“There is no overall Strategy in the departments of IT,” reads one 2012 internal evaluation from within the Information Technology department at Sony Pictures. “Unfortunately my department which is supposed to be in the front line of progress is actually close to obsolete,” reads another. These evaluations, leaked as part of a devastating data breach, paint an ominous picture for the ongoing cyber-attack against Sony that has rocked the entertainment industry, and that even has implications for American foreign policy as North Korea appears to be the likely (or at least a likely) perpetrator of the attack.
It might seem odd that a company as large and as cash-rich as Sony would find itself in the middle of a massive data-security breach. However, as leaked internal documents now make clear, the possibility for such an assault was not a matter of “if,” but “when.” These documents paint an unflattering picture of Sony’s corporate IT culture, suggesting that not only were the company’s data security practices woefully deficient for a company of its size and complexity, but its ability to evolve to meet new cyber-security threats was hamstrung by corporate bureaucracy and outright apathy.
Far more important than what price Sony will pay for its cyber-somnambulance are the lessons for the federal government, whose vast data assets are to potential hackers infinitely more enticing and valuable than those of any corporation.
Many of the unflattering descriptions of dysfunction and incompetence within the IT department at Sony could readily be applied to nearly any program of the federal government, but most especially to those related to technology. A prime case in point is the launch of Obamacare. According to Bloomberg News, as of last February the federal government had spent more than $800 million on computer systems to run the online healthcare portal that serves as a gateway to the Obamacare system. In spite of this staggering amount of taxpayer dollars, the system, which did not even make it out of the starting gate without catastrophic system failures, remains to this day, nearly a year later, plagued with fundamental functionality issues and critical data security flaws that have yet to be resolved.
The news in early September that the Healthcare.gov portal had been hacked elicited little surprise, except for the fact that the attack occurred more than one full month before anyone noticed. While no data appears to have been stolen, and the attack appeared to be the beginning stages of a larger attack, it was definitive proof of the nightmare scenario predicted by privacy watchdogs: An arrogant and inept government agency now was in charge of massive quantities of highly sensitive personal information, and it could not even detect an attack on that information in spite of hundreds of millions of dollars spent to do just that.
Unlike Sony, in which the fallout from its data breach is limited primarily to its employees and contractors, the federal government holds within its databases personal information on hundreds of millions of individuals touching on virtually every aspect of their lives: criminal, financial, health, travel, and even private communications harvested through the National Security Agency’s data collection programs. Reflecting Uncle Sam’s insatiable appetite for data, these databases are only growing larger and more comprehensive. This makes government targets not only attractive to agenda-driven attackers from countries like North Korea, Russia, China, and others, but also to entities looking to use such information for financial gain.
As we see with Obamacare, the idea that the government can be trusted with protecting information on us that it compiles is not only foolish in theory, but a responsibility it has proven itself incapable of meeting time and again in the real world. Moreover, the refusal to accept this grim reality out of a desire to save face, as Democrats have done regarding Obamacare, only compounds the problems.
Even when the government does get around to discussing cyber-security, its goals usually are more about expanding its own power in domestic surveillance than they are about data protection for citizens. For example, legislation supposed to protect Internet privacy, such as the Stop Online Piracy Act (SOPA) and the Cyber Intelligence Sharing and Protection Act (CISPA), wound up trampling the very privacy concerns they were supposed to protect.
If we are to take any lesson from the Sony hacking, it is that a culture of incompetence and apathy to data security, such as we so often see in some of the largest federal agencies, creates a target-rich environment for hackers and energizes their endeavors. As government’s demands for data continue to grow both in the scope of data it collects on citizens and in the highly sensitive nature of such information, we should be strongly questioning not only if government is qualified to protect this data from theft, but if it should even be harvesting it in the first place. After all, hackers cannot attack a database that does not exist.