We are all Sony

December 30th, 2014 / Author: John Berard

“Nobody knows anything,” screenwriter William Goldman (think “Butch Cassidy and the Sundance Kid” and “The Princess Bride”) said famously of Hollywood.  The same may be said of enterprise security.  Word now comes that the Sony hack for which the FBI has fingered North Korea may, in fact, be the work of some laid-off and disgruntled Sony staff.  But that’s not clear, either.

It is only when the hacker (him, her or itself) connects the dots between a network intrusion and siphoned data that anyone can be sure.  But even then, hacks are far clearer about the “what” — “Did you see those Obama emails to-and-from Sony execs?” — and far less clear about the “who.”

When it came to the link between the Sony hack and North Korea, the FBI may have felt it had enough information to link the two, but even before the latest report, other, equally savvy engineers said, “no.”  And Sony did itself no favors.  According to security expert Bruce Schneier, “It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won’t end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn’t have to leave so much information exposed. And they didn’t have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.”

Could Sony have better protected itself?  It is a question for every company, campaign or institution relying on computer networks and the people who run them.  When it comes to being hacked, we are all Sony.

Because we are all potential victims, will the Sony hack make us think differently about the NSA revelation of MonsterMind? In Wired’s interview of Edward Snowden is this: “…a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country—a ‘kill’ in cyber terminology.”

The inability to identify hackers with certainty makes such a capability too easily misdirected, but the need to match the ability of hackers is clear.  For too long security has drawn its metaphors from the Middle Ages, what with its fortresses, moats and crenellations. But fixed barriers are false hope in a digital era marked by hyperactive evolution.

The first best chance we have is to see cyber security differently.  Move it from being a line item in a budget to a line of business where working in partnership with security companies now viewed only as vendors creates advances that can be both deployed and marketed to others.  Is it possible that Sony may one day offer security subscription services akin to their online gaming? It and its security providers may not have a choice.

Security companies are already being drawn into data breach lawsuits — even when they are not named defendants or a plaintiff. Getting ahead of what can be seen coming at us makes a lot of sense, but it demands some changes in the way business is done.  It may be time to move from the turf-protecting approach of service level agreements to one more tightly tied to market success.  A business level agreement tied to outcomes could be given more time and attention.

Whatever the approach, the floor is open.  So, too, are our networks.