I wrote about the Sony cyber-attack when company execs’ emails first emerged in the public domain. At the time, the PR narrative was starting to shift away from “Sony-as-victim” to “SONY’s dirty little secrets.” The hack was so audacious, it eventually prompted an unprecedented retaliation by the U.S. government.
As we all know, the story went through an unusually long (for a PR crisis) series of twists and turns. When I last checked, Sony found itself (to its apparent relief) viewed again as a victim and even a hero for defying the hackers’ threats and green-lighting the film for release (on VOD).
I remain skeptical about whether the advice of the studio’s high-priced PR consiglieres produced this desired change. Of course SONY should stand up for the First Amendment and release the film. Rather, the 24/7 news cycle and a fickle media consumer more likely sped Sony’s exit from the headlines.
To its credit, the company did take a page from J&J’s playbook to offer one mainstream news org exclusive access to the crisis decision-making, even though it was after the fact. In its piece “Behind the Scenes at SONY as Hacking Crisis Unfolded,” the Wall Street Journal sympathetically quoted SONY Entertainment chief executive Michael Lynton:
“It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two.”
One theory we can reasonably debunk asserted that this mess was a giant PR ploy manufactured by the studio to bolster the prospects of a less-than-well-received film. Geesh. No PR person is so shortsighted (or so prescient) as to have created such a reputation-compromising controversy to rake in a few dollars at the box office.
In a twist, Wired just posted a piece by a cyber-security expert and academic who took aim at a different actor in the affair: the U.S. government.
In his piece “The Feds Got the Sony Hack Right, But the Way They’re Framing It Is Dangerous,” Robert M. Lee, a PhD candidate at King’s College London and an active-duty Air Force Cyber Warfare Operations Officer, wrote:
“…in presenting inconclusive evidence to the public to justify the attribution, the government opened the door to cross-analysis that would obviously not reach the same conclusion it had reached. It was likely done with good intention, but came off to the security community as incompetence, with a bit of pandering.”
Lee argues that the U.S. government should have either presented all evidence it had collected (from the NSA and elsewhere), or withheld all evidence under the guise of national security. He takes issue with releasing evidence piecemeal or haphazardly:
“The problem in this case is that the government made a decision to have public attribution without the needed public evidence to prove it. It sets a dangerous international precedent whereby we’re saying to the world ‘we did the analysis, don’t question it — it’s classified — just accept it as proof.’”
Every PR crisis has its own peculiar dimensions. In this instance, faced with the prospect of a torrent of embarrassing leaks — not unlike what BP faced with that live video torrent of oil gushing into the Gulf — SONY knee-jerked and pulled the plug on the film’s release hoping to quickly quell the crisis. The PR pendulum then swung back to activate enraged 1st Amendment advocates, which prompted SONY to reverse its decision.
As unique as this crisis was, there are certain best practices to which most organizations under siege should adhere. The most important of these is to quickly establish consistent lines of communication with the org’s various “publics,” e.g., employees, shareholders, customers, citizens, vendors, regulators… The second is transparency, i.e., share what you know as you know it.
Lee is not wrong in questioning the U.S. government’s decision to selectively release what it knew about North Korea’s role in the breach. Ideally, the Feds should have released all the information to unequivocally justify their retaliatory sanctions. He wrote:
“This opens up scary possibilities. If Iran had reacted the same way when its nuclear facility was hit with the Stuxnet malware we likely would have all critiqued it. The global community would have not accepted ‘we did analysis but it’s classified so now we’re going to employ countermeasures’ as an answer.”
Still, I don’t agree with Mr. Lee’s “all or nothing” assessment. I do agree that the U.S. government could have been less coy and more forthright in presenting more of what it knew sooner to silence the inevitable second-guessers. I do not believe, however, that releasing nothing under the guise of national security would have been publicly acceptable.
Others also questioned the basis for the government’s actions. Writing for TIME, Bruce Schneier, a security technologist and fellow at the Berkman Center for Internet and Society at Harvard Law School, had this to say:
“American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong.”
Minimally, the Feds should have presented evidence at the outset that an IP address used in the attack was one associated with the North Korean government. They didn’t do so until later.
Would that have been enough to quell the myriad dissenters and conspiracists? Sadly, no. Nowadays, crisis managers can only aspire to have their POV prevail over a plurality of public opinion, and hope the passage of time will do the rest in putting the problem to bed.