Instead of talking about what Sony Pictures should have done, we need to look in the mirror: Where was our support for Sony? What are we willing to do as a society that cares about free speech?
There has been a lot of advice and pontificating directed at Sony, ranging from every marketing flack (including this one) at a security vendor to the president of the United States.
But I don’t think we’re focusing on the right subject. Instead of talking about what Sony Pictures should have done, or should do, we need to look in the mirror: What are we willing to do as a society?
I’m willing to say that I’ll go see this movie, support Sony, and more so, not sue anyone involved should the worst come to pass. If you care about free speech, here’s why you should too.
First, why Sony alone could not have done anything to prevent some form of hack attack
Even as someone in the security business for over 15 years and who believes that companies should invest much more in effective detection and response to handle active/advanced attackers on their networks, I don’t believe Sony Pictures alone could have done anything to prevent a very negative outcome.
No specific technical measure would have prevented the intrusion, or some massive form of data theft and damage. Persistent attackers would have worked their way around any such measure.
What Sony probably could have done was invest in better tools and processes for active breach detection within the network instead of alerting on simple technical artifacts (i.e. the presence of malware or IOCs, Indicators of Compromise), which tend to be very noisy. If they had been able to ascertain that there were advanced attackers operating within the network much earlier, and been able to understand the severity of the threat, they could have brought in the FBI and outside investigators before damage had been done.
This is technically feasible because advanced attacks such as this one are measured in weeks and months, even years. Attackers spend significant time gaining knowledge about the internal network (reconnaissance), and expanding their footprint (lateral movement). They take time to identify the targets of value, and in cases like this, to determine what kind of payload won’t be stopped by the existing tools in place. This activity can be detected by the correct tools and processes, but is by no means standard across the industry.
But even with such knowledge, if this was in fact an attack from North Korea, Sony Pictures could have done little but push the attackers back. They might have been able to slow their advance, perhaps remove their beachhead, but would have assuredly faced another incursion, another advance, another compromise of their systems. Short of disconnecting from the Internet and ceasing business, Sony Pictures, acting alone, would have remained exposed.
This cat-and-mouse game might have bought Sony enough time to release the movie on schedule before the “Guardians of Peace” were able to detonate the final stage of the attack. Perhaps at that point the attacker would have given up, since punishing Sony after the fact would look much weaker than what actually occurred.
But, against a nation-state, alone, Sony would have ultimately lost if the attack continued to be pressed – unless they were able to get the U.S. government to truly help.
So, in short, the attack happened and was almost certainly destined to absent earlier detection, escalation to the government, and intervention on Sony’s behalf.
Why we shouldn’t be disappointed that Sony cancelled the movie last week
I’ve read and initially agreed with all the various outraged pieces decrying the cancellation.
But where was our support for Sony? Why did no other studio stand with them and offer to help with distribution at the very beginning? Why did the motion picture association do nothing? Why did we, the people, not pledge to see the movie, and pledge not to sue every theater chain operator and movie studio should a physical attack occur, especially given the low credibility of that threat?
Instead, as a society we did nothing but hide and perhaps vent a little spleen in outraged op-eds. And of course we eagerly clicked on and read all the salacious details from Sony’s internal memos.
Why should Sony Pictures have stood alone, an easy and isolated target? If we felt this was an attack on our freedom of speech, where was our unified action to defend it? If we were unwilling to do so, why should we have expected Sony Pictures to do any better?
I say Sony Pictures was right to cancel the movie. But unfortunately that is a reflection on our society as a whole, and not on Sony Pictures alone.
Now, we should rectify what went wrong and see this movie: Will you?
The views expressed are of the author.
Geektime invites global tech and startup professionals to share their opinions and expertise with our readers. If you would like to share your point of view, please contact us at firstname.lastname@example.org.