Sony, the principles of a free market, and why threat intelligence alone isn't enough
Following the Sony breach, President Obama is preparing legislation and security initiatives intended to help strengthen the security of the US and companies that operate here. While it is good to see this issue brought to national attention, it’s hard to see how these proposals will actually lead to a stronger security posture for a few major reasons.
1. The Dangerous Precedent of Sony
The attack on Sony Pictures late last year was handled terribly by the government. Instead of telling Sony to handle it themselves, the government stepped in and investigated the issue on Sony’s behalf, eventually flinging a variety of accusations towards North Korea that many in the security industry suspected were at best partially true. Only well after the fact did the government reveal that the attribution of the attack came from NSA intelligence.
The government’s reasoning for their reaction was that the incident was part of an international attack on Sony, and they believed they had a duty to respond to international cyber warfare. It’s hard not to find that a bit curious, as numerous other attacks have shown evidence of international involvement (for example, the recent Target breach had various ties to Russian programmers) and the government did not step in then, so why should it now?
Aside from being a basic breach of the free market principles of our economy, the response to the Sony breach sets a precedent for any other company that gets attacked to offload its troubles onto the government to fix. As long as the attack could possibly be tied to a rival nation-state, companies can now claim the Feds should take over, and walk away. With that kind of backup plan ready to go, does anyone think these companies will actually bother to invest much in improved security on their own?
2. The Failure to Properly Incentivize Security Improvement
While the President’s proposals do touch companies (mostly by increasing the available cybersecurity workforce), they fail to change corporate behavior in any meaningful way. The only way to get companies to change their behavior significantly is to affect their profits.
Traditionally, the American economy has relied on the free market to do this. This line of thinking holds that if a company is doing something wrong or improperly, the market will punish that company by not buying whatever it is selling. If a company prices its goods too high, nobody will buy them. If a company acts in a way that makes customers angry, that company will suddenly have far fewer customers.
The problem of security as it stands is that the market alone isn’t doing this. Companies that have been the victims of major data breaches have actually seen their profits rise. Sony managed to turn what would have probably been a disappointing box-office performance for The Interview into a whole new source of revenue in day-of-release streaming sales. Target managed to hit record sales and stock values after their breach.
When the market itself won’t act, the government can and should step in. One of the biggest failures of the President’s proposals is the failure to properly incentivize security. While most of us in the industry know the value in being properly secured, the free market, consumers, and the companies themselves cannot be trusted to value high security in the same manner. By utilizing economic externalities, the government can properly incentivize companies to enhance their security in a way that they will actually act upon.
To develop these, the government could model the program on the efforts to get companies to adopt Green Energy. By taxing companies that failed to clean up, while simultaneously offering subsidies and tax incentives to companies actively working to use greener energy, the government leveraged externalities in a manner that could either positively or negatively affect the profits of a company. If the government were to take the same approach to security, by taxing companies that fail to strengthen their postures while also subsidizing additional security efforts, one can only assume companies would be much more eager to toughen up.
3. The Details of the Threat Intelligence Sharing Plan
One of the cornerstones of the President’s plan is increasing the sharing of threat intelligence between the public and private sectors, which seems like a good idea, but in practice may have some major complications that need to be considered first. A communications network needs to be established with protocols on how threats are shared and when. The details of this need to be carefully considered ahead of time, and adjusted as the program continues.
To examine the complications of this issue further, let’s look again at the recent North Korean attack on Sony. The most recent development in that story is that the US government’s attribution of the attack to North Korea came from the NSA being active within North Korea’s network. While this has raised much speculation, it also shows a few important things. First, the NSA supposedly had knowledge of suspicious activity for months prior to the attack and did nothing to warn Sony officials. Then again, let’s picture a hypothetical situation in which they knew Sony was being targeted a month ahead of time and did warn officials of the threat. Sony was initially attacked on November 24, 2014, so hypothetically, the NSA could have shared this information with Sony in mid to late October. What could Sony have done with this information? Clearly, judging from the extent of the data leaked after the incident, the security problems were widespread. One month would not have been enough time to act fully, since Sony clearly lacked a mature security program in the first place (something that externalities such as taxes and subsidies would address).
Even then, if a company has a full security program in place, and the proper communication channels exist, what else could go wrong? As discussed in a previous SecureState blog post, the “Falling Rocks” problem is already widespread in security. Not a day goes by without another vaguely worded article showing up online, warning about some very loosely defined threat from the outside. One of the biggest problems this new threat sharing plan could face is a similar predicament. If all of the information shared over this network is vague and uninformative (something like “Sony will be attacked soon”), eventually everyone will just start to ignore it.
For this threat sharing plan to work, the information shared needs to be as specific as possible about the nature and timing of the threat, and include actionable tactical plans for increasing protection ahead of the attack. The more specific, the better, or else this sharing plan risks becoming the cyber security equivalent of the National Terror Alert level, which is largely ignored.
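To make the difference between vague and actionable intelligence concrete, here is an added example (not code from the original post or from SecureState) of a consumer-side triage check: it accepts a shared advisory only if it carries machine-checkable indicators, a bounded time window, and concrete defensive actions. The advisory format (`indicators`, `window`, `actions` fields), the sample advisories, and the indicator values are all constructed for illustration; a real sharing program would use a standardized schema rather than this ad hoc one.

```python
"""Triage for shared threat advisories: accept only specific, actionable ones.

Added example, not part of the original post. The dictionary format below is
an assumed illustration, not any real sharing program's schema.
"""
import ipaddress
import re
from datetime import datetime, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
MAX_WINDOW_DAYS = 30  # beyond this a "window" is too wide to plan against


def valid_indicator(ind):
    """True if the indicator is something a defender can actually match on."""
    kind = ind.get("type")
    value = str(ind.get("value", "")).strip().lower()
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if kind == "sha256":
        return bool(SHA256_RE.match(value))
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    return False


def assess_advisory(advisory, now):
    """Return (actionable, reasons). `reasons` lists what is missing or vague.

    `now` is a timezone-aware datetime so results are reproducible.
    """
    reasons = []

    # 1. Specific indicators: at least one that parses as an IP, hash, or domain.
    if not any(valid_indicator(i) for i in advisory.get("indicators", [])):
        reasons.append("no machine-checkable indicators")

    # 2. Timing: a bounded window that has not already closed.
    window = advisory.get("window") or {}
    try:
        start = datetime.fromisoformat(window["start"])
        end = datetime.fromisoformat(window["end"])
        if end < now:
            reasons.append("window already closed")
        elif (end - start).days > MAX_WINDOW_DAYS:
            reasons.append("window too wide to plan against")
    except (KeyError, TypeError, ValueError):
        reasons.append("no concrete time window")

    # 3. Tactical plan: at least one non-trivial recommended action.
    actions = [a for a in advisory.get("actions", [])
               if isinstance(a, str) and len(a.split()) >= 3]
    if not actions:
        reasons.append("no recommended defensive actions")

    return (not reasons, reasons)


# Constructed samples (hypothetical content, documentation-range IP, placeholder hash).
NOW = datetime(2014, 10, 20, tzinfo=timezone.utc)

VAGUE_ADVISORY = {
    "source": "hypothetical-agency",
    "summary": "Sony will be attacked soon",
}

SPECIFIC_ADVISORY = {
    "source": "hypothetical-agency",
    "summary": "Destructive wiper campaign staging against media companies",
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.45"},
        {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"type": "domain", "value": "update-check.example.net"},
    ],
    "window": {"start": "2014-10-25T00:00:00+00:00", "end": "2014-11-24T00:00:00+00:00"},
    "actions": [
        "Block the listed IP at the perimeter and alert on any connection attempt",
        "Sweep endpoints for the listed hash and isolate any host where it is found",
        "Verify offline backups of file servers can be restored within 24 hours",
    ],
}

if __name__ == "__main__":
    for name, adv in (("vague", VAGUE_ADVISORY), ("specific", SPECIFIC_ADVISORY)):
        ok, why = assess_advisory(adv, NOW)
        print(f"{name}: {'ACT' if ok else 'IGNORE'} {why}")
```

The three checks map onto what the paragraph above asks for: the nature of the threat (indicators), its timing (window), and a tactical plan (actions). An advisory that fails any of them is exactly the "Falling Rocks" noise a recipient will learn to ignore, so rejecting it up front keeps the channel credible.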
While we are quick to highlight the major gaps in the President’s proposals, the beginning of this conversation and the proposal of security initiatives at a national level can only be seen as a good thing. With some more careful thought and consideration, the government has a massive opportunity to alter the security landscape in lasting and meaningful ways. The current proposals, though, are just not enough. Getting companies to take security seriously while also establishing a communication network for threat intelligence sharing is not a simple task, but if properly executed it should make this country stronger as a whole.