News of the World Hacking Debacle: Groupthink in Action | InfoSec Perception

Starting in 2003, employees – including editors – of the now-defunct News of the World newspaper in Britain, controlled by Rupert Murdoch’s News Corporation became embroiled in a series of scandals involving bribery of police officers, illegal access to telephone voicemail, dishonestly suing truthful news organizations for libel, lying to parliamentary and congressional investigating committees, and selecting noncompliant employees as scapegoats. I have provided a couple of references at the end of this week’s column for readers seeking details.

The results of the illegal actions include the complete shutdown of the News of the World; the paper published its last edition on July 10, 2011 after 168 years of continuous publication. Two hundred people lost their jobs. In addition, a major corporate acquisition (that of BSkyB) by news Corporation was cancelled and a subsidiary, Wireless Generation, lost a contract with the government of New York State.

Such consequences seem to me to be comparable to those caused by criminal hackers and industrial spies. However, in this case, I think we are seeing the consequences of a sick corporate culture. Carl Bernstein, is famous among people my age (and surely completely unknown to most of my undergraduate students, almost all of whom were born after 1990) for his reporting on the Watergate scandal of the Nixon administration in the USA. Mr Bernstein wrote a commentary in July 2011 entitled “Murdoch’s Watergate?” in which he criticized the culture built by Murdoch:

  • “Between the Post, Fox News, and the Journal, it’s hard to think of any other individual who has had a greater [negative] impact on American political and media culture in the past half century.”
  • “Reporters and editors do not routinely break the law, bribe policemen, wiretap, and generally conduct themselves like thugs unless it is a matter of recognized and understood policy.”
  • “As one of his former top executives—once a close aide—told me, ‘This scandal and all its implications could not have happened anywhere else. Only in Murdoch’s orbit. The hacking at News of the World was done on an industrial scale. More than anyone, Murdoch invented and established this culture in the newsroom, where you do whatever it takes to get the story, take no prisoners, destroy the competition, and the end will justify the means.’”

The 2004 documentary “Outfoxed: Rupert Murdoch’s War on Journalism,” directed and produced by Robert Greenwald provides an inside look at a culture of enforced compliance with the extreme right-wing political views of the owners and upper executives of Fox News – a culture which converted a news organization into an effective propaganda machine not averse to printing doctored photographs of people it doesn’t like into pictures similar to Nazi anti-Semitic caricatures of the 1930s.

So how do these observations bear on information assurance?

I believe that any corporate culture which defines disagreement as treason is headed for disaster. As I wrote in “Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy,”

“In the extreme, a group can display groupthink, in which a consensus is reached because of strong desires for social cohesion. When groupthink prevails, evidence contrary to the received view is discounted; opposition is viewed as disloyal; dissenters are discredited. Especially worrisome for security professionals, those people in the grip of groupthink tend to ignore risks and contingencies. To prevent such aberrations, the leader must remain impartial and encourage open debate. Respected security consultants from the outside could be invited to address the group, bringing their own experiences to bear on the group’s requirements. After a consensus—not the imposition of a dominant person’s opinions—has been achieved, the group should meet again and focus on playing devil’s advocate to try to come up with additional challenges and alternatives.

In summary, security experts should pay attention to group dynamics and be prepared to counter possible dysfunctional responses that interfere with acceptance of information assurance policies.”

Preventing corruption at the heart of our enterprises is as essential as preventing intrusion by criminals and spies. If you are confronted with demand for illegal and unethical behaviour, challenge those making the demands. Don’t risk your career by becoming involved in activities which will likely result in serious damage to all the stakeholders of your group.

Stand on principle or fall with the unprincipled.

For Further Study:

  • For a timeline of the scandals as of September 6, 2011, see “Phone hacking: timeline of the scandal” by Indu Chandrasekhar, Murray Wardrop and Andy Trotmanin The Telegraph.
  • In addition, despite persistent debate about the reliability of Wikipedia entries, there’s an extensive summary of the News of the World scandals in that collectively written compendium.
  • If you would like to listen to a lecture for MSIA students about social psychology (specifically organizational psychology), you can download a ZIP file containing the narrated PowerPoint file.

* * *

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Professor of Information Assurance & Statistics in the School of Business and Management at Norwich University.  Visit his Website for white papers and course materials.

Copyright 2011 M. E. Kabay. All rights reserved.

Permission is hereby granted to InfoSec Reviews to post this article on the InfoSec Perception Web site in accordance with the terms of the Agreement in force between InfoSec Reviews and M. E. Kabay.

ADVERT

Information assurance training provides instruction in how to protect information against hackers and other security threats.