Sony's CEO has forwarded a remarkable new rationale for his company's recent catastrophic network security failures. Howard Stringer warned last week that the April hacker thefts of millions of his customers' personal records are a prelude to global digital horrors. "It's not a brave new world," he told the media. "It's a bad new world."
Preaching Armageddon as a PR response to a corporation's own faulty technology and service is an unlikely tactic, especially when continuing attacks this very week show that Sony has clearly not eliminated its vulnerabilities. It's not our mess, Stringer seems to be implying with his dramatic blame shifting. It's the world's mess.
What's strange about this is that it seems to undercut an apology by Kaz Hirai, the head of Sony's gaming division, delivered ten days after the intrusion. Reuters called Stringer's comments "a stark departure from the remorseful tone struck just two weeks ago." Just last week the company offered an apology package, including a 12-month free identity protection program, free games and free content. Though late in coming, those were strong moves.
Yet Stringer's comments suggest Sony does not truly feel sorry for how badly it has treated its customers. What this bizarre narrative demonstrates is that Stringer and Sony are stuck in the first stages of grief: Not over the harm they have inflicted upon their customers, but in the potentially irreparable damage they have done to themselves and their brand.
Stage one of grief is shock and denial, stage two is pain and guilt, and stage three is anger and bargaining. Sony has gone through the first two stages and now Stringer is lashing back at critics who have blasted the firm for everything from its substandard security to an indefensible delay in alerting tens of millions of customers -- many of them children -- that personal and credit records were stolen. "Forty-three percent (of companies) notify victims within a month," a feisty Stringer told reporters last week in his first public statement since the April break-ins. "You're telling me my week wasn't fast enough?"
It was a bizarre statistical crutch to rely upon to defend what's widely considered one of the worst network security gaffes in history. Why compare your firm to average companies? Especially when New York's Attorney General and Congress are demanding Sony turn over detailed information about its security breakdown. Like how it allowed hackers to steal the names, addresses, email addresses, birthdays, and PlayStation Network login details of over 100 million customers.
But Stringer's most surprising plot twist was to attempt to divert scrutiny of Sony's problems with a wild claim of impending doom. Stringer told the media that one day hackers may strike at the power grid, air traffic controllers, or the global financial system.
Is Stringer Rumpelstiltskin? Hackers have been attacking the Internet and high-tech companies for more than two decades. In 1990, I wrote about Robert Morris, the Harvard graduate who launched the first Internet worm, a science experiment gone awry that disabled a large chunk of the budding network. In the mid '90s I wrote The Fugitive Game and The Watchman, two books about the hackers, Kevin Mitnick and Kevin Poulsen, that showed the deep vulnerability of the Internet and major corporations to criminal intrusions.
Every major firm doing business on the Internet knows that their potential -- and Achilles' heel -- is the Internet. Google, Facebook, Microsoft and hundreds more corporations have known this for a very long time. The Internet makes these companies billions in profit. Doing business responsibly on the Internet -- and taking extraordinary care for the personal records and privacy of your customers -- is nothing short of a sacred duty.
Quite simply, Sony abandoned its duty, and Stringer is steaming mad about that internal breakdown because he knows that it threatens Sony's future. The timing couldn't be worse. This week Sony posted a $3.2 billion loss, due in part to the March earthquake and tsunami. The CEO has declared that Sony did everything possible to prevent the break-ins. That is denial. We've seen this broken narrative before. It is not taking the high road. It does not work. Congress, investigative journalists and hackers will eventually reveal the truth, and it will prove even more costly to the company's tattered reputation (Experts have already predicted the breach will cost Sony nearly $1 billion). We will learn that Sony engineers and officials knew of inherent internal weaknesses. That it had plans to roll out a new, more secure system. That it could have taken far more steps to prevent or reduce the harm to its customers.
Sony's story won't play. It won't play because it is not authentic, and it won't play because Stringer can't seem to remember his own narrative. Security -- and honest communication -- requires consistency. In the same week that Stringer declared the attacks on Sony had ushered in a "bad new world," he called the crisis "a hiccup in the road to a network future."
