If Walt Disney’s “Guardians of the Galaxy” proved Hollywood’s biggest surprise hit this year, then credit Sony’s “Guardians of Peace” with producing Tinseltown’s biggest surprise hack.
It’s like something out of a movie: larger-than-life characters, A-list stars, mystery, farce, international intrigue, revenge and computer-generated special effects designed to captivate a worldwide audience. There’s no business like show business.
How Sony’s “Guardians” hack over the release of the movie “The Interview” is connected with North Korea remains an open question. But what no one doubts is that Sony’s cyber defenses have been breached in the most humiliating fashion. The company’s networks have been corrupted and its most intimate correspondence exposed.
We are rapidly witnessing and experiencing the accelerating erosion of civil digital society.
But what can serious organizations actually do to protect themselves and their customers in the brutal face of cyber assaults from around the world? The legal answer is, “not much.” The law offers little support for organizations serious about deterring or fending off attack. Domestic digital laws are bad; the international laws are worse. What’s not ambiguous is useless, frivolous, or forbidden.
What’s worse, many countries have laws making it illegal for companies to set up intrusion detection systems that might violate the privacy of the criminals/vandals/attackers themselves. If someone breaks into your office and steals something, you may not be allowed to chase after them and follow them home. Similarly, if someone breaks into your network and steals something, you may not be legally allowed to digitally track them to their home computers – especially if tracking them requires you to cross international borders.
Hackbacks? Forget about it. The idea of virtually punching back at one’s possible attackers is one of the most hotly contested in computer law. Respected lawyers and policymakers vehemently disagree about what level of vigorous self-defense should be legally permissible.
Privacy campaigners will not approve of the idea of giving the government that kind of access to private networks, even networks that are under attack. For that matter, businesses with sensitive data won’t much like the stark choice of either letting foreign hackers steal it or giving the U.S. government wide access to their networks.
From a policy perspective, surely everyone would be happier if businesses could hire their own network defenders to do battle with attackers. This would greatly reinforce the thin ranks of government investigators. It would make wide-ranging government access to private networks less necessary. And busting the government monopoly on active defense would probably increase the diversity, imagination, and effectiveness of the counter-hacking community.
But this is obviously and understandably controversial.
Commentators have argued that cyber attacks on local and global businesses will inevitably increase because the perceived benefits to the attackers clearly and unambiguously outweigh the costs. There’s more and more virtual “shattered glass” on the information superhighways of the Internet. If you’re a global organization doing something that someone somewhere doesn’t like, you and your networks may get virtually mugged and have the data beaten out of your networks and servers. And this is as likely to be true for their smallest customers as for their CEOs.
The unhappy reality is that the Sony case is a signal that, if the rule of law doesn’t radically improve, cyberspace will become a shadow war of vandals, vigilantes and mercenaries – some state-sponsored, others paid for by corporations looking to protect their global interests. It will be ugly. It will be risky. It will be dangerous.
(Michael Schrage, a research fellow at MIT Sloan School’s Center for Digital Business, is the author of the books “Serious Play”, “Who Do You Want Your Customers to Become?” and “The Innovator’s Hypothesis.”)
© 2014 Harvard Business School Publishing Corp. Distributed by The New York Times Syndicate