest encryption there is, and teach good cyber practices.


North Korea and Hollywood: the Perfect Holiday Storm


A perfect storm is defined as an event in which a rare combination of circumstances results in an event of unusual scale and magnitude. 9-11 is a classic, and tragic, perfect storm. This December the world has witnessed another perfect storm involving the confluence of culture and foreign policy: the bizarre North Korean hacking of Sony and the scare that arrived just in time for the holidays for millions of Americans.

Not since the Danish publication of a cartoon that Muslims viewed as an insult to Islam has a confluence of this kind had such serious consequences. The Sony executives, who made the spoof film involving a comedic sendup of North Korean repression that ended in an assassination of its sitting leader Kim Jong-un, cannot be faulted for making the film that North Korea took such exception to. But by filming a scene in which the dictator’s head explodes, they crossed a line and all but invited hacker retaliation.

Sony’s internet defenses were surprisingly low, given a previous and rather damaging cyber penetration of its networks. But Sony’s greatest error was actually to take the threat of terrorism from the North Korean hackers on U.S. movie theaters showing the film seriously. Instead of standing up for freedom of expression (and protecting its investment), along with the major movie theater chains it caved.


Theatre and Cyber Security

By now I am sure many of you have seen the news that Sony has indefinitely postponed/canceled the theatrical release of The Interview under threat from hackers apparently connected to the regime in North Korea. It is not clear whether the threat was explicitly against movie goers or against the companies screening the film, and whether the assault would be virtual or physical in form (although the Obama Administration has suggested the theatre threat was overblown and has criticized Sony for withholding the film). What is clear is that the cancellation costs Sony tens of millions of dollars in lost production and promotion costs and has established a precedent that digital assaults can produce real world costs and behavioral changes.

Quite striking is the shift in construction of the Sony issue as a threat. Previous breaches of corporate information technology (IT) security have hardly prompted the kind of national security discourses the Sony case has generated. Indeed, the earlier disclosure of sensitive emails from the Sony IT breach did not result in discussions of national threat. Certainly, the more international and public elements of the situation suggest greater basis for making a national security claim. And yet, the appearances are deceptive. The Obama Administration specifically downplayed the possible threat to cinemas, with the Department of Homeland Security indicating there was no credible threat to cinemas or theatregoers. The cancelation of the film is certainly costly, but most of the cost is borne by Sony (to the tune of tens of millions of dollars). To that end, the IT breach is not any different from other corporate IT breaches where customer information has been compromised. The North Korean element is certainly substantive, but not altogether unique.

What the shift in discourse reveals is the socially constructed nature of threat. The public costs of the Sony IT breach are economically smaller than in other breaches, and the linkage to an external state is not unique to the Sony case. So materially, there is little that obviously qualifies the Sony IT breach as a national security issue, much less something that calls for US government retaliation. The discursive shift regarding the national security ‘threat’ posed by the Sony incident highlights the utility of securitization theory for thinking about the issue of cyber security. Specifically, securitization theory directs our attention to how political actors are seeking to reconstruct the Sony IT breach in ways that justify extraordinary measures, in this case the US government risking conflict escalation with an isolated, reactive, and militarized regime in North Korea on behalf of a private economic/corporate entity. Notably, since the cancellation of the film, discourses have highlighted core elements of American political identity, specifically the right to freedom of expression, as the basis of the security claim. This discursive shift suggests a societal boundary with respect to information technology issues in the United States between a private concern (Sony breach before film cancellation) and a public security matter.

Securitization also draws our attention to the political effects of security, and as a consequence the costs of security. Who benefits from or is empowered by treating IT issues as security issues? What consequences arise from making IT security a national security matter? How can the state possibly mandate security measures for an issue that interweaves throughout the economy? What kinds of instabilities are created by involving states as security actors in the cyber realm with the strong potential of militarization? Certainly weak states will seek to take advantage of the asymmetric opportunities of global information technology, but the question of responsibility and countermeasures remains an open one for the most powerful and developed states in the system and whether those should lie with the state. Specifically, in past nonsecuritized (from the standpoint of the state) IT breaches, the responsibility and the cost were assumed to lie with the victimized corporation. Securitization shifts that responsibility and cost to the state.

I have long been a skeptic of the concept of cyber security as such, and for me securitization theory opens up an analytical space for critically interrogating the concept of cyber security, the process by which information technology issues are transformed into security, as well as the political and social effects of terming information technology as security.

 

**Thanks to Dave McCourt for helpful comments on this post!

 


© 2020 Duck of Minerva
