Infrastructure // Unified Communications
Commentary
8/19/2005
02:40 PM
Bob Evans
Bob Evans
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Business Technology: If You Get Hacked, Are You A Victim Or A Culprit?

Why do many companies not report cyberattacks, Bob Evans asks? Why does FBI Director Mueller say it's time to cut back on highly intimidating raids of companies that have been hacked? Why is some legislation having the exact opposite effect of what was intended?

Bot Battle Brewing Aug. 17, 2005
Think the Zotob bot worm sparked a mess? Just wait....

FTC Nails Credit Report Firm For $950,000 Aug. 17, 2005
...The deal is part of a crack down on so-called "imposter" sites of Annualcreditreport.com....

Bots Infest 175 Companies In Year's Biggest Attack Aug. 17, 2005
...Security experts estimated that so far more than 175 corporations have been hit with malicious code....

Bot Attacks U.S. Media Giants Aug. 16, 2005
CNN reported late Tuesday that a worm had hit computers in its newsroom, those at ABC and the New York Times....


So say one of these bot-buggers makes it way inside your network. What would that make you: a victim, or a culprit?

Now, hold on, hold on; we're not talking here about what's "just" -- that would make it an easy question to answer. No, what we're talking about isn't what's just or right, but what's legal. So if you get botted, are you at fault? Are you to blame because your environment wasn't bulletproof? And does the potential exposure of customer data turn you completely from innocent victim to reckless bad guy?

Some recent developments are tilting things in the direction of you getting the bad-guy tag -- the California law mandating that companies based in that state report breaches of IT systems where customer data could be exposed has a good chance of becoming the law of the land . Can you say "chilling effect"? It's gotten so intense that the head of the FBI is launching an effort to persuade reluctant or even recalcitrant execs whose companies have been cyberattacked to come forward.

Consider this anecdote about FBI Director Robert Mueller's recent remarks from a story on InformationWeek.com: "Most businesses do not report cyberattacks to law-enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said."

OTHER VOICES
While it's not likely that an RFID tag embedded in a package of disposable razors is going to pose a whole lot of data-theft risk to consumers (we'll leave the privacy issues to another discussion), long-standing plans for RFID-enabled loyalty cards, credit cards, and passports, to say nothing of a potential national ID card, must have identity thieves drooling in anticipation.

-- Tony Kontzer, InformationWeek blog, Aug. 16



The story from the Associated Press goes on: "This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, where private companies share security tips and expertise with the FBI."

So we've got very bad things happening with cyberterrorism, but in our legislative rush to do something -- anything! Even if it's counterproductive, just do something! -- about it, we've begun setting up a series of legal and possibly punitive consequences that could very well trigger the exact opposite of the result that was intended.

This isn't some flighty hypothetical exercise in graduate school -- this is happening right here, right now. Reflect once more on the ideas expressed by the director of the FBI: Most businesses don't report cyberattacks to law-enforcement authorities because they're afraid the disclosure could hurt them and help their competitors, and this reluctance is stiffening as the problems get worse: identity theft is growing, and terrorists are increasingly using the Internet.

Mueller based his comments on a recent survey the FBI conducts each year with InformationWeek sibling Computer Security Institute , and this year's results show that the percentage of businesses reporting cyberbreakins in 2004 has held steady the past several years at 20%.

But wait -- didn't Mueller say the attacks are growing in number and severity? So if there are more incidents of cybercrime, why is the number of reported incidents flat? What in the wide, wide world of convoluted thinking have we created here?

Perhaps Mueller's promise of a kinder, gentler FBI approach to such victims/culprits could help: "We also recognize that putting on raid jackets and rushing in may not be the best answer in situations such as those," Mueller said in the AP story. Gee, that's a nice start, but could Mueller get off the fence a bit and give executives a real reason to get behind his proposal by changing "may not be the best answer" to "is definitely not the best answer"?

Mueller urges companies to drop the "code of silence," and in an absolute sense, that's a reasonable suggestion. But it seems to me that he's completely off base if he expects that companies who have already been attacked will put themselves at an even greater disadvantage by reporting the crime and thereby setting themselves up to be treated as perps rather than victims. Your move, Director Mueller.

Bob Evans
Editorial Director
bevans@cmp.com


To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.

To find out more about Bob Evans, please visit his page on the Listening Post.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.