The following text is copyright 2002 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Your confession is good for us


By Scott Bradner


Do you tell anyone when your enterprise gets hacked?  According to an FBI-run survey released April 7, the answer is increasingly "no".  This result is clearly not good news if there is any benefit to prosecuting the hackers.  It is also not good news for many other reasons.


The FBI survey was the seventh in an annual series and involved 503 US government agencies and companies, including universities as well as medical and financial institutions.  Most readers would find the results discouraging.  Almost all (90%) of the survey respondents said that their computers had been attacked within the past year, but only 34% said that they had reported the attacks.  The high level of attacks is actually not unexpected; I suspect that the percentage is not higher only because some attacks went undetected.  But the low level of reporting, even lower than what was found last year, is not good for the security of the Net.


Attacks are frequently not reported because of a fear of bad publicity and, I expect, because of a fear of potential liability if information about third parties, such as customers, was exposed.  But there is real money involved here.  The half of the survey respondents who were willing to talk about their losses said they lost an average of $1.8 million each to these attacks, up significantly from last year.  Not reporting the attacks makes it harder for the authorities to see whether there are any patterns to the attacks or to prosecute the attackers.  It also makes it harder for vendors to know which security vulnerabilities to work on, and harder for groups like the Computer Emergency Response Team (CERT - www.cert.org) to develop advice on network designs or device configurations that minimize exposure to attackers.


Doing security correctly can be hard; see, for example, the US Department of the Interior.  Many of the department's computers are still disconnected from the Internet four months after a judge ordered them disconnected until they were secure.  But trying to get security right in the dark is even harder.


The victims in many of the attacks were the organizations themselves, but there were often other victims as well.  Personnel records on employees, as well as histories of customer interactions complete with credit card information, were also exposed.


To me, it seems that failing to report attacks on organizational resources is neither good for society nor in the long-term interest of the organization.  More than that, in my opinion, failing to report to the authorities cases where information about third parties, including employees, customers and others, has been exposed should carry criminal liability (i.e., jail time).  So should failing to individually inform the people whose information was exposed about the incident and the extent of the exposure.  I need to know if some hacker got my credit card number because some vendor web site was poorly configured or was running buggy software and the operators were slow to apply security updates.


When you are in the middle of an incident, it seems quite reasonable to keep potentially embarrassing news out of the press, but think twice.  Be sure that covering up for an attacker, whether a disgruntled employee or an industrial spy, is really the right thing to do.


Disclaimer:  Since Harvard never does anything embarrassing, the above must be my own exhortation.