Why do many companies not report cyberattacks, Bob Evans asks? Why does FBI Director Mueller say it's time to cut back on highly intimidating raids of companies that have been hacked? Why is some legislation having the exact opposite effect of what was intended?

Bob Evans, Contributor

August 19, 2005

Bot Battle Brewing Aug. 17, 2005
Think the Zotob bot worm sparked a mess? Just wait....

FTC Nails Credit Report Firm For $950,000 Aug. 17, 2005
...The deal is part of a crackdown on so-called "imposter" sites of Annualcreditreport.com....

Bots Infest 175 Companies In Year's Biggest Attack Aug. 17, 2005
...Security experts estimated that so far more than 175 corporations have been hit with malicious code....

Bot Attacks U.S. Media Giants Aug. 16, 2005
CNN reported late Tuesday that a worm had hit computers in its newsroom, those at ABC and the New York Times....

So say one of these bot-buggers makes its way inside your network. What would that make you: a victim, or a culprit?

Now, hold on, hold on; we're not talking here about what's "just" -- that would make it an easy question to answer. No, what we're talking about isn't what's just or right, but what's legal. So if you get botted, are you at fault? Are you to blame because your environment wasn't bulletproof? And does the potential exposure of customer data turn you completely from innocent victim to reckless bad guy?

Some recent developments are tilting things in the direction of you getting the bad-guy tag -- the California law mandating that companies based in that state report breaches of IT systems where customer data could be exposed has a good chance of becoming the law of the land. Can you say "chilling effect"? It's gotten so intense that the head of the FBI is launching an effort to persuade reluctant or even recalcitrant execs whose companies have been cyberattacked to come forward.

Consider this anecdote about FBI Director Robert Mueller's recent remarks from a story on InformationWeek.com: "Most businesses do not report cyberattacks to law-enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said."

While it's not likely that an RFID tag embedded in a package of disposable razors is going to pose a whole lot of data-theft risk to consumers (we'll leave the privacy issues to another discussion), long-standing plans for RFID-enabled loyalty cards, credit cards, and passports, to say nothing of a potential national ID card, must have identity thieves drooling in anticipation.

-- Tony Kontzer, InformationWeek blog, Aug. 16

The story from the Associated Press goes on: "This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, where private companies share security tips and expertise with the FBI."

So we've got very bad things happening with cyberterrorism, but in our legislative rush to do something -- anything! Even if it's counterproductive, just do something! -- about it, we've begun setting up a series of legal and possibly punitive consequences that could very well trigger the exact opposite of the result that was intended.

This isn't some flighty hypothetical exercise in graduate school -- this is happening right here, right now. Reflect once more on the ideas expressed by the director of the FBI: Most businesses don't report cyberattacks to law-enforcement authorities because they're afraid the disclosure could hurt them and help their competitors, and this reluctance is stiffening as the problems get worse: identity theft is growing, and terrorists are increasingly using the Internet.

Mueller based his comments on a survey the FBI conducts each year with InformationWeek sibling Computer Security Institute, and this year's results show that the percentage of businesses reporting cyber break-ins in 2004 has held steady at 20%, where it has been for the past several years.

But wait -- didn't Mueller say the attacks are growing in number and severity? So if there are more incidents of cybercrime, why is the number of reported incidents flat? What in the wide, wide world of convoluted thinking have we created here?

Perhaps Mueller's promise of a kinder, gentler FBI approach to such victims/culprits could help: "We also recognize that putting on raid jackets and rushing in may not be the best answer in situations such as those," Mueller said in the AP story. Gee, that's a nice start, but could Mueller get off the fence a bit and give executives a real reason to get behind his proposal by changing "may not be the best answer" to "is definitely not the best answer"?

Mueller urges companies to drop the "code of silence," and in an absolute sense, that's a reasonable suggestion. But it seems to me that he's completely off base if he expects that companies who have already been attacked will put themselves at an even greater disadvantage by reporting the crime and thereby setting themselves up to be treated as perps rather than victims. Your move, Director Mueller.

Bob Evans
Editorial Director

Bob Evans is senior VP, communications, for Oracle Corp. He is a former InformationWeek editor.