Saturday, December 20, 2014

Why the #SonyHack is not cyberwar

Here are two links that are essential reading for anyone tempted to invoke the term "cyberwar" to describe the hacking of Sony Pictures and its subsequent canceling of The Interview.

Book: The Tallinn Manual on the International Law Applicable to Cyber Warfare. This is the primer on the subject. Readable online at no charge.

Article: Cyberwar: reality or a weapon of mass distraction. Very readable paper by my friend and boss, security expert Andrew Lee (.pdf file).

Hopefully, politicians and commentators talking about the Sony Pictures hack will familiarize themselves with the facts and arguments laid out in the above publications before crying War!

Friday, December 19, 2014

Dear George Clooney - A word about cybersecurity

The following letter was written in response to remarks made by the actor and activist, George Clooney, in this article: Hollywood Cowardice: George Clooney Explains Why Sony Stood Alone In North Korean Cyberterror Attack

Dear Mr. Clooney,

I have great respect for your work, sir, on film and off; I have a feeling we hold many of the same views on politics and economics and social justice. So it makes me sad to see how badly people have briefed you on the stark realities of cybersecurity. You seem to be under the impression that America can, with impunity, tell cyber criminals to "bring it on". You appear to be having difficulty understanding why big companies don't want to provoke hackers. Please allow me to explain.

In my own work I have seen the way in which multinational companies generate billions of dollars in profits by applying digital technology to improve productivity. My job has been, for the better part of two decades, advising companies on how to defend this highly profitable digital technology that they deploy.

Sadly, time and again, too many times to count, my fellow security professionals and I run into companies and company executives who reject our advice as too costly to implement, as an unreasonable burden on their business. When we say that the path they are taking comes with a large amount of risk, they either don't believe us or they say, "fine, we'll risk it."