Speaking to reporters at the start of the Consumer Electronics Show (CES) in Las Vegas this week, Hirai said that he personally signed off on all decisions Sony Pictures made in response to a data breach which resulted in the loss of thousands of confidential documents and the cancellation of showings of the controversial film The Interview. The film sees Seth Rogan and James Franco play journalists recruited by the CIA to kill North Korean leader Kim Jong-un.
“We are still reviewing the effects of the cyber-attack," Hirai said at the show. "However, I do not see it as something that will cause a material upheaval on Sony Pictures business operations, basically, in terms of results for the current fiscal year."
Sony Pictures said separately that The Interview, which cost US$ 44 million (£29 million) to make, has brought in $31 million (£20.5 million) in online, cable and satellite sales and was downloaded 4.3 million times between Christmas Eve (24 December) and January 4. It also apparently earned another $5 million (£3.3 million) at 580 independent cinemas showing the movie across North America.
Phil Cracknell, head of security and privacy services at Company85, said in an interview with SCMagazineUK.com that it made sense for senior business leaders to work on the remediation, and could help in the long-run.
“Without knowing the exact details of the remediation work that Hirai signed off, it makes sense that after an organisation has had a public breach that the senior leadership are compelled to act, so Sony should be a more resilient and secure network environment providing the improvements address any lessons learned from the attack,” he said.
“Businesses learn their best lessons the hard way; many CISOs have a daily battle to secure the funds to provide what they feel is the level of security commensurate with the value of the asset they are trying to protect. Senior leadership have experienced their security functions asking for a Rolls Royce when a Mini would be just as effective, and so it's only reasonable for them to challenge the shopping list. Equally, after an attack or a breach, there is often a temporary period of time during which defences are hardened at any cost (and that cost is often more than it would have been if the additional security had been implemented during normal business).”
Asked if Sony could truly not see any financial damage, Cracknell added: “…Given the additional defences - the company may retain customers and revenue and with the publicity around the Interview the whole thing may prove profitable.”
Alex Fidgen, commercial director at information security consultancy MWR, said that while Hirai is in a good position to see any financial impact, he's less likely to see other effects such as brand damage.
“As CEO, Kazuo Hirai is in the best position to judge whether the financial results for this year will be unaffected by the recent security breach. However, it is more likely that the non-tangible effects of the breach could impact against the next year's financial result via the loss of consumer confidence, and increased defensive spending overhead,” he told SC via email.
“His comments are also likely to be widely misinterpreted. This might result in further retaliatory action against Sony, by individuals, or groups wishing to prove that subsequent hacking will affect financial performance. Irrespective, it was a potentially brave statement to issue given the increased scrutiny Sony can expect, and the lengthening track record of the organisation with respect to well publicised security incidents. Time will tell.”
Meanwhile, top officials from the FBI and National Security Agency have said that ‘sloppy' attackers prove that North Korea is behind the attack, and suggested that the latter agency could developer stronger counter measures to these attacks in future.
Admiral Mike Rogers, head of the US Cyber Command, was speaking at a cyber-security conference in New York on Wednesday where he detailed the agency's role in the Sony investigation, which has largely saw it investigating the malware and looking at data samples, and also said that the NSA could develop strong counter-measures to these attacks in future.
"If it's a specific malware, for example, that we saw used in the Sony scenario, we partner with others using our technological expertise to write the programs that will counteract the malware," he said.
At the same conference, FBI director James Comey said that hackers had got ‘sloppy', as they had sometimes forgotten to use proxy servers to disguise their location.