In the latest in an ever-growing number of massive cyber security breaches, the Sony PlayStation Network (PSN) and Online Entertainment Services were hacked for more than 100 million names, addresses, IDs, passwords and possibly credit card numbers, according to the Wall Street Journal (16th May). The worrying part of this account is “possibly”, since it leaves customers, the market and regulators with uncertainty.
Time and again, companies have been criticized for delaying disclosure of the details of such breaches to the public. In some cases it is because they simply do not know how far the information theft has gone; in other cases it is a management strategy that, when exposed, badly misfires. Banks know this well. They are past masters at non-transparency, fearing for the loss of their reputations as secure places to deposit money, instruments of wealth and information. Their problem, like that of credit card companies and many others, is outsourcing. Adding another link to the chain adds vulnerability, and it surfaces all too often.
The incredible aspect of the PSN saga is the scale and duration of the outage. One columnist in the Financial Times pointed out, ironically, that as a parent he welcomed time to talk to his children, who at other times were playing games. But if a network as commercially vital to Sony as PSN can be downed, it follows that should private hackers or terrorists or criminal gangs turn their attentions to public utilities, the consequences could be truly disastrous. It is generally recognized that certain states are experimenting with this type of cyber warfare; it was demonstrated recently in Iran. It is also widely recognized that criminal gangs use the threat of cyber-attack to extort money from vulnerable companies. Now President Obama has suggested international computer security standards (http://topics.nytimes.com/top/reference/timestopics/people/c/helene_cooper/index.html?inline=nyt-per) to be observed by all nations to underscore the seriousness of what Sony CEO Howard Stringer has described as “the bad new world” of cybercrime. (Wall Street Journal 18th May)
The problem will not diminish. On the contrary, where opportunity and motivation are rife, the dangers will grow. This is not the real problem, because these circumstances are givens. The real problem is catch-up. The bad guys will always be one step ahead unless serious resources are put into scenario planning; if not, the good guys will always be fighting last year’s battle. Good guys have to ‘think’ like bad guys, and companies must abandon the idea that they can simply outsource cyber security to the experts. Every company with something to lose, and every utility with a public interest role to play, needs to resource a unit to plan scenarios, examine the consequences and design firewalls and strategies that have a decent chance of working. There are servicing and marketing opportunities for IT companies here, but they go beyond the simple idea of either outsourcing or selling safe systems; rather, IT companies need to establish partnerships of deeper and longer-lasting collaboration with their customers.
But like fire drills, everyone else in the company is likely to see this as a diversion from their ‘real’ business. Maybe Sony or MS can come up with a corporate game that gives managers options to take out risk insurance or not. Problem is, players won’t be able to play if their network goes down.