Just about a year ago my bank debit card got caught up in Target's giant IT security crisis. I never had any fraudulent purchases charged to my account and eventually the bank issued me a new card. As the story behind this mess unfolded it became apparent that Target had failed to take basic and obvious security measures. The network penetration was able to exist for an extended period without detection. It was not some new esoteric piece of fiendish hacker brilliance. The vulnerabilities that they exploited had been known for several years and there were reliable means of protecting against them. The real problem was not the technological challenge, but managerial incompetence. It turned out that Target management had a person as the senior executive in charge of IT who had no background and experience in the field. I haven't been back to Target since.
When these security disasters happen we hear the predictable chorus claiming that it could have happened to anybody. In practical terms that isn't very far from the truth. The vast majority of business corporations do a really lousy job of dealing with IT security. It appears that Sony is no exception.
SONY PICTURES HACK WAS A LONG TIME COMING, SAY FORMER EMPLOYEES
We still don’t know exactly how Sony Pictures got hacked or who did the hacking. But we do know that the security protections the company had in place were a bigger flop than Sex Tape. Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more. To rub in the pwnage, the hackers posted a file called “Passwords” in a new info dump Wednesday.
The new trove appears to include a collection of documents the hackers came across on the Sony Pictures network that had “password” in their titles, and includes digital keys for everything from Sony computers and servers to magazine subscriptions and YouTube accounts for Sony movies. (As much as we’d like to log into This is the End’s YouTube page, we haven’t actually tried any of these passwords to see if they work.) It is generally a bad idea to store all your passwords in a document on your computer. It is an even worse idea to title that document something like “My Passwords.”
“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”
The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president.
This article goes on to detail pervasive failures to take really basic and obvious security measures. It sounds very similar to the pattern that existed at Target and other corporate networks that get penetrated by hackers. So why does this continue to go on? There are a number of reasons to consider, but one of them is the attitude that most people have developed about using computers: if it is easy, convenient and free to use, it must be safe. Things that make life easier aren't supposed to be threatening. Only a tiny percentage of consumers take basic precautions like active password management and regular backups of their files. For most people the risks of a data breach aren't terribly great. If your credit card account gets hacked, you are not likely to have to pay for the fraudulent purchases.
The problem is that most of the people who control large corporations approach the issue of IT security with the same mindset that they use for their personal computer use: it is something that just isn't going to happen, so there is no use spending time and money worrying about it. The important difference is that the risks for a business are enormous. The estimate of the costs to Target for its breach is $148M. Estimates of the costs to Sony are being placed at something like $100M. Yet nothing seems to get done about it.
One possible approach would be some form of government intervention and regulation. This happens in such areas as uniform accounting procedures and environmental regulation. The results in those areas are far from perfect, but they do establish a principle of requiring businesses to operate in a responsible manner with some regard for the public interest. So far the only industry to have significant security and privacy regulations imposed on it is health care. It would take a strong and persistent public demand to overcome the fundamental antipathy of business to any form of government regulation.
There is also another problem with the notion of the US government taking responsibility for general IT security. After the revelations provided by Edward Snowden, it appears plausible that the world's largest and most sophisticated hacker is the US National Security Administration. Despite the claim that they are just there to protect us from terrorists, it is pretty clear that in reality that is at best a sideline. Their vast apparatus has been used not only to collect information about foreign governments and heads of government, but appears to be regularly engaged in collecting information about the business activities of private corporations. It seems likely that some of the back doors they have implanted in software and hardware systems to give themselves easier access have been discovered and exploited by various fellow hackers spread around the world.
As Alice said about Wonderland, "It gets curiouser and curiouser."