As the 113th U.S. Congress is putting the finishing touches on one of the most feeble legislative terms in history, I was surprised to learn that they actually did something positive before rushing home for the holidays. They passed four important cybersecurity bills at the last minute, surprising most of us in the technology world. The bills represent well-crafted legislation that has broad support from the technology industry. The bills would increase government transparency and Congressional oversight of federal cybersecurity efforts, while expanding coordination between civilian agencies and private companies.
As late as early December, no one gave these bills a chance of passing through the lame duck session of Congress, but some people credit the recent massive data breach suffered by Sony with focusing the attention of legislators on the importance of cybersecurity.
As you know, there have been numerous high-profile data breaches this year, and the list of companies affected is amazing. You have Target, Home Depot, eBay, Snapchat and even JP Morgan. You also have a number of federal agencies that were targeted, including the State Department, Postal Service and even the White House. But, based on all of the information available publicly today, the Sony breach dwarfs all of them in the amount of raw data stolen and the cost of the breach. Early estimates are that it will cost Sony over $100 million when all is said and done, but I think the final cost will be much higher, even as high as $1 billion, as more and more details about the breach leak out.
Hackers originating from North Korea are suspected of being behind the cyberattack on Sony, but there’s some evidence that they had help from people inside the company as well. The working theory is that the hackers targeted Sony because of a movie called “The Interview,” a comedy produced by the film studio that depicts two bumbling journalists recruited by the CIA to assassinate North Korean leader Kim Jong-un. There have even been terrorist threats against the theaters that were scheduled to show the movie, so Sony was forced to cancel the release of the movie just this week.
What’s shocking is that executives at Sony were well aware that the protections they employed were inadequate; Sony is a $22 billion company, yet it only had 11 people assigned to the information security team for its worldwide operations, and they publicly acknowledged they had a problem. The Director of Information Security Jason Spaltro even claimed in an interview a couple of years ago that, quote, “it’s a valid business decision to accept the risk of a security breach. I will not invest $10 million to avoid a possible $1 million loss,” he said at the time. Can you believe that? Well, it looks like the chickens have come home to roost for Sony!
Not only did Sony get robbed of terabytes of information and video of unreleased motion pictures, they also had the identities of thousands of employees stolen, many of whom don’t work at Sony any longer, and there are already verified reports of identities being stolen. A few of those affected have banded together to file a class action lawsuit against the company, further adding to the costs of the breach to Sony.
The new cybersecurity laws that Congress just passed will help in preventing future Sonys by forcing many of these big companies to address their security issues up front. They will give them a legal framework to share security information between themselves and the government, and require a more transparent method of reporting breaches to the public and those affected. Like most people, I’m not a big fan of the folks in DC nowadays, but I’m glad they finally did something positive to address the issues this country has with cybersecurity.