Business Technology: If You Get Hacked, Are You A Victim Or A Culprit?
Why do many companies not report cyberattacks, Bob Evans asks? Why does FBI Director Mueller say it's time to cut back on highly intimidating raids of companies that have been hacked? Why is some legislation having the exact opposite effect of what was intended?
Bot Attacks U.S. Media GiantsAug. 16, 2005 CNN reported late Tuesday that a worm had hit computers in its newsroom, those at ABC and the New York Times....
So say one of these bot-buggers makes it way inside your network. What would that make you: a victim, or a culprit?
Now, hold on, hold on; we're not talking here about what's "just" -- that would make it an easy question to answer. No, what we're talking about isn't what's just or right, but what's legal. So if you get botted, are you at fault? Are you to blame because your environment wasn't bulletproof? And does the potential exposure of customer data turn you completely from innocent victim to reckless bad guy?
Some recent developments are tilting things in the direction of you getting the bad-guy tag -- the California law mandating that companies based in that state report breaches of IT systems where customer data could be exposed has a good chance of becoming the law of the land . Can you say "chilling effect"? It's gotten so intense that the head of the FBI is launching an effort to persuade reluctant or even recalcitrant execs whose companies have been cyberattacked to come forward.
Consider this anecdote about FBI Director Robert Mueller's recent remarks from a story on InformationWeek.com: "Most businesses do not report cyberattacks to law-enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said."
While it's not likely that an RFID tag embedded in a package of disposable razors is going to pose a whole lot of data-theft risk to consumers (we'll leave the privacy issues to another discussion), long-standing plans for RFID-enabled loyalty cards, credit cards, and passports, to say nothing of a potential national ID card, must have identity thieves drooling in anticipation.
-- Tony Kontzer, InformationWeek blog, Aug. 16
The story from the Associated Press goes on: "This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, where private companies share security tips and expertise with the FBI."
So we've got very bad things happening with cyberterrorism, but in our legislative rush to do something -- anything! Even if it's counterproductive, just do something! -- about it, we've begun setting up a series of legal and possibly punitive consequences that could very well trigger the exact opposite of the result that was intended.
This isn't some flighty hypothetical exercise in graduate school -- this is happening right here, right now. Reflect once more on the ideas expressed by the director of the FBI: Most businesses don't report cyberattacks to law-enforcement authorities because they're afraid the disclosure could hurt them and help their competitors, and this reluctance is stiffening as the problems get worse: identity theft is growing, and terrorists are increasingly using the Internet.
Mueller based his comments on a recent survey the FBI conducts each year with InformationWeek sibling Computer Security Institute , and this year's results show that the percentage of businesses reporting cyberbreakins in 2004 has held steady the past several years at 20%.
But wait -- didn't Mueller say the attacks are growing in number and severity? So if there are more incidents of cybercrime, why is the number of reported incidents flat? What in the wide, wide world of convoluted thinking have we created here?
Perhaps Mueller's promise of a kinder, gentler FBI approach to such victims/culprits could help: "We also recognize that putting on raid jackets and rushing in may not be the best answer in situations such as those," Mueller said in the AP story. Gee, that's a nice start, but could Mueller get off the fence a bit and give executives a real reason to get behind his proposal by changing "may not be the best answer" to "is definitely not the best answer"?
Mueller urges companies to drop the "code of silence," and in an absolute sense, that's a reasonable suggestion. But it seems to me that he's completely off base if he expects that companies who have already been attacked will put themselves at an even greater disadvantage by reporting the crime and thereby setting themselves up to be treated as perps rather than victims. Your move, Director Mueller.
The Agile ArchiveWhen it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
2014 Analytics, BI, and Information Management SurveyITís tried for years to simplify data analytics and business intelligence efforts. Have visual analysis tools and Hadoop and NoSQL databases helped? Respondents to our 2014 InformationWeek Analytics, Business Intelligence, and Information Management Survey have a mixed outlook.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 18, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."