On April 27 the New York Times published a blog in the 'Your Money' section (The PlayStation Breach: Why You Should Remain Calm, by Ann Carrns). What follows is my response. You can find the New York Times blog and my response at http://community.nytimes.com/comments/bucks.blogs.nytimes.com/2011/04/27/the-playstation-breach-why-you-should-remain-calm/?permid=20#comment20.
The 'don't worry be happy' message of Ms. Carrns absolutely misstates what the Sony PlayStation data breach represents. Given the state of cyber crime today, this data theft was the act of sophisticated cyber criminals motivated by greed, not bragging rights. And the magnitude of the breach -- and the fact that these types of thefts are becoming increasingly routine -- illustrates too that our current approach to 'securing' the Internet is not working. (My recent book, Creeping Failure: How We Broke the Internet and What We Can Do to Fix It (McClelland and Stewart, 2010) discusses both these observations in detail, what follows is the Cliff notes version).
First, while over a decade ago it was not uncommon for the proverbial teenage hacker to break into a computer system for the bragging rights those days are gone. Cyber crime and the associated cyber underworld are now big business, with multinational cartels like the Russian Business Network (its real name) competing for the top grads from computer science at top Eastern European universities. By all accounts cyber crime can be very lucrative, and it is a percentage game based on returns from small percentages of very large numbers. If 77 million accounts are stolen, then some of those cards are not going to be cancelled in time. Under US law the credit card holders liability is limited, but someone will end up with the bill, or, stated differently, the cyber underworld will reap a gain. If one does the math, it turns out that a vanishingly small number of credit cards have to remain 'hot' for an attack like that against Sony PlayStation to be very very profitable for the cyber criminal. And credit card numbers are not the only personal data that Sony's files contain -- all of which can be monetized by a sophisticated criminals using florishing cyber black markets.
This transmogrification of the 'lone hacker' into a sophisticated cyber underworld is one of the most obvious seismic shifts making the Internet increasingly unsafe. I have no idea where Ms Carrns hears that 'hackers in this type of situation are often looking for notoriety' but that statement runs counter to everything I know of what motivates data breaches today.
Second, the Sony data breach is just the latest example of the insecurity of cyber systems. Stuxnet illustrated that a computer worm can disable the physical operations of a sophisticated nuclear plant. WikiLeaks illustrated that amazingly large amounts of sensitive US Government data can be stolen by a single individual. And so on.
I like to think of the Internet today as being the cyber equivalent to the London that Charles Dickens described. The London of 1840's was, like today's Internet, an incredibly vibrant environment, a phenomenal city of unimagined proportions driven and created by new technologies. It was also unsafe, filled with garbage, and lacking any police, uniform law enforcement, or effective government. In other words. just like today's Internet.
The Sony data breach is just the latest criminal escapade illustrating what happens in the cyber equivalent of Dickens' London.
After 1840 London invested in creating and building the institutional infrastructures and public incentives that we take for granted in today's First World cities -- sewers, police departments, public health, some form of unified and effective government.
The message of the Sony PlayStation theft is that we need to do the same for today's Internet.