Episode One Hundred and Eighty Eight: The New Normal 

by danhon

0.0 Sitrep

11:25am on Tuesday 16 December, sitting in Kenny & Zuke’s with something of a splitting headache, ploughing through the email that’s collected over the last few days of being sick with the manflu. I don’t have a fever anymore, but I do have a head that feels like its awareness isn’t quite in sync – almost as if moving my head around has some bizarre lag.

In this episode: a thoroughly unsubstantiated reckon and bag of feelings at a bunch of things that have been going on with corporate information security.

1.0 The New Normal

So, the Sony hacks. You probably know all about those. About the abysmal state of corporate security that Sony Pictures Global had that, thanks to the mediocrity principle[1] (and, you know, our collective experience), we can assume to be more-or-less *normal*. About the way that the hackers have been operating: by uploading material to public servers and then sending journalists links to the material, rather than sending the material to journalists directly, thus getting around any sort of regional equivalent to a D-NOTICE because once the stuff’s out there, well: you gotta report on it, right? Can’t issue a takedown on stuff that’s *everywhere*, and being torrented around. That’s how the internet works, right?

And it’s not like the documents haven’t thrown light on things that *are* in the public interest, like fairly egregious and hard-to-justify pay gender pay disparity. And, of course, things that aren’t *really* in the public interest and just illuminate exactly how certain executives do business. (I mean, have you ever sent an email to someone you’re negotiating with that says “why r u punishing me?”)

Anyway. Via Kevin Slavin, the news that *months* prior to the Sony Pictures hack, an equivalent, possibly state-sanctioned hack of American company Las Vegas Sands Corp[3] at Businessweek (who have done excellent reporting on corporate hacks, like their investigation into the abysmal Target credit card breach[4]).

There are moments – with the recent (hard to verify, to be honest) threat that those who go and watch The Interview in cinemas will be punished in some way, and that Sony Pictures executives must satisfy the hackers’ (unclear) demands – where what’s happening feels just a little bit like the National Anthem opening episode of Charlie Brooker’s Black Mirror, which by this point if you’re American you’re probably sick of hearing about from British people, and if you’re British, you’re silently sniggering at how behind the Americans are in their depressing, deflating and nihilistic depictions of a near-to-present dystopias.

At this point, given what little we know about what’s happening and why with Sony Pictures – is it North Korea? Is just a bunch of hackers in it for the lolz? Who can tell? Does it matter? – does it feel like Amy Pascal or Michael Linton are going to be asked to do something fundamentally difficult to understand or unreasonable, just to make a statement? Because, you know, why not? If you’re going to thoroughly destroy a company, well, why not?

But then you zoom out a bit and you ask: how good is *your* employer’s security? Is it good enough to fend off a sustained attack from an unreasonably motivated and skilled attacker? Is your internal email encrypted? Nobody, no-one and nothing looks good in the cold light of day and without context.

So this is one possible future out of all the ones that lie ahead of us: continual, persistent attacks on that *other* infrastructure that is under-invested in because it’s not well understood. Sure, there’s the cyber-infrastructure (sigh, that phrase) that controls the *physical* stuff.

And here’s the bit where people who’ve been reading me for a while will recognise in that today’s episode has been slowly approaching a quote from Sneaker: it’s just like Cosmo said in 1992: “The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeroes, little bits of data. It’s all just electrons.”

(I know you’d rather me quote that than Sandra Bullock vehicle The Net)

We’ve known what Cosmo has said for a while. But something has changed in the 22(!) years since Sneakers came out where now it’s *undeniable* that the world is run by little bits of data. Sure, the weapons and energy and money still *also* run the world. Megalomaniacs always get preoccupied with zero-sum positions.

Given the extent of the breach at Target, all it takes is a politically motivated actor instead of an economically motivated actor. It was *profitable* to steal 40mm credit card details from Target. But what happens when you have actors who only want to make a statement? Who don’t care about the money? Who can still find their way in through a stupidly unsecure HVAC system running on the same physical network as the EPOS systems?

So this is where we are. Your health insurer. Your bank(s). Your car loans. Your insurance. Weirdly, most of the information that’s held about you that is from *non-traditional companies* – ones that are pre-internet, might even be most at risk. Google gives a shit about your security, even from a principled point of view. Microsoft too. Even Yahoo. These are all technology companies.

But Gap? McDonalds? The different bits of GE? And hey, it doesn’t help when there’s evidence that companies are already being targeted by western intelligence agencies for… well, who knows. But Regin[5] came from somewhere (and it’s hilarious that US-CERT has to issue an alert for it).

The thing about phrases like “info-terrorists” or “cyber-terrorists” is that, from background informed by advertising, at least, they sound like silly, made-up juvenile threats from a dated era. They bring about thoughts of mirrorshades and not, you know, hugely competent state-sponsored teams in some cases with specific agendas in mind.

You can’t see this stuff, but it’s out there. It might be the new normal.

Instead of “NO FATE BUT WHAT WE MAKE” etched into a picnic table, we might just end up with “INFOSEC TAYLOR SWIFT WAS RIGHT” etched into a stone tablet.

[1] http://en.wikipedia.org/wiki/Mediocrity_principle
[2] http://en.wikipedia.org/wiki/DA-Notice
[3] Now at the Sands Casino: An Iranian Hacker in Every Server – Businessweek
[4] Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It – Businessweek
[5] Regin Malware – US-CERT

Best,

Dan