'No shame' in admitting to cyber-damage, says BIS

Science minister David Willetts has