Losing it
Alone among the coverage I've seen of the Sony hack, Gizmodo last week pointed out the impact on the company's many thousands of employees. Here are people who did nothing wrong - unless you consider allowing personal information to pass over company email wrong - but whose medical records, social security numbers, and home addresses are now strewn across the Internet, making them targets for all sorts of thieves, identity fraudsters, and attackers. The scope for harm here dwarfs the amount extra that Sony will have to pay (in both money and personal grovelling) to secure the services of the stars who were dissed in the more gossipy leaked emails. The latter is embarrassment that will pass; the former may reverberate through the lives of the employee and their families for decades.
It is because of those employees - not the shareholders, management, prospective audiences, or talent - that I have to take issue with all the celebrities lambasting Sony for pulling the movie at issue, THE INTERVIEW from release. No, the threat of bombing theatres was not particularly credible, but there is plenty of scope for retaliation to those employees. Sony is in the position of a company whose headquarters has been captured with all the employees inside held hostage. First, you do your best to get out of, or at least calm, the crisis. Then you think what to do longer-term. The movie and its release date are what Alfred Hitchcock used to call a MacGuffin - utterly irrelevant in itself, but the thing everyone fights over that drives the plot.
The news is changing too fast to keep up with. The latest, as I type, is that the FBI has formally accused North Korea of perpetrating the hack, and that the US is consulting Japan and China on what to do next. Books will be written explaining what really happened; it's going to be a while before we know the detail.
Nonetheless, there are already lessons for companies and individuals to apply to their own arrangements. One has to do with the way we think about risk. Humans are notoriously poor at quantifying this, and the Sony hack shows this perfectly.
A commenter to Bruce Schneier's blog posting on this topic pointed out a telling quote from Sony security head Jason Spaltro. In a 2005 interview, Spaltro outlined his thoughts about the tradeoffs a business must make between security and profitability. To wit:
Spaltro offers a hypothetical example of a company that relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, "it's a valid business decision to accept the risk" of a security breach. "I will not invest $10 million to avoid a possible $1 million loss," he suggests.
Earlier in the article, Spaltro also said: "We're trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What're the most important things that are absolutely required by law?"
Two things have gone wrong here. First: Spaltro is the company's head of security, not its business manager or CEO. Second, Spaltro is quantifying the business's risk by measuring its level of compliance with Sarbanes-Oxley. He is not measuring it against the kinds of threats Sony might expect to encounter. Third: there were many more threats than he thought that could cost the company far more than he likely imagined. Maybe we *shouldn't* be sending security people to business school!
Some of his points, such as the one about the counter-productiveness of requiring overly complex passwords, were not necessarily wrong. Again, it comes back to the threat model. If attacker has no access to your offices, not even by Webcam or keylogger, writing passwords on post-it notes doesn't matter; it's insiders who will see those. The better choice is to avoid threats by using a password manager.
The Sony hack shows just how many losses can face a single hacked company: it had valuable intellectual property representing hundreds of millions of dollars of investment; confidential employee information; sensitive customer and partner information; and the film industry equivalent of the diplomatic cables published by Wikileaks. Each poses its own threat to the company's future viability. The irony is that the company's own leaked emails provide the best evidence that it was a soft target, taken down by a crude, bug-ridden attack.
The fact that until now companies that have suffered data breaches have recovered without much damage may have bred some complacency. Target, the most notorious consumer data breach to date, is not suffering from a lack of customers; Sony's previous hacks left it standing. The costs of customer data breaches really fall on the financial industries if customers switch back to paying cash. The depth of the Sony hack should show companies that they have much more to lose than they think. As much, in fact, as their security personnel have been telling them all these years. Let's hope they react by improving their security rather than threatening the media for reporting on their breach.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.