After the devastating hacks perpetrated against Sony Pictures much has been made of North Korea’s involvement. I’m not yet sold on North Korean origination for a number of reasons. As Dave Kennedy noted on Twitter, Sony’s sizable March layoffs included a fair amount of the IT staff, which is a great way to breed weaponized animosity. Add to that this excellent post by Marc Rogers, “Why the Sony hack is unlikely to be the work of North Korea.” But hey. We’re going with North Korea as the perpetrator anyway, according to the FBI press release. So for the purposes of the rest of this post let’s assume the FBI is correct and North Korea is behind the hack.
President Obama has vowed a response directed at North Korea “in a space, time and manner that we choose.” So we’ve now gone from an FBI response all the way to nation-state actors. This is some pretty thorough bullshit. Let me explain why.
The first response to the Sony hack that I see is that “this is a free speech issue.” “North Korea interfered with the ability of Sony and their content creators to speak freely by showing their movie, and the government must respond to protect it.” Here’s the problem: this isn’t a free speech issue. Free speech doesn’t include the ability to create and broadcast without consequences; in American context, free speech is the ability to communicate without government interference. Consequences have always been a part of the nature of speech.
Consequences arising from the Sony hack already have well-established, long-hallowed remedies: those in civil and criminal court. These are the same remedies offered every other company, corporation and person in the United States. Were a foreign dissident hacked in America (it happens regularly) doubtless that would warrant a criminal investigation by the FBI. But we wouldn’t see Obama up on television getting ready to act on the federal and international level. It’s incredibly troubling the attention that a corporate entity is getting that is routinely denied to dissidents of all stripes. The message from the US government is: “We protect corporate speech. Individuals are largely on their own.”
We have the Computer Emergency Readiness Team in the Department of Homeland Security to analyze, reduce and respond to cyber threats and incidents like Sony’s hack. What we also have is a pervasive corporate lobbying environment utterly hostile to government cybersecurity standards. Every time the government tries to make more stringent standards mandatory the corporate entities involved appeal to the politicians they’ve contributed to on both sides of the aisle to water it down or kill it. So we’re left with a largely voluntary cybersecurity framework that helps set us up for instances like this. But now that an incident’s happened one of these same corporate entities is basically appealing for an international response, and it feels a bit like scammed Bitcoiners demanding FBI action to recover the money they pumped into an intentionally opaque, extragovernmental currency system.
And let’s be clear: Sony’s ground to an electronic halt not by consequences of speech but by its own bad digital hygiene. Of course the response to bringing up Sony’s own practices is that I’m victim-blaming. To bring victim-blaming into this we need to treat the corporation as a person, and that’s also bullshit. Sony Pictures has a clearly stated duty to stockholders (among others) to firm itself up against attacks like this as a simple matter of good business. It’s the legal responsibility of a legal entity, not an anthropomorphized construct requiring consideration of its personality and circumstance. Sony had a legal requirement to protect itself and it failed. This isn’t victim-blaming but requiring an organization to engage in Best Practices-type behavior in order to protect shareholders, employees and customers.
This is where the hack morphs from a speech issue to an economic one: the idea of moral hazard. Moral hazard occurs when someone takes risks they otherwise wouldn’t have when they know that someone else bears the burden, often a government. It was writ large in the 2008 financial crisis when we realized that investment banks were assuming massive leverage and insurers were handing out insanely large policies (credit default swaps) and depending on the government to bail them out when it all soured. Is Sony entitled to nation-state action as a remedy to the consequences they’ve faced? Of course they’re not. Sony’s losses are what corporate insurance is for, in worst case scenarios. Not a presidential address or an international reaction. Because insurance policies are not only triggered by consequences, but possess their own: failure to adhere to conditions such as adopting cybersecurity best practices invalidates the policy. There is no entitlement in an insurance policy, it’s purely a business transaction. The taxpayer does not bear the burden of being Sony’s “protector of last resort.”
And the idea of the US acting in order to protect the corporate speech of a Japanese company administrated from Tokyo is almost as enraging as acting to protect Sony when they’ve been busy threatening websites, newspapers and other entities with legal action over reporting related to the hack. Sony may even have launched cyberattacks of its own, trying to overload websites hosting the leaked data.
What’s my proposal, then? Exactly what I offered above: the same civil and criminal remedies at law offered to every other individual and company in the United States. An FBI investigation for sure, but good lord, keep the State Department dogs of war harnessed good and tight.