The Sony Pictures film, The Interview, seemed destined to be another Seth Rogen/James Franco box office hit of little substance and much crass humor. Seeking to tell a funny story about a vain television personality and his bumbling producer hired to go into North Korea to assassinate its dictator, the film received middling reviews by critics who previewed it, with the main complaint that it lacked satirical bite. However, one critic who feared its potential for sharp satire was able to eliminate the film from theaters entirely — Kim Jong Un, the actual totalitarian leader of North Korea. Unless you’ve been completely preoccupied with holiday preparations or end-of-year craziness, the story of how North Korea hacked Sony’s servers is familiar — hackers traced back to North Korea downloaded films, emails, and other documents, and threatened terrorist attacks if The Interview was shown.
As absurd as this situation seems, it is of a theme — not the theme of terrorism stifling free speech, which is another shameful marker of our times, but of cyberterror and cyberwar, factors that should be increasingly concerning as our businesses and scientific communication in general moves completely online.
Hacking, denial-of-service attacks, and other acts of cyberterror and cyberwar have been with us for years, but are becoming more common as more disenfranchised countries and factions come online and gain the skills to perpetrate hacking attacks. Retailers like Target, Home Depot, and TJ Maxx were famously hacked in order to gain credit card numbers, while banks and other financial institutions have been hacked for monetary gain.
But theft isn’t the only motivation. Increasingly, politics is becoming a motivation, from Wikileaks to Edward Snowden. More recently, casinos in Las Vegas were targeted by Iranian hackers who took issue with comments made by Sheldon Adelson, a right-wing billionaire casino mogul. Those of us who work with platform providers know that cyberattacks from China are commonplace, slowing service, triggering abuse warnings, and even taking servers down from time to time.
The expense of dealing with these is something we are all bearing. Spam email practices have forced us to adopt email marketing practices that keep our notifications white-listed, adding expense to our e-marketing campaigns. Platform providers are under consistent threat as sites from China and elsewhere probe their firewalls for vulnerabilities, which can lead to downtime and increased expenses for publishers. Peer-review systems, e-commerce systems, membership systems, and financial systems at non-profits are all subjected to a constant barrage from hackers, as they seek the weakest link into larger systems.
The Sony attack marks a potential turning point in these matters as the US government is striking a slightly more serious tone due to the economic damage and direct connection with a rogue state. Previously, the government kept itself out of matters that didn’t affect its operations directly. As Ben Elgin and Michael Riley write in BusinessWeek:
. . . Las Vegas casinos don’t deliver essential services to the U.S. population, apart from Cirque du Soleil addicts. Nor do movie studios. Even months of nuisance attacks on websites of major American banks in 2012 and 2013, which U.S. intelligence officials connected to Iran’s Republican Guard, didn’t meet the threshold. The damage wasn’t serious enough.
This time, however, the US government promised “cost and consequences” for those involved in the Sony breach and subsequent threats over The Interview. Other alternatives include larger private companies creating divisions of cyberattackers themselves, on the theory that the best defense is a good offense — that is, if the government won’t attack the hackers, the companies will.
Scientific equipment has entered this territory before, with the Stuxnet virus supposedly set into the logic controllers of nuclear centrifuges delivered to Iran, where it then caused them to misfire, setting the Iranian nuclear program back years. The same type of controller can be found on assembly lines and amusement park rides, making both potential targets.
Shifting to use cyberterror and cyberwar to suppress information or ideas a faction or totalitarian regime might find repugnant is an important move to note. Scholarly publishers have been caught up in information blockades in the past, around particular topics or particular nations, actions which now could make them more likely to be targeted for cyberattacks. Climategate involved the hacking of emails between climate scientists, which were then selectively leaked in an attempt to portray global warming as an academic conspiracy. Just this month, health care and pharmaceutical companies were hacked in an attempt by someone to get inside information that could affect the stock market.
There are more pedestrian effects of the escalating battles — commercial and political — defining the Internet economy. For instance, many journals struggle to get reviewer requests through as their link-filled emails get eaten by institutional and corporate spam filters. This adds to the cost, effort, and time it takes to complete peer review. E-commerce systems, whether for subscriptions or APCs, are under constant surveillance for holes, and complying with PCI standards is a constant struggle. The news that the NSA had found a way to defeat 128-bit encryption was not encouraging, nor are the revelations that the NSA has purposely avoided alerting companies to security vulnerabilities it has found, as it wanted to exploit them before they were closed.
The simple escalation in password controls has added to publisher burdens, as authors, reviewers, institutional administrators, and subscribers find themselves less able to remember the more complex capitalization and special character requirements our systems increasingly require to remain secure.
Publishers possess information that’s sensitive and potentially useful to hackers, such as high-profile papers that have yet to be published, lists of reviewers, and the contents of peer reviews. How well our systems protect this information is an open question. With many editorial offices linked to academic centers or non-profit organizations, publisher systems could represent the “weak link” hackers seek as they probe for ways to get into more robust networks.
There is no easy answer to this problem, but it is growing — adding to the costs of academic publishing, the complexity of our systems, and the amount of support and proactive planning we must conduct. It’s another clear indication that online publishing is not simpler, cheaper, or easier than printing ever was. In fact, it may turn out to be exactly the opposite, especially as cyberspace becomes littered with crime scenes and battlefields.