I doubt that I’m the first to say this, but has anyone noticed a striking similarity between 9/11 and the Sony hack? Not in terms of scope or malevolence, of course, but in terms of—what’s the best word here? Creativity? Bang for the buck?
Here’s what I mean. The 9/11 attack wasn’t especially sophisticated. In fact, it was famously crude and butt cheap. All it took was a few guys who learned rudimentary piloting skills and then carried some box cutters on board four airplanes1. The reason it worked is that it was brilliant. Nobody had ever considered that hijackers could take control of a plane without so much as a single cheap handgun, and even if they could, no one had really figured that they could do anything much worse than fly the plane somewhere and maybe engineer a hostage crisis. But al-Qaeda thought different. They understood that (a) box cutters would be good enough to hold pilots and passengers at bay for an hour or two, and (b) this was long enough to fly their airplanes into a pair of iconic skyscrapers, killing thousands in an extraordinarily gruesome way. They took a crude, simplistic weapon and figured out a way to cause damage that was both tangibly enormous and emotionally outsized.
The Sony hack is a far smaller thing, but it shows a lot of the same hallmarks. Despite what press reports say, it wasn’t really all that sophisticated. It was, to be sure, a step up from box cutters, but it’s not like North Korea tried to hack into a nuclear power plant or the Pentagon. They picked a soft target. In fact, based on press reports, it sounds like even in the vast sea of crappy IT security that we call America, Sony Pictures was unusually lax. Hacking into their network was something that probably dozens of groups around the world could have done if they had thought about it. And like al-Qaeda before them, North Korea thought about it. And they realized that a Sony Pictures hack, done right, could have an outsized emotional impact. Like 9/11, it was a brilliant example of using a relatively crude tool to produce a gigantic payoff.
So what happens next? The 9/11 attack was huge, but even for its size it provoked a mammoth overreaction that continues to this day. Will the Sony hack do the same? After the dozens of credit card hacks of the past couple of years corporations are finally getting the news that they need to secure their networks better, and the Sony hack might prompt even more companies to finally get serious about IT security. That would be good. On the other hand, it could also provoke an overreaction that ends up locking down corporate infrastructure so tightly that workplaces turn into digital gulags. That would be dumb.
So then. Better corporate IT security: good. Massive overreaction: bad. Let’s get things right this time.
1It also required recruiting 19 guys willing to die for a cause. This is definitely uncommon. But it doesn’t really change the basic nature of how al-Qaeda managed to pull off such a massive attack.