This story appeared on Network World Fusion at http://www.nwfusion.com/columnists/2002/0415bradner.html

'Net Insider: Your confession is good for us
By Scott Bradner
Network World, 04/15/02

Do you tell anyone when your company gets hacked? According to an FBI-run survey released April 7, people increasingly answer this question "no." This is clearly not good news if there is any benefit to prosecuting hackers. It also is not good for many other reasons.

The FBI survey was the seventh in an annual series and involved 503 U.S. government agencies and companies, including universities and medical and financial institutions. Most readers would find the results discouraging. Almost all - 90% of the survey respondents - said their computers had been attacked within the past year, but only 34% said they reported the attacks.

The high level of attacks is not unexpected, actually - I suspect that the percentage is not higher only because some attacks were not detected. But the low level of reporting, even lower than what was found last year, is not good for the security of the 'Net.

Attacks are frequently not reported because of a fear of bad publicity and, I expect, because of a fear of potential liabilities if information about third parties, such as customers, was exposed. But there is real money involved here. The half of the survey respondents who were willing to talk about their losses said they lost an average of $1.8 million each because of these attacks. This is a significant increase from last year.

The lack of companies reporting attacks makes it harder for authorities to identify patterns of attacks or to prosecute the attackers. It also makes it harder for vendors to know what security vulnerabilities to work on and harder for groups such as CERT (www.cert.org) to develop advice on network designs or device configuration to minimize the vulnerability to attackers.

Doing security correctly can be hard. Consider, for example, the U.S. Department of the Interior. Many of its computers are still disconnected from the Internet four months after a judge ordered them to be disconnected until they were secure. But trying to get security right in the dark is even harder.

The victims in many of the attacks were organizations, but there were often other victims as well. Personnel records on employees and histories of customer interaction, complete with credit card information, were also exposed.

It is not good for society or in the long-term interests of an organization to not report attacks on organizational resources. But it should be cause for criminal liability (such as jail time) to fail to report to authorities cases where information about third parties, including employees, customers and others, has been exposed. It also should be cause for criminal liability to not individually inform the people whose information was exposed about the incident and the level of exposure. I need to know if some hacker got my credit card number because some vendor Web site was poorly configured or was using buggy software and the operators were slow to apply security updates.

When you are in the middle of an incident it seems quite reasonable to keep potentially embarrassing news out of the press. But think twice. Be sure that covering up for an attacker, whether a disgruntled employee or industrial spy, is really the right thing to do.

Disclaimer: Because Harvard never does anything embarrassing, the above must be my own exhortation.

All contents copyright 1995-2002 Network World, Inc. http://www.nwfusion.com