Logo for print

Things have gotten a wee bit out of proportion

Cybersecurity and Data Breach,
White Collar Defense
Government Enforcement & Investigations
Data Security & Privacy
Litigation

I want you to know that I tried. I really did.

I didn’t write anything at all when the vice president of Korean Air – a degree holder from Cornell and the University of Southern California – resigned after she went … well, after she went completely nuts. You see, a flight attendant gave Heather Cho some macadamia nuts and <gasp!> even worse, gave them to her in a bag and not on a plate. Cho shouted at the flight attendant, demanded that the plane (at the time on the runway) return to the gate, and that the chief flight attendant leave the plane. Nut rage. I wrote nothing about nut rage.

And then, just five days later as if to taunt me, a group of Chinese tourists “went berserk on a flight to Thailand scalding a flight attendant with noodles and hot water and then threatening to bomb the plane, apparently because they were unhappy about their seating arrangements.” Throwing noodles because you don’t like your seat. Okay. Deep breath. I wrote nothing about noodle rage.

Finally, I channeled my inner Frozen (“Let it go!”) and wrote nothing about the Harvard professor who decided that Boston authorities should intervene after an out-of-date website caused a $4 increase in his Chinese food takeout order. I am not making that up. The refund he was offered was not nearly enough to offset the offense that he took – what the good professor wanted was this: “I suggest that Sichuan Garden refund me three times the amount of the overcharge. The tripling reflects the approach provided under the Massachusetts consumer protection statute, MGL 93a, wherein consumers broadly receive triple damages for certain intentional violations.”

No need to wonder why everyone hates lawyers.

Anyway, these were some unbelievable examples of disproportionate responses to everyday situations, like using a flamethrower to light a birthday candle. But I was all set to let these awesome incidents of human behavior go in the spirit of the season. And then North Korea came along and offered up the disproportionate response to end all disproportionate responses … and I just couldn’t help myself.

You probably know the story already unless you are actually in Pyongyang. Sony Pictures greenlighted the “The Interview,” a Seth Rogen/James Franco comedy about the assassination of North Korean dictator Kim Jong-Un. North Korea predictably took offense, and a government-sponsored group calling itself the Guardians of Peace  -- no irony there! – launched a vicious cyberattack that compromised Sony’s cybersecurity, leaked personal identification information and sensitive email communications, and levied threats against anyone who screened the movie. This caused theaters to cancels premieres of the movie, caused the actors to cancel publicity appearances, caused Sony to cancel showings of the movie, and caused the rest of us to wonder why this whole thing sounded suspiciously like the plot of a Seth Rogen/James Franco movie. Time Magazine just needs to dub 2014 “The Year of the Cybercriminal” and be done with it.

Oh, and here’s the best part: North Korea wanted to jointly investigate the hack – the very hack that it sponsored! – with the United States. And it warned that there would be “grave consequences” if the United States rejected this proposal. Really! Great new tactic. “Officer, I have no idea who was speeding but why don’t we find out together?”

As they say on late-night television, “but wait, there’s more!” There’s actually more stuff packed into the plot of this ridiculous fiasco. For example, did you see this excerpt from a 2007 article entitled “Your Guide to Good-Enough Compliance” in CIO Magazine:

“In November 2005, Jason Spaltro, executive director of information at Sony Pictures Entertainment [said], ‘There are decisions that have to be made. We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions…. Legislative requirements are mandatory, but going the extra step is a business decision.’”

Show of hands, how many people think that Sony would like to retract that quote right about now? You see, Sony is technically right about balancing cost with security. But when the inevitable lawsuits start up challenging Sony’s protection of sensitive information, that quote is not going to be all that helpful for the Board of Directors.

And how about the compromised emails from high-level executives that display messages that appear racially motivated, or illustrate gender-based pay differentials, or levy personal attacks on actors, or … well, you get the idea. Do you think Sony would like to go back right about now and train their personnel on the appropriate use of electronic communications?

If I were to try and summarize all of this, I’d just say that cybersecurity is not something to be taken as lightly as Sony’s unfortunate 2005 quote makes it out to be. And even that commitment to cybersecurity does not help you when internal protocols – such as sending injudicious communications or treating them lightly – are so lacking. This is not the first such attack and it will not be the last. Cybersecurity needs to be fully integrated into every company. It’s just that clear.

The U.S. government rightly views the Sony cyberattack as a national security issue, and it is entirely possible that the United States is striking back right now by disrupting North Korea’s cyber infrastructure. This is certainly the most powerful statement that North Korea has come up with since its debacle with the Taepodong missiles – a name does not instill the intended sense of fear or respect. But pitch this into the too little too late bin, since none of this is going to mitigate the financial and reputational harm that Sony is suffering.

Now North Korea claims that it was not responsible for the Sony hack but that “worse is coming.” Huh. That’s a bit of a problem. I bet you are all wondering what I’ve been wondering. But no, I have no idea where Dennis Rodman is and why he won’t help us. But I do know one thing, and that this: Dennis is not gone for good. You see, he was made out of rainbows and sparkles and can never disappear completely. He sometimes goes away for almost a year at a time and takes the form of spring and summer rain. But you can bet your boots that when a good, jolly December wind kisses the world, Dennis will come back again.

And next time, I hope that he’ll come with a comprehensive cybersecurity policy.