Sony hack

Howard Stern is right: Journalists should do a gut check on Sony coverage

Some information behind the Sony breach is important and valuable. But is it ethical and necessary to publish the private details of emails, sales contracts and other privileged information that has been leaked in this breach?

the interview movie
A security guard stands at the entrance of United Artists theater during the premiere of the film "The Interview" in Los Angeles, California December 11, 2014.
Credit: REUTERS/Kevork Djansezian

Full disclosure: I am a Howard Stern fan. I listen to him daily and have for 20+ years. He is the best interviewer in the business and is a smart and compelling radio host. Think what you will, but my general experience is that anyone who has a negative impression of Stern is probably not a regular listener and is instead crafting an opinion based on a few out-of context snapshots of his work.

Now that we have that out of the way, let me get down to business. I was listening to Howard Stern this week and he was interviewing Seth Rogen and James Franco about their upcoming movie The Interview. You might recognize the name of the film because in recent weeks it has been named repeatedly as the motivation behind the hack against Sony, in which a group calling themselves the Guardians of Peace (GOP) managed to gain access to a great number of Sony’s confidential documents, including private emails, sales contracts and financial records.

On the Stern show, of course, the discussion of the movie led to the topic of the Sony hack. Both Stern and the actors agreed that the leaking of the material uncovered by criminals who broke into the corporation’s sensitive assets was an act of terror - and that the media responsible for widely disseminating this material are aiding and abetting the terrorists. Stern likened it to a 9/11-style attack on the country.

The following morning, on Tuesday, the New York Daily News saw fit to run a news story about the in-studio interview and the views held by Stern. The paper copy of the publication featured a picture of the burning Twin Towers, a tragic image etched into the brains of most Americans, and included the caption “This is 9/11, idiot.”

Classy.

Here’s the thing: Stern is not wrong. And neither are the other experienced and knowledgeable security professionals who have voiced similar concerns in the last few days about this issue. While they don’t have as wide of a platform as Stern, they are echoing similar sentiments. Examples include this opinion piece from Rafal Los, in which he makes the following statement: “If the GOP wanted to destroy Sony Pictures Entertainment, then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data.”

Aaron Sorkin, while not a security executive, but a Hollywood Insider, voiced his frustration in the New York Times and noted: “ The Guardians just had to lob the ball; they knew our media would crash the boards and slam it in. First, salaries were published. Not by the hackers, but by American news outlets.”

As a contrary view, Andrew Wallenstein, co-editor-in-chief of Variety, which has published many of the salacious details of what has been leaked, gave this statement: "The hackers are playing the press as pawns. Journalists are essentially doing their bidding by taking the choicest data excerpts and waving them around for the world to see, maximizing their visibility."

Wallenstein’s unapologetic explanation of the media’s choice to publish these details bares naked the truth about how the press operates during this kind of feeding frenzy of open information. But a much larger question we must ask ourselves is now posed: Is this OK?

Here at CSO, we have strived from day one to cover this issue in a way that is useful, educational and relevant to our reader; the security professional who is working to secure their organization’s sensitive data, assets and employees. And as Steve Ragan, CSO's writer behind the majority of our coverage has noted, CSO could have gone into the details of this leaked information many times – but we have chosen not to go there because it serves no valuable purpose.

We’ve been covering security, risk, privacy, strategy and cybercrime since 2002. We hear from the criminals behind breaches, and deal with criminal activity and revelation, almost every day. When presented with information, as a security publication, we always ask ourselves “How can we cover this story, give our readers useful information and not release harmful details in the process?”

Frankly, that is a challenge with some stories.

But we believe we have accomplished that thus far in our work on the Sony breach. Publishing the dirty bits of private emails, the specific of sales documents and other intimate details of operations does little more than offer gawking material and embarrass the parties involved. The groups responsible for this, the GOP, wanted to punish Sony with their actions. One can’t help but question if they have us just where they want us now given the media fall out and coverage of this leak.

As far as the journalists who have covered this are concerned: I get it. I’ve been a journalist now for close to two decades. You see an opportunity for fantastic headlines and reader clicks. It seems irresistible. But let’s evolve beyond that. Let’s ask: Is this ethical? What value does exposing this information really have? To the average person reading this information at their desk with a cup of coffee at work each day, I have to assume it is very little. Who is your reader? And to whom does this serve and give value? Please ask yourself that going forward.

Going back to the first point, which was the beating radio host Howard Stern took from the Daily News, the paper's “idiot” headline is not only misguided – it’s dangerously wrong. Cyber crime is an ever-growing and dangerous threat - not only to us as individuals, but also to our collective. One of the primary differences between the 9/11 terrorist attacks and a massive cyber attack is that we’ve yet to experience the fall out of the latter. As the intelligent, hard-working, diligent professionals in the security industry well know, the implications of a massive cyber attack on critical infrastructure (think: the systems that operate our country’s energy, communications or water supply) are wide-reaching and terrifying. A coordinated effort to take down, or destroy, these systems has the potential to make us uncomfortable at a minimum, and cause widespread illness, or even death, as a worst-case scenario. Cybercrime and hacking is not a tabloid joke. And to treat it as such with a callous headline does us all a great disservice.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.