Sunday, December 28, 2014

The Interview and Fed Responsibility

As SONY attempted to correct its earlier decision of not 'releasing the movie'; what is required of Americans is to flock to watch the movie and assert our freedom of speech. I enjoyed my viewing using Google Play on Christmas Eve on the beautiful West Coasts of Fort Bragg; the same coast threatened by North Korean ICBMs.

The movie is nothing great. The picture it portrays of Americans as generally ignorant and unaware of things happening in rest of the world is by and large plausible. But the whole movie continues on this dumbness of audience. Perhaps those who are familiar with Bollywood movies can readily recognize such movie making and would not find 'the dumb audience' assumption so out of place. Mercifully, the movie is not long. For other critical reviews, one can read here and here.

The movie raises few important questions.

First, about hacking and cyber security. Clearly SONY's protection of its digital assets (essentially everything what it creates) and it's digitized information has been very poor. As a profit making company, it clearly failed its share holders by not adopting a stronger digital security regime. However, such problems are not limited to one single global corporation. Most publicly traded companies as well as other big organizations are more or less in the same boat. No wonder cost of digital security breaches is pegged already at around Half a Trillion dollar. As more and more our Economy depends on Digital Products and assets, it is bound to surpass a Trillion dollar mark soon, probably within a decade or so. Global Capitalism is only now waking up for the true challenges posed by 'hacking'; blissfully assuming it is all State Responsibility so far.

Imagine a big hacking attack on Gazprom of Russia or ICBC of China or Saudi Armaco of Saudi Arabia or Petrobras of Brazil. (There was one such cyber attack on Saudi Armaco in recent years.) In each of these nations, attack on these state owned public companies will be regarded as sovereign cyber attack. The political pressure in wresting control of Internet on national basis will be unstoppable and right there 'fragmentation of open, global Internet' would start. Among global corporations, only Banks (especially American Banks) seem to have invested continuously to digitize operations and secure those operations all along. Most non-banking corporations seem completely vulnerable. Even company like SONY for which only assets are it's digital creations; its digital security is all too porous. Beyond corporate data, hard assets like oil and gas pipelines, industrial automation (Stuxnet!), water grids, electrical grids and telecom / broadcasting grids; all are susceptible for cyber attacks

Question is what can be done. One way is Silicon Valley way - keep pouring money in cyber security start-ups. But it is wild wild west chase here with no guarantees of finding any 'holy grail' of digital security. Besides, the problem is inherently difficult to address - how to secure data when there are practically infinite ways in which one can reach data to destroy or steal it (because data without data movements in and out of that 'data sink' is of no use and does not exist). Sure there is money to be made here and Valley VCs will ensure that effectively there are no dollars left behind on the table so far as cyber security goes. But again there are no guarantees.

Another way is companies with cyber empires, mostly American companies like Amazon, Google, Apple, Facebook; but upcoming non-American companies like Alibaba as well; undertake more co-operation with Federal Government as well as international agencies to keep intact open global Internet structure while making it more secure. Since these companies have maximum stake in retaining secured open global Internet; these companies need to take lead and spend as needed to fashion a uniform response.

Finally, Congress needs to make necessary legal amendments to put in foundation which makes secure cyber possible. For example, before the world of SEC; corporations were lax in security trading. Today we cannot imagine a public company without a vetted audit. But one has to understand that all those regulatory requirements which we take it for granted were imposed on industry by State (do you hear any more noise about Sarbanes-Oxley Act?). In the same manner, may be time has come where 'data security audit' of public corporation is mandatory. Or else liability insurance premium for such corporations should skyrocket. Congress needs to formulate all such policies and pass necessary laws. But one cannot be much hopeful here considering interests of GOP dominated Congress. (Where are the leading lights of GOP? Nowhere so far as cyber security is concerned. All the brain power of GOP is busy in institutionalizing snake oil mechanics of dynamic scoring when many in GOP themselves are wary of 'tax cuts for everything' policy.) 

The second issue SONY hacking exposes is what should be the government responsibility in underwriting security when cyber attack linked threats are made to private companies. Sure, SONY chickened out in releasing the movie in theaters. But part of the reason was SONY was not sure about its protection when an American Movie Theater would be blown up and hundreds of Americans would die in that physical world terrorist attack. Legal liabilities and reputation loss would have completely wiped out SONY in that eventuality. That is where we stumble upon the missing piece - it was all right for President Obama to call the bluff of SONY in not releasing the movie; but it was precisely required from him as the Commander-in-chief and nation's leader to keep some record straight and make it explicit Fed's security underwriting. As many have noted, indeed American Government does so in many industries. While being coy about what State needs to do but to pillory SONY for being coward - that just seems a cheap trick to solicit clapping from chest thumping Republicans. (You got it - Nationalism, Patriotism, Freedom of Speech, Right to make any movie we want or our Right to watch any movie we want: once such hoary phrases start flying, like a moth to a flame; all these Republicans started jumping on the bandwagon of SONY criticism.) Again, one appreciates President Obama's forthrightness in pointing out where SONY failed; but politically the heavy lifting is left out. That Americans understand, if they want their rights to be preserved, just trotting guns is no use; but occasionally they can be victims of these cyber terrorist attacks as well. The political bulwark which President Obama does not seem to be undertaking is education of America that it has to take the lead in securing global cyber world.

For decades, American Navy guarded Oil tanker passages all over Earth's oceans to guarantee that wheels of global commerce continue to flow. Now is the time for America to do so again in the Cyber World. It is as much a political task as legal and technocratic. With a solid start to his fourth inning, President Obama has an enormous opportunity and duty to lead America in laying down foundations of global cyber security for all and for ages to come.

No comments: