The recent Sony case highlights the depth of the problem:
Sony is run by a bunch of greedy morons who stupidly left their systems vulnerable to an attack by hackers: This is the conventional explanation of how the company finds itself bent into a familiar pose of contrition, following news that cyber-pirates breached its defenses, potentially gaining access to troves of valuable information — credit card numbers, email addresses — for more than 100 million customers.
If only life were so soothingly simple. The Sony data hack and the predictable pursuit of villains carries a dose of false comfort, implicitly affirming the assumption that someone must have fouled up to create such a menace to privacy and commerce; someone must have failed in a readily identifiable way, because this surely can’t be the ordinary state of events. But the blame narrative masks an unsettling question: What if Sony did the best it could to protect itself, and the pirates still won? What if the company employed the best defenses available, yet they proved inadequate in the face of a decentralized and proliferating threat?
Sony has captured headlines because it is one of the world’s most conspicuous consumer brands, and the recent attacks on its network have been both brazen and successful. But the list of companies that have been targeted by similar plots is lengthy and growing.
The problem is that we don’t focus enough resources on this issue, and we don’t go after simple targets.
Take simple spam. It’s all over the place. But if we pursued these idiots aggressively, we would begin building an apparatus that would start to root out cyber criminals at all levels.
We need to get serious about these issues, and stop wasting time on things like online poker.
It’s also one of the few areas where the interests of security and privacy converge.