Which is it -- trivial or cataclysmic? And what a strange, disconnected way to talk about a potential disaster for tens of millions of Sony customers? Would you like threats to your financial and personal security to be seen by Sony as nothing more than a hiccup?
And what of Stringer's suggestion that the future does not hold "a brave new world" but a "bad new world?" On top of everything else, Stringer apparently is ignorant of the meaning of a "brave new world." In reaching for a sound bite, Sony made another gaffe.
Perhaps the embattled CEO or someone on his communications team should have bothered to read the Wikipedia page on Aldous Huxley's 1932 book, Brave New World. Stringer shot himself in the foot. Huxley himself described Brave New World as a "nightmare." The Wikipedia page says that the dystopian sci-fi novel explored the "fear of losing individual identity in the fast-paced world of the future."
Indeed.
Jonathan Littman is the co-author of the Ten Faces of Innovation and the Art of Innovation. He is the founder of Snowball Narrative.
Yesterday, I went to Sony's online store (sonystyles.com) to order something that is not yet available elsewhere. As I was going through the checkout procedure they asked if I wanted to leave my credit card info on file with them. They explained that doing so would make future orders go faster, and they offered the "reassurance" that the info would be secure and that in any event they would delete it after 25 months of inactivity or after the expiration date on the card.
Needless to say I chose the "do not leave your info on file" option!!!!
Peeps just need to relax the sensationalism here, if you are going to have expertise about security bring some facts to the table and don't just hold Stringer up as the boogey man, when the hackers are the ones that deserve our ire. They participated in digital breaking and entering. It wasn't like Sony left a door open that said come in. They clearly broke the law here, Sony is a victim of being successful.
It's only a matter of who the target is and not necessarily how much money you have tied up. You really think that $50 per year per user is going 100% to security? That is a major profit center for MS. You pay for the same network that PSN enjoys for free minus cross game chat.
PSN has a premium network service that is similarly priced, so Sony has similar revenue streams for the PSN beyond the value it brings. Your comment reeks of Xbox fanboyism.
I think that's a very big deal, and yes it's good that they are finally taking some positive steps but only after the 100 million horses left the barn.
Privacy vulnerabilities of this scope by major corporations are catastrophic. It's like a massive, illegal chemical spill. The consequences affect millions of people and government and consumer groups need to investigate to get all the facts.
Are you saying they weren't serious about taking GeoHots to court to protect their intellectual property the PS3 Root Key? Funny how that bit of reverse engineering (clearly violating laws) that people were so quick to dismiss as hackers looking to establish an open PS3 was used for such malice.
So PS3 gets hacked, Sony extends their legal wing to try to rein in the situation, which leads to a DDOS attack on Sony that works as cover for a real intrusion.
I would like to see how HuffingtonPost would fare if they were the target of such an attack.
Would I be allowed then to say you guys are not serious about security because you became the target of a coordinated attack by several hundred hackers?
Please just because you don't like Sony doesn't mean you have to give cover to the people who hacked the PSN.
"I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk," said Spafford during the eCommerce conference that was held in regards to consumer information security. Places like CNN, MSNBC, and even the Huffington Post spread that rumor as fact when the facts are actually against you. The exact same thing happened regarding the "plain text" credit card information which was also false. To assume that this couldn't happen to anyone else is ignorant and constantly shoving down a company because of it, doesn't help anyone, including your credibility. They had adequate security, both via client and server.
Sony is providing insurance up to a million dollars and a 12 month identity fraud protection gratis. That is more than any other company has ever given.
Stringer has a reason to be mad, mad at the hackers for attacking his company and customers and at the media for spinning the facts.
Of course any company can be hacked that is online. That isn't the point. The point is minimizing that risk and minimizing the damage from a successful attack. Just because the CC details were encrypted does not mean the attackers got nothing useful on the many PSN customers, myself included. That risk should have been minimized and the data that was compromised should have been minimal.
You also have to look at their security from the perspective of what happened once the hackers were inside. They were allowed to tunnel into other areas that clearly were not separated well enough or security internally was poor (reused passwords, unencrypted connections, bad permissions, etc.).
To make matters even worse it seems the Sony CEO is clearly simple minded.
Never let the facts get in the way of a good story right?