Vistors

Sunday, January 4, 2015

Cyber Security - Are we headed in the right direction?



2014 is over but it seems to have ended by starting an extremely complex, dangerous and a new chapter in ‘cyber security’.

One of the largest media corporations of the world, Sony Pictures Entertainment (SPE), faced an extremely dangerous and sophisticated cyber attack. Large corporations facing a cyber attack is nothing new. Target, ebay, yahoo and our good old HAL, they have all faced cyber attacks but with SPE’s attack, for the first time a nation state is so vehemently accusing another nation state of sponsoring (or harboring) cyber terrorists.

While FBI has formally accused North Korea, their assertion is based on the evidence, that at best can be termed as ‘circumstantial’ and it is not clear as to what kind of legal action can the US government initiate.


One can’t help but wonder that it is because of lack of any possibilities of a legal action, that US is forced to retort, as accused by North Korea, in alternate manner.


The US government anyways is known to take matters into their hands to protect their country from perceived terrorist attacks.

While there is legal ambiguity in that space, technologically speaking, the details of the malware that attacked SPE are available and can be found here.


However, what is still not clear is how did the malware enter into SPE premises. This particular piece is not specific to SPE attack alone. Even in the earlier famous attacks like Stuxnet (on Iran’s nuclear facility) or Shamoon (on Saudi Aramco), it was never completely clear on how did the infection begin.

In theory, yes, we know that some kind of software or human (or mix of both) vulnerability is exploited but that gets covered by so many layers by the time the attack is detected, that it is virtually impossible to back trace it.

Cyber sleuths are peeling off layers from the attack on SPE while SPE is perhaps facing another legal challenge in the form of many class action law suits from its (former) employees, where the plaintiffs have alleged that SPE did not take adequate measures to safeguard their personal information that got compromised as a result of this hack attack. Also SPE delayed informing about the attack.

SPE, in their defense (or perhaps offense), has threatened to sue media companies for publishing the data based on the stolen documents. Although the legal merit of such threats is debated amongst the experts.


Time will tell as to what comes as the outcome of this mishmash of techno-legal battle, but one thing is clear. We are far away from a secured cyber space. Be it the law makers, law enforcers or cyber experts, any one institution can not secure it by itself. In the light of this looming threat, another fear is the tendency of law makers to take regressive steps like curbing internet freedom, which is neither practical to achieve nor any progressive solution.

In reality, only a collective effort that promotes open-ness and a proactive information exchange and adequate skill building is perhaps what will bring out the right solution. 

No comments: