Embattled electronics giant Sony is bringing on some heavy guns as it hired former Homeland Security director to head up its security.
Philip Reitinger, former director of the United States
National Cyber-Security Center, a division of the Department of Homeland
Security, will be joining Sony as a chief information security officer, Sony
said Sept. 6.
The appointment is effective immediately and Reitinger will
become a senior vice-president, reporting directly to general counsel Nicole
Seligman, according to Sony.
Shortly after unknown attackers breached
the PlayStation Network
and Qriocity music and video service, Sony said it would
name a chief information security officer to oversee the company's security
strategy. Reitinger will fill this newly created position and will oversee
privacy and Internet security across the electronics and entertainment
conglomerate's range of businesses.
"He will oversee information security, privacy and
Internet safety across the company, coordinating closely with key headquarters
groups and working in partnership with the information security community to
bring the best ideas and approaches to Sony," said Sony in a statement.
Attackers breached Sony's servers to steal user account
information from PSN, SOE and Qriocity in mid-April and early May. Sony claimed
the breach had occurred while the company was distracted by the
distributed-denial-of-service attacks from Anonymous protesting the company's
lawsuit against PlayStation 3 hacker George "GeoHot" Hotz.
Gene Spafford, a Purdue University professor of computer
science who is head of the U.S. Public Policy Council of the Association for
Computing Machinery and the executive director of the Center for Education and
Research in Information Assurance and Security testified before Congress that Sony
was running an obsolete version of the Apache
Web server software and did
not have any firewalls in place. The services remained offline for nearly a
month as Sony worked to rebuild the infrastructure, but issues remained on its
other properties, as hacker groups such as LulzSec amply demonstrated in May.
Sony CEO Howard Stringer told the Wall Street Journal
shortly after the breaches became public that "nobody's system is 100
percent secure," and that these types of attacks were inevitable in the
current security landscape. "It's not a brave new world; it's a bad new
world," Stringer told the newspaper at the time.
The outage and the subsequent rebuilding may have already cost
Sony approximately $175 million
Security experts and industry watchers criticized Sony for
not having had a CISO prior to the breaches. "How can a worldwide company
with billions in revenue and an even larger market cap not have a CISO? It
boggles the mind," Phil Blank, an analyst in the security,
risk and fraud practice area at Javelin
Strategy & Research
, wrote on the market research firm's blog in May.
The company has not directly responded to the criticism,
just saying it would review and update its online security systems. It has also
promised new security measures, including new firewalls, "automated
software monitoring and configuration management" to defend against new
attacks, Sony has also said it will provide "enhanced levels" of data
protection and encryption and "enhanced ability" to detect software
intrusions within the network as well as unauthorized access and unusual
activity patterns. .
Not having a CISO meant that "Sony's entire network and
application architecture must be considered suspect," as there was no
infrastructure in place to ensure that governance, risk and compliance was
taking place, according to Blank. It was clear that the lack
of security awareness
went "far beyond" just the compromised
cloud services, but was "built-in to every Sony Web presence," Blank
The company claimed the security issues were in the past at
the IFA consumer electronics conference in Berlin, Germany earlier this
month. "This year, we at Sony have been
flooded, we've been flattened, we've been hacked, we've been singed, but the
summer of discontent is behind us," Stringer said at a press conference,
referring to the devastating earthquake in Japan and the data breaches.
PSN is "more secure and better than ever," Stinger
said, claiming that the company has added more than 3 million new customers
since the networks were restored in mid-May.
The breaches were a "catalyst" for appointing
Reitinger, a Sony spokesperson told Reuters, adding, "We are looking to
bolster our network security even further." Reitinger is expected to start
a formal review of Sony's computer networks, the company said.
Reitinger was a chief trustworthy infrastructure strategist
at Microsoft and deputy undersecretary of the National Protection and Programs
Directorate at the Department of Homeland Security before being named as
director of NSCS. He left DHS in May after the White House released its
cyber-security proposal for Congress. He also worked on cyber-security for the
Justice and Defense Departments.