Business Technology: If You Get Hacked, Are You A Victim Or A Culprit?
Why do many companies not report cyberattacks, Bob Evans asks? Why does FBI Director Mueller say it's time to cut back on highly intimidating raids of companies that have been hacked? Why is some legislation having the exact opposite effect of what was intended?
Bot Attacks U.S. Media GiantsAug. 16, 2005 CNN reported late Tuesday that a worm had hit computers in its newsroom, those at ABC and the New York Times....
So say one of these bot-buggers makes it way inside your network. What would that make you: a victim, or a culprit?
Now, hold on, hold on; we're not talking here about what's "just" -- that would make it an easy question to answer. No, what we're talking about isn't what's just or right, but what's legal. So if you get botted, are you at fault? Are you to blame because your environment wasn't bulletproof? And does the potential exposure of customer data turn you completely from innocent victim to reckless bad guy?
Some recent developments are tilting things in the direction of you getting the bad-guy tag -- the California law mandating that companies based in that state report breaches of IT systems where customer data could be exposed has a good chance of becoming the law of the land . Can you say "chilling effect"? It's gotten so intense that the head of the FBI is launching an effort to persuade reluctant or even recalcitrant execs whose companies have been cyberattacked to come forward.
Consider this anecdote about FBI Director Robert Mueller's recent remarks from a story on InformationWeek.com: "Most businesses do not report cyberattacks to law-enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said."
While it's not likely that an RFID tag embedded in a package of disposable razors is going to pose a whole lot of data-theft risk to consumers (we'll leave the privacy issues to another discussion), long-standing plans for RFID-enabled loyalty cards, credit cards, and passports, to say nothing of a potential national ID card, must have identity thieves drooling in anticipation.
-- Tony Kontzer, InformationWeek blog, Aug. 16
The story from the Associated Press goes on: "This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, where private companies share security tips and expertise with the FBI."
So we've got very bad things happening with cyberterrorism, but in our legislative rush to do something -- anything! Even if it's counterproductive, just do something! -- about it, we've begun setting up a series of legal and possibly punitive consequences that could very well trigger the exact opposite of the result that was intended.
This isn't some flighty hypothetical exercise in graduate school -- this is happening right here, right now. Reflect once more on the ideas expressed by the director of the FBI: Most businesses don't report cyberattacks to law-enforcement authorities because they're afraid the disclosure could hurt them and help their competitors, and this reluctance is stiffening as the problems get worse: identity theft is growing, and terrorists are increasingly using the Internet.
Mueller based his comments on a recent survey the FBI conducts each year with InformationWeek sibling Computer Security Institute , and this year's results show that the percentage of businesses reporting cyberbreakins in 2004 has held steady the past several years at 20%.
But wait -- didn't Mueller say the attacks are growing in number and severity? So if there are more incidents of cybercrime, why is the number of reported incidents flat? What in the wide, wide world of convoluted thinking have we created here?
Perhaps Mueller's promise of a kinder, gentler FBI approach to such victims/culprits could help: "We also recognize that putting on raid jackets and rushing in may not be the best answer in situations such as those," Mueller said in the AP story. Gee, that's a nice start, but could Mueller get off the fence a bit and give executives a real reason to get behind his proposal by changing "may not be the best answer" to "is definitely not the best answer"?
Mueller urges companies to drop the "code of silence," and in an absolute sense, that's a reasonable suggestion. But it seems to me that he's completely off base if he expects that companies who have already been attacked will put themselves at an even greater disadvantage by reporting the crime and thereby setting themselves up to be treated as perps rather than victims. Your move, Director Mueller.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.