Sony
Some policy thoughts on corporate "revenge hacking"

Michael Riley and Jordan Robertson, reporting a fascinating story at Bloomberg:
In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack. The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.
Diplomacy and the courts are clearly inadequate channels for preventing, halting or discouraging foreign-based hacking.
The question, then, is whether the U.S. government will use its broader “revenge” authority under the CFA to defend not only itself but private U.S. companies. This method would be problematic from a funding perspective, and may cause diplomatic friction.
Alternatively, the CFA could be amended to allow “proportional responses” by private U.S. companies to foreign-based hacking. This method would be problematic from oversight and transparency perspectives, subjecting revenge hacking to market dynamics and the “black box” in which companies conduct so much of their business (especially when they’re privately held).
Yes, companies often have to deal with reporting requirements in the aftermath of a major data breach, but they don’t have to disclose any countermeasures under any current state or federal notification regime I can find.
Perhaps the best solution would involve some hybrid of these. For example, a department of government investigators and hackers could be assigned in small groups to companies facing imminent or ongoing foreign-based hacking.
They could embed into the companies like journalists sometimes embed into military units, assisting the company in its response and pulling the trigger on revenge hacks, insulating the company from CFA liability.
The hybrid method minimizes government expense, maximizes company involvement and allows for the use of transparency laws such as the Freedom of Information Act by journalists and policy analysts to peek inside the black box.
I’m obviously not going to come up with a perfect solution in a short blog post, but it’s worth thinking about.
Employees sue Sony over email leaks
Saba Hamedy and Meg James, at the LA Times:
Hackers began releasing sensitive data after the studio’s security breach became public on Nov. 24. The group, calling itself Guardians of Peace, has released data including thousands of pages of emails from studio chiefs, salaries of top executives, and Social Security numbers of 47,000 current and former employees.
Many are warning of the intellectual property fallout of hacks like this. And that could, indeed, lose companies much potential revenue. But the more serious liability here is failure to secure employee information. I anticipate we’ll see many similar class actions unless companies get serious about security.
The ethics of reporting on the Sony hack
Emily Yoshida (@emilyyoshida), entertainment editor at The Verge, one of my favorite tech news sites, on the publication’s ongoing and deep contemplation of the ethics of reporting on unethically leaked information:
The contents of the leak are already public; they’re just not in a very user-friendly format until a news outlet decides to amplify a piece of it. Which means, one could argue, that the press is merely drawing lines of best fit through a dataset. It could also mean that the press is essentially finishing what the hackers started.
Steam has more subscribers than Xbox Live
The Steam gaming network is now the number 2 community for gamers in the world. Sony’s PlayStation Network is on top with 110 million users, followed by Steam with 65 million. Microsoft’s Xbox Live network takes the third spot with 48 million subscribers.
The Steam number is truly impressive because, unlike the other two on the list, Steam has no console on the market yet.
The PC-gaming market and multiplayer software maker expects to launch beta hardware soon, but to take the second position without anything in households yet is quite a feat.