Sony is run by a bunch of greedy morons who stupidly left their systems vulnerable to an attack by hackers: This is the conventional explanation of how the company finds itself bent into a familiar pose of contrition, following news that cyber-pirates breached its defenses, potentially gaining access to troves of valuable information -- credit card numbers, email addresses -- for more than 100 million customers.
If only life were so soothingly simple. The Sony data hack and the predictable pursuit of villains carries a dose of false comfort, implicitly affirming the assumption that someone must have fouled up to create such a menace to privacy and commerce; someone must have failed in a readily identifiable way, because this surely can't be the ordinary state of events. But the blame narrative masks an unsettling question: What if Sony did the best it could to protect itself, and the pirates still won? What if the company employed the best defenses available, yet they proved inadequate in the face of a decentralized and proliferating threat?
Sony has captured headlines because it is one of the world's most conspicuous consumer brands, and the recent attacks on its network have been both brazen and successful. But the list of companies that have been targeted by similar plots is lengthy and growing.
Last month, the online marketing giant Epsilon confirmed that hackers made off with personal files relating to customers of Best Buy and J.P. Morgan Chase, among other firms.
In February, officials at Nasdaq, the giant stock exchange, confirmed that hackers penetrated servers used to handle communications for some 300 major corporations. The breach did not affect stock trading, and resulted in no stealing of customer data, Nasdaq said.
Congress and assorted government offices collectively absorb 1.8 billion cyber attacks each month, according to Senate Sergeant-At-Arms Terrance Gainer, as cited by Politico. Over the last five months of 2009 alone, some 87 Senate offices and 13 Senate committees were on the receiving end of emails that contained malicious files, the Politico story detailed.
Russian hackers have been implicated in penetrating Citibank ATM systems to make off with cash.
Last week, as the House Subcommittee on Commerce, Manufacturing and Trade convened to probe the public's vulnerability to cybersecurity breaches, Rep. Mary Bono Mack (R-Calif.) kicked off the proceedings with some eye-catching numbers: In April alone, some 100 million records were put at risk through 30 data breaches at hospitals, insurance companies, universities, banks, airlines and government offices.
The hearing she oversaw was part of a public flaying faced by Sony in the wake of disclosures about the penetration of its popular PlayStation gaming network -- an episode Bono Mack referred to as "the great Brinks robbery of cyber-attacks." Far be it from anyone to dismiss the curative powers of an old-fashioned Washington flaying, but the search for simple villains seems misguided, as if more about sowing feelings of greater security than actual delivering it.
Officialdom ought clearly try to figure out what Sony knew and what it did to protect its customers from harm, holding its executives to account. Inquiry is healthy. But the nature of the inquiry underway seems more theatrical than substantive; an effort to satisfy the public that all is in order by pinning bad outcomes on bad actors, rather than a reasoned inquiry directed at addressing a collective vulnerability.
One cybersecurity expert, Eugene H. Spafford of Purdue University, came before Bono Mack's panel and confessed he had no idea who was actually at fault or what had gone awry, even as he fingered Sony and Epsilon for greedily cutting back on security measures.
"Both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data," Spafford testified in his prepared remarks.
How did he know that? "I have no information about what protections they had in place," he said, "although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."
None of this is to exonerate Sony, Epsilon, or the other companies that have been penetrated by the apparently growing legions of hackerdom. Let us hope that experts continue to probe for weak points and advocate that gaps be plugged as they are identified. If the culprit proves to be an unwillingness to spend on security by the companies entrusted with our personal information, bring on Congressional compulsion.
That said, there is a uncomfortably familiar quality to this narrative, a reflexive assumption of prescribed roles: Congressional inquisitors and investigative reporters taking on the chiefs of wayward corporations, as if the problem can be solved by identifying the villain. (Indeed, Sony and Epsilon both stepped right into their assigned roles as their executives opted not to show up for the ritual excoriation before Congress.)
We saw this last summer, amid the disastrous oil gusher in the Gulf of Mexico, as BP and its contractors all pointed fingers at one another, trying to stick the other guy with legal liability. Here was a case where blame and media scrutiny were not only justified but productive, an instance where the companies appeared to value their own bottom lines over the safety of their workers and the sanctity of the environment: The disaster could presumably have been avoided had BP and its contractors operated more carefully, maintained their equipment and heeded warnings of danger.
When planes crash, it is logical to assume that something terribly unusual happened and press to identify what precisely failed. When toxins pop up in the food supply and kill people, here, too, the search for a malefactor aligns with the public interest.
But given the ubiquity of the threat involved in the issue of cybersecurity -- 1.8 billion attacks on government offices a month! -- these breaches seems less like an oil spill or a plane crash or an instance of food poisoning, and more like a situation where the available brainpower and technology may simply not be up to the task of providing protection. The threat may be so diffuse and sophisticated that there are no products that can fully safeguard the data.
Consider the abundance of cyber-crime and the blame game seems not only unfair but even dangerous, a diversion from the serious process of collectively coming up with counter-measures. The search for a villain is more about feelings than security, a way to tell ourselves that we are not at risk. This is human. We hear someone got cancer or died in a car crash and we have questions that are really attempts to assure ourselves that there are ways to avoid a similar fate: Was he a smoker? Had she been drinking before she got behind the wheel?
Sony and Epsilon and the other firms in possession of our vital information -- where we live and how to reach us; what medicines we take, and how much money we control -- may be staring at such a complex assortment of threats coming from so many different angles that the traditional mode of accountability may be effectively bankrupt.
In children's stories, wicked witches can be melted into puddles, their black magic defeated -- night-night, sweet dreams.
In messy grownup reality circa 2011 –- and especially in cyberspace -- threats mutate and evolve. Sony and Epsilon may be less the villains than fellow victims, part of a modern society that has entrusted its most valuable gold -- information -- to a frontier that has so far proven beyond taming. That argues not for a blame game but for a sustained process of inquiry aimed at delivering effective policing.