The Sony Pictures film, The Interview, seemed destined to be another Seth Rogen/James Franco box office hit of little substance and much crass humor. Seeking to tell a funny story about a vain television personality and his bumbling producer hired to go into North Korea to assassinate its dictator, the film received middling reviews by critics who previewed it, with the main complaint that it lacked satirical bite. However, one critic who feared its potential for sharp satire was able to eliminate the film from theaters entirely — Kim Jong Un, the actual totalitarian leader of North Korea. Unless you’ve been completely preoccupied with holiday preparations or end-of-year craziness, the story of how North Korea hacked Sony’s servers is familiar — hackers traced back to North Korea downloaded films, emails, and other documents, and threatened terrorist attacks if The Interview was shown.
As absurd as this situation seems, it is part of a theme — not the theme of terrorism stifling free speech, which is another shameful marker of our times, but of cyberterror and cyberwar, factors that should be increasingly concerning as our businesses and scientific communication in general move completely online.
Hacking, denial-of-service attacks, and other acts of cyberterror and cyberwar have been with us for years, but are becoming more common as more disenfranchised countries and factions come online and gain the skills to perpetrate hacking attacks. Retailers like Target, Home Depot, and TJ Maxx were famously hacked in order to gain credit card numbers, while banks and other financial institutions have been hacked for monetary gain.
But theft isn’t the only motivation. Increasingly, politics is becoming a motivation, from Wikileaks to Edward Snowden. More recently, casinos in Las Vegas were targeted by Iranian hackers who took issue with comments made by Sheldon Adelson, a right-wing billionaire casino mogul. Those of us who work with platform providers know that cyberattacks from China are commonplace, slowing service, triggering abuse warnings, and even taking servers down from time to time.
The expense of dealing with these is something we are all bearing. Spam email practices have forced us to adopt email marketing practices that keep our notifications white-listed, adding expense to our e-marketing campaigns. Platform providers are under consistent threat as sites from China and elsewhere probe their firewalls for vulnerabilities, which can lead to downtime and increased expenses for publishers. Peer-review systems, e-commerce systems, membership systems, and financial systems at non-profits are all subjected to a constant barrage from hackers, as they seek the weakest link into larger systems.
The Sony attack marks a potential turning point in these matters as the US government is striking a slightly more serious tone due to the economic damage and direct connection with a rogue state. Previously, the government kept itself out of matters that didn’t affect its operations directly. As Ben Elgin and Michael Riley write in BusinessWeek:
. . . Las Vegas casinos don’t deliver essential services to the U.S. population, apart from Cirque du Soleil addicts. Nor do movie studios. Even months of nuisance attacks on websites of major American banks in 2012 and 2013, which U.S. intelligence officials connected to Iran’s Republican Guard, didn’t meet the threshold. The damage wasn’t serious enough.
This time, however, the US government promised “cost and consequences” for those involved in the Sony breach and subsequent threats over The Interview. Other alternatives include larger private companies creating divisions of cyberattackers themselves, on the theory that the best defense is a good offense — that is, if the government won’t attack the hackers, the companies will.
Scientific equipment has entered this territory before, with the Stuxnet virus supposedly set into the logic controllers of nuclear centrifuges delivered to Iran, where it then caused them to misfire, setting the Iranian nuclear program back years. The same type of controller can be found on assembly lines and amusement park rides, making both potential targets.
Shifting to use cyberterror and cyberwar to suppress information or ideas a faction or totalitarian regime might find repugnant is an important move to note. Scholarly publishers have been caught up in information blockades in the past, around particular topics or particular nations, actions which now could make them more likely to be targeted for cyberattacks. Climategate involved the hacking of emails between climate scientists, which were then selectively leaked in an attempt to portray global warming as an academic conspiracy. Just this month, health care and pharmaceutical companies were hacked in an attempt by someone to get inside information that could affect the stock market.
There are more pedestrian effects of the escalating battles — commercial and political — defining the Internet economy. For instance, many journals struggle to get reviewer requests through as their link-filled emails get eaten by institutional and corporate spam filters. This adds to the cost, effort, and time it takes to complete peer review. E-commerce systems, whether for subscriptions or APCs, are under constant surveillance for holes, and complying with PCI standards is a constant struggle. The news that the NSA had found a way to defeat 128-bit encryption was not encouraging, nor are the revelations that the NSA has purposely avoided alerting companies to security vulnerabilities it has found, as it wanted to exploit them before they were closed.
The simple escalation in password controls has added to publisher burdens, as authors, reviewers, institutional administrators, and subscribers find themselves less able to remember the more complex capitalization and special character rules our systems increasingly require to remain secure.
Publishers possess information that’s sensitive and potentially useful to hackers, such as high-profile papers that have yet to be published, lists of reviewers, and the contents of peer reviews. How well our systems protect this information is an open question. With many editorial offices linked to academic centers or non-profit organizations, publisher systems could represent the “weak link” hackers seek as they probe for ways to get into more robust networks.
There is no easy answer to this problem, but it is growing — adding to the costs of academic publishing, the complexity of our systems, and the amount of support and proactive planning we must conduct. It’s another clear indication that online publishing is not simpler, cheaper, or easier than printing ever was. In fact, it may turn out to be exactly the opposite, especially as cyberspace becomes littered with crime scenes and battlefields.
Discussion
6 Thoughts on "Cyberwar and Cyberterror — New and Unwelcome Companions in Publishing and Culture"
What I like about this blog is that intelligent, well-educated people are writing and commenting. This is very refreshing as I know other US-dominated places about scholarly publishing on the Internet where the writing style is much different: less intelligent, but rude and offensive.
Now about the film “The Interview”. Looking at the trailer, I personally find the jokes shallow and would not be prepared to waste my time watching the film. However, if the film would be about MY assassination I would certainly not be amused. Would you? The film has nothing to do with free speech, but simply with (lack of) good taste. “Rogen and Goldberg developed the idea for The Interview in the late 2000s, joking about what would happen if a journalist was required to assassinate a world leader.” (http://en.wikipedia.org/wiki/The_Interview_%282014_film%29#Production)
After this joke they should have remembered their decent education and should have turned to some other work. Unfortunately they did not.
I learn from http://en.wikipedia.org/wiki/The_Interview_(2014_film):
On June 25, 2014, the Korean Central News Agency (KCNA) stated:
“making and releasing a film that portrays an attack on our top-level leadership is the most blatant act of terrorism and war and will absolutely not be tolerated.”
“On July 17, 2014, the KCNA wrote to U.S. president Barack Obama, asking to have the film pulled.” Apparently no reaction.
Do you think an American president would be happy about a film featuring his assassination? Probably not. It does not hurt, if I step on the foot of someone else, but it does if someone steps on my foot.
“On December 16, 2014, the hackers issued a warning to moviegoers” (They did not need to hack to send this message). Such threats are of course not acceptable. But isn’t the whole thing childish? And if so, don’t we ask children: “Who started the fight?” Who did? North Korea? No, it was started in the USA because of bad taste and a lack of empathy.
Now about the side story “hacking”. The biggest military power in the world (the USA) is also the biggest hacker (see below). It would be embarrassing for the USA, if it would be otherwise. All countries are hacking. The secret services do it together and at the same time against each other, but always against the population. This is not a big issue in the USA, but it makes many Germans upset.
“Snowden’s disclosures had created tensions between the U.S. and some of its close allies after they revealed that the U.S. had spied on Brazil, France, Mexico, Britain, China, Germany, and Spain, as well as 35 world leaders, most notably German Chancellor Angela Merkel [her cell phone was tapped], who said ‘spying among friends’ was ‘unacceptable’ and compared the NSA with the Stasi.” (http://en.wikipedia.org/wiki/Edward_Snowden)
“The NSA began the PRISM electronic surveillance and data mining program in 2007. PRISM gathers communications data on foreign targets from nine major U.S. internet-based communication service providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.” (http://en.wikipedia.org/wiki/National_Security_Agency)
The German parliament established a commission of inquiry about the NSA affair. It debated under the most severe data protection, but … was spied on by the CIA. The highest CIA representative in Germany was ordered to leave the country.
(http://de.wikipedia.org/wiki/NSA-Untersuchungsausschuss)
Summary: The problem is on the US doorstep.
Now about scholarly publishing. Exchange of views about scholarly publishing is often done on the Internet in various non-refereed forms. These views are referenced, compiled, and edited to form finally also the Internet image of a publisher. Exchange of views on publishing in English is clearly much dominated by US views. The problem with the film in this respect is not even so much with Rogen and Goldberg’s idea. The real problem is that a for-profit organization reckoned correctly the film would fit to the mentality of a sufficient number (I do not say all!) of US Americans. How far-fetched is it to conclude people who love the film will also mock people in other countries, the further east the more? How are perceived conflicts often solved? With assassination? With torture? With throwing bombs? Not totally unheard of! On the Internet in the absence of real bombs the keyboard will also do: “don’t seem to have a clue about”, “company has been accused”, “company exploits”, “Dr. …, are you proud of …”, “I wonder if the firm reports its income”, “I don’t recall the possible suffering of employees at companies … being an important consideration”, …
The point of this post is that attacks on Internet infrastructure have created costs, security concerns, and other problems for publishers, making online publishing anything but a panacea, driving up costs, and increasing complexity.
While your comment is certainly interesting in many respects, I believe it misses the point of this post.
Scholarly publishers have been caught up in information blockades in the past….
They still are. Anything resembling meaningful manuscript editing is still prohibited (PDF). Then again, this is well on its way to being a complete nonissue in any event.
For what it’s worth, there remains a great deal of skepticism over whether North Korea really had anything to do with this hack:
http://www.theatlantic.com/international/archive/2014/12/did-north-korea-really-attack-sony/383973/?single_page=true
You are doing “e-marketing campaigns”. So you are sending unsolicited commercial e-mails. With the company located in the USA the CAN-SPAM Act of 2003 applies (http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003). The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to 3 basic types of compliance defined in the CAN-SPAM Act: Unsubscribe compliance, content compliance, sending behavior compliance. Publishers in other countries have to follow the rules in their respective countries (http://en.wikipedia.org/wiki/Email_spam_legislation_by_country). If the spam detection algorithms would be sophisticated enough only those e-mails would end up in a spam filter that do not comply with their respective national law. So, either your e-mails were not up to standards or the filter algorithms are not sophisticated enough. If your e-mails are ok and nevertheless end up in the filter, chances are, there are also other e-mails up to standards but end up in the filter. Therefore, also other publishers get annoyed because your many e-mails may have forced programmers to make algorithms tighter. This leads me to define spam e-mails in simple terms: Spam is always what others do.
If complex passwords are the mechanism for security, then snake-oil is the wonder drug of the day.
Is there a better way? Yes, in fact, there is. The adage was ‘something you are, something you have, something you know.’ If you expect to use the same reviewers over and over (care and feeding, as you called it before, is an expected practice), then give them a physical reminder of their association to the organization. Perhaps a read-only USB thumb drive with a digital key. Or a small fingerprint scanner, if they don’t have one already. A plastic card with a 2-D barcode that they can hold up to a camera. So many options. Combine it with a PIN or word/phrase, even triggered by an image.
Third factor authentication (texting a cell number, for example) is also an option.
There are many ways to create high security, but complicated passwords is not one of them. Let’s drop that burdensome silliness and move on.