Kaz Hirai's letter to Congress on the PSN breach
Thirteen questions from the Congressional hearing on security breaches answered by Sony boss
What follows is a full transcript of the letter from SCEA president Kaz Hirai to the House Subcommittee on Commerce, Manufacturing and Trade, which is currently addressing the issue of recent online security breaches, including that suffered by Sony.
The letter is a response to a previous communication from Bono Mack and Butterfield, asking for answers to thirteen questions on the circumstances of the attack and Sony's response to it.
Dear Chairman Bono Mack and Ranking Member Butterfield:
Thank you for giving me this Opportunity to respond to questions from the House Energy and Commerce Committee, Subcommittee on Commerce. Manufacturing and Trade.
Sony now fares a large-scale cyber-attack involving the theft of personal information.
This cyber-attack came shortly after Sony Computer Entertainment America was the subject of denial of service attacks launched against several Sony companies and threats made against both Sony and its executives in retaliation for enforcing intellectual property rights In U.S. Federal Court.
We are currently dealing with all aspects of this cyber-attack and have our personnel deployed and working around the clock to get the systems back up and to make sure all our customers are informed of the data breach and our responses to it. We expect to restore most services to our customers shortly. We have received so far no confirmed reports of illegal usage of the stolen information.
In dealing with this cyber-attack, the company has operated on the basis of several key principles:
1. Act with care and caution.
This is why Sony Network Entertainment America Inc. ("Sony Network Entertainment America"), which operates the PlayStation Network and Q-riocity services (collectively, "PlayStation Network"), has taken the almost unprecedented step Of shutting down the affected systems as soon as threats were detected and is keeping them down even at substantial cost to the company, until all changes to strengthen security are completed. We have tried to err on the side of safety and security in making these decisions and judgments.
2. Provide relevant information to the public when it has been verified.
Sony Network Entertainment America immediately hired a highly regarded information technology security firm and Supplemented that firm with additional expertise and resources Over several days Sony Network Entertainment America then released information to its consumers when we and those experts believed that information was sufficiently confirmed. The truth Is that retracing the Steps of experienced cyber-attackers is a highly complex process that takes time to carry out effectively. At the same time that the experienced attackers were carrying out their attack, they also attempted to destroy the evidence that would reveal their steps.
3. Take responsibility for our obligations to our customers.
We have apologized for the inconvenience caused by the illegal intrusion Into our systems and offered a free month of service in addition to the number of days the systems are down as pan of a "Welcome Back" program for our customers. We are also offering our customers in the U.S. complimentary identity theft protection services.
4. Work with law enforcement authorities to assist in the apprehension of those responsible and cooperate with all authorities on meeting our regulatory requirements.
One of our first calls was to the FBI, and this is an active, on-going investigation. I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers. I hope you can appreciate the extraordinary nature of the events the company was facing - brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable. I believe that after you review all the facts you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers.
We have been investigating this intrusion around the dock since we discovered it, and that investigation continues today. Just this past Sunday, May 1st, we learned that a likely theft from another Sony company's online service had previously gone undetected, even after highly trained technical teams had examined the network infrastructure that had been attacked around the same time as the PlayStation Network. What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and Credit card information for illegal purposes.
Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point. When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file on one of those servers named "Anonymous" with the words "We are Legion." Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group Called Anonymous.
The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker. While protecting individuals personal data is the highest priority, ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and also find ways to combat cybercrime and cyber terrorism.
Almost two weeks ago, one or more cyber criminals gained access to PlayStation Network servers at or around the same time that these servers were experiencing denial of service attacks. The Sony Network Entertainment America team did not immediately detect the criminal intrusion for several possible reasons. First, detection was difficult because of the sheer sophistication of the intrusion. Second, detection was difficult because the criminal hackers exploited a System software vulnerability. Finally, our security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly - all perhaps by design.
Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks Should understand that - whether they knew it or not - they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world. Making the Internet safe for entertainment, commerce and education is a paramount government interest. The criminal cyber-attacks on Sony have been and will continue to be perpetrated on other companies as well.
If not addressed, these types of attacks could become commonplace. Creating more stringent guidelines for maintaining and policing storage of personal information may be necessary in our current climate, but, make no mistake, without addressing the need for strong criminal laws and sanctions and, most importantly, enforcement of these laws, there will not be any meaningful security on the Internet.
Sony is grateful for the assistance it has received from law enforcement and appreciates this opportunity to raise these issues with this Committee as it considers how to build an environment where social networks and commerce on the Internet can develop uninhibited by security risks.
Turning to Sony's responses to the Committee's questions:
1. When did you become aware of the Illegal and unauthorized Intrusion?
On April 19, 2011 at 4:15 p.m. PDT, members of the Sony Network Entertainment America network team detected unauthorized activity in the network system, specifically, that certain systems were re-booting when they were not scheduled to do so.
The network service team immediately began to evaluate this activity by reviewing running logs and analyzing information in order to determine if there was a problem with the system. On April 20, 2011, in the early afternoon, the Sony Network Entertainment America team discovered evidence that indicated an unauthorized intrusion had occurred and that data of some kind had been transferred off the PlayStation Network servers without authorization. At the time, the network service team was unable to determine what type of data had been transferred, and they therefore shut the PlayStation Network system down.