The FBI told Sony they didn't know if the theaters were safe. Seriously, WTF are we paying them for if they can't tell us, with absolute certainty, that our theaters are safe from terrorist attacks on Christmas? That's not very comforting...
So what I'm hearing is, we have no confidence in our national defense, and no ability to prevent, mitigate, or even simply deter these increasingly brutal cyber-attacks... Yeah, actually the last thing I'm worried about right now is CISPA. Like it or not, network defense just became a national security prerogative.
OK, so that's the counter-argument right? So this has been very well played and I don't see how you derail it now.
Are you kidding me? You expect that if the FBI can't say with absolute certainty that all 40K screens in the US are absolutely safe from terrorist attack on Christmas that they've somehow failed us?
They'd have failed us if they could state that with certainty, IMO. Because either they don't know what certainty means, or they'd have frivolously wasted such a massive amount of money securing a soft and nearly useless target. What's next? Food courts? Mall parking lots?
Society simply cannot afford to provide absolute certainty, nor would I want to live in a world where that was the goal. Imagine the surveillance effort and intrusion into your personal life that would be needed to prevent you from carrying out an attack at a time and place of your choosing that the media would call terrorism. Now multiply that by 300 million people. You'd likely need over half of the population to be trusted and in law enforcement and you still wouldn't have certainty...
You think it's too much to ask for the FBI to be able to stand up and say that this particular threat of violence, which feels like little more than chest-pounding script kiddies, is not credible?
My initial reaction was the physical threat was little more than a joke. The FBI and Homeland Security do need to be able to give proper guidance on credible and non-credible threats, and I think in this case in particular, it's a good example of something which I really would have hoped they could have explicitly labeled as non-credible.
Or to state it another way, if the accepted reaction is that we actually have to treat threats like this as credible, if attackers start spamming these threats, are we just supposed to shut it all down?
What companies are looking for is a liability shield, and a public reassurance that they can use as a backstop for disregarding the threat. Otherwise they have no choice but to cave in. So I think we depend on the FBI in specifically these cases to provide that level of assurance.
I agree with your premise though: there is no possible way for society to have absolute certainty of the validity of something so vague as the threats issued. To cave to those demands is absurd.
(full disclosure: I work for a company that owns a large number of theater screens, though not within that department. These are my personal views.)
This is an argument that frustrates me. I don't mean to directly imply that parent feels this way, but there is this idea that our government can provide true assurances of our safety. But in a free society (or any) that's just not true.
This idea isn't helped at all by the government pushing that they can, if we just hand over one more freedom, or give up one more bit of privacy.
There is nothing that can guarantee safety from violence. Nothing. The FBI, NSA, etc., when not spying on us for no reason, do seem to keep us safer than we might be without a degree of diligence. Police forces do seem to, in general, care for public safety. But of course the FBI can't guarantee that tens of thousands of theaters are completely safe from violence - and to think otherwise is to be permanently afraid, and to always be looking to Big Brother to assail your fear.
Having spent time deployed, I think a lot of Americans might be conditioned to seeing immediate(ish) responses to threats via Drones, SEAL team 6, Ranger Regiment, whatever. The nature, and future, of Cyberwar is something that's fundamentally different from what we've seen broadcast on CNN over the last 13 (soon to be 14...15...) years. A response to North Korea (though I'm not truly convinced that they're the lone perpetrators) might not be something that pops up in The Situation Room with Wolf Blitzer or trends on Twitter.
I agree it's very early days. I think what I'm fixating on is that we now live in a world where the US government needs to formulate a response to a business hacking. I mean, not a civil but actual military response.
I think this is a reality that even the Top 1% of commercial networks are simply not prepared for. There won't be any lag when more crucial services come under attack.
White House homeland security and counterterrorism adviser Lisa Monaco: As the volume, frequency and intensity of cyberthreats increase, Monaco’s biggest fear is intrusive threats turning destructive. She called cyber “one of the gravest national and economic security threats we face.” [2]
[1] - http://www.washingtontimes.com/news/2014/dec/18/white-house-...
[2] - http://www.fedtechmagazine.com/article/2014/12/white-house-w...
So I guess to touch back on the parent thread, it's not that we're not capable of responding...it's that we haven't invested the intellectual capital to formulate what an appropriate response should be.
Further the actual damage in this case is quite minor. Some of Sony's private business dealings were made public and some employees were embarrassed, but what other harm could you possibly see? Businesses have been online for 10-15 years now and computer security has improved dramatically over that time. We're not in any new era of capability, though with the amount of hysteria over this we may be in a new one mentally.
The only real threat is in our government marching towards totalitarianism by enacting invasive laws and spying on its populace in bulk. Unwarranted fear like yours is what enables that.
I think these attacks could be reduced by holding companies financially responsible. First, insurers shouldn't be allowed to exclude terrorist attacks in their policies. Second, forcing arbitration or excluding class-action should be unenforceable in a contract. Third, we could establish clearer standards for what constitutes negligence in IT.
edit: And this might be a good time to discuss making software engineers actual licensed professionals and forcing companies to use them.
I think it's likely that fallout cost from this breach will cost Sony hundreds of millions of dollars. It's almost an existential crisis the amount of damage this hack has done. The information disclosure was complete. The hackers took a scorched-earth policy on the way out. They got hit mind-blowingly hard. I do have sympathy with the house of pain they are in, and I don't think they need any more financial incentive than what they are already looking square in the face.
I don't think the story here is about negligence in IT. Even Google has been hacked very badly in its time. There are two kinds of companies, the ones who have been publicly hacked, and the ones that just haven't discovered it yet.
The real story here is we are seeing an escalation in cyber-warfare. This is not "hacking" in any sense. This is extortion, humiliation, and subjugation. It's very sad to watch.
uhhh terrorist attacks and terrorism are, by definition, "not very comforting" and in many ways are impossible to stop, thus the word "terror" that is used so prominently in their constructions.