The attack on Sony and The Interview and the odd events that followed have looked a lot like a Coen brothers movie. But the affair has left us with a lot of evidence that forces, including both inside the industry and the U.S. government, are failing to deal with real and serious threats as attacks by a range of sources–governments, revolutionaries, criminals, punks, and who knows what else–are hurting the internet.
Let’s review what happened. The Seth Rogan-James Franco comedy (I admit I am no fan of the two and have no taste to see it) featured a U.S. assault on North Korean (DPRK) that ended with the stars having Kim Jung-il assassinated. The DPRK was greatly annoyed and demanded the cancellation of the movie.
About 10 days before the scheduled Christmas release, a flood of Sony information, including hundreds of thousands of emails, was released. The U.S. government says it has proof the DPRK government carried out or approved the attack as a response to the film — though has presented no evidence of it. The Guardian of Peace, the unknown thief of the Sony records, added a threat to attack anyone who attended The Interview. Sony cancelled (only temporarily, as it turned out) the showing of the film and Paramount, in one of the most bizarre events of the affair, added the cancellation of Team America: World Police that some theaters offered as a substitute.
Then Korea’s restricted internet services and wireless data services were shut down. The DPRK thought the U.S. government, led by the “monkey” Obama, was behind the attack. The U.S., of course, said nothing.
Web attacks. To round out the attack, the internet service of Sony’s PlayStation and Microsoft’s Xbox were blocked by a group called LizardSquad. Although they tried to claim a connection with the Sony affair, Brian Krebs (if you are interested in issues of network attacks, I strongly recommend following KrebsonSecurity) wrote:
Various statements posted by self-described LizardSquad members on their open online chat forum — chat.lizardpatrol.com — suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts.
The attack on Sony’s information and Korea’s internet access may or may not have something in common. But the point is that it is time for governments–the U.S. and others who wants serious communication–and businesses to create and enforce some rules that allow internet communications to run properly.
Mail, phone, and email. An important rule is to bring the use of the network under the sort of guidelines that have long governed other communication. In 1929, Secretary of State Henry Stimson declared, “Gentlemen do not read each other’s mail.” Though he has long been ridiculed for cutting back on government interpretation and decryption of messages, he actually stated a declaration of civility. To this day, government needs a warrant to read anyone’s mail and there is no way for individuals or businesses to do it legally with or without a warrant.
When telephones came into use, the privacy of mail was extended to phone conversations. Even with the government’s ability to snoop on phone conversations post-9/11, there are still broad protections of domestic calls and continued prohibition of privation invasion. [pullquote]It was fun to read Sony’s stolen email about stars, but the effort of Sony lawyers to block the distribution should have had some legal force.[/pullquote]
But we have never been similarly protected with internet communications. Businesses are prohibited from reading employee’s letters (once sealed mail) or monitoring office phone calls, but email is regularly monitored and stored. It’s far from clear who benefits. It was fun to read Sony’s stolen email about stars, but the effort of Sony lawyers to block the distribution should have had some legal force.
Furthermore, we need some serious legal efforts on issues such as the shutdown of the Playstation and Xbox service–or of internet services in general. There are, of course, laws prohibiting these violations and enforcement by the FBI and the Secret Service (the Homeland Security Dept. overseas some violations, particularly those involving finance), but there’s not much evidence they care or focus very much. For better or worse, the terrorists that dominate enforcement are not serious internet attackers.
We also need to put an end to international internet attacks. The FBI is convinced North Korea had something to do with the original attack on Sony, although it’s done nothing to prove the claim. Blocking Korean attacks may be impossible by law; there doesn’t seem to be any punishments we can add short of actual warfare.
Protect the messages. I am more concerned by the charge the U.S. responded by shutting down Korean internet contact for a couple of days, a charge which the FBI has said nothing in response to either the attack on or the PRKA claim the U.S. government was responsible. So far, it remains unclear who did it. “If the U.S. government was going to do something, it would not be so blatant and it would be way worse,” said Dan Holden of Arbor Networks to Bloomberg. “This could just be someone in the U.S. who is ticked off because they’re unable to see the movie.”
I’ll go further: It would be wrong for the U.S. to respond to internet attacks with its own counterattacks. Without going into the ethical issues, it’s obvious the U.S. stands far more to lose than gain from playing this game, with the U.S. vs. Korea a prime example.
It is far too late for the U.S. government to end the widespread breakdown of internet privacy. In fact, we are having trouble enough preserving the evidence of mail and voice services. But Congress and the Administration should do what it can to protect both the privacy of email and attacks or attempts to block internet access. Business should join the fight, even if the cost is exposing its own efforts to spy on both employees and competitors, domestic and international. What we are losing involves far more lost than gain.
My impression is that many companies are shockingly stupid or unconcerned about protecting themselves from attacks. Sony’s policies cost them 100 terabytes of information! If you go on vacation for a week and leave the front door of your house open the whole time, you’ll probably come back to an empty house.
Absolutely. I really didn’t have room to get into a discussion of the corporate role, but many of them do a terrible job of security. Combine that with their insistance of saving a copy of every incoming and outgoing message forever and they create a massive target for attack.
Saving a copy of every incoming and outgoing, as well as internal, message, is a requirement in these days of Sarbanes-Oxley and similar laws. Corporate lawyers don’t know what the absolutely must save, so they save everything, just to be safe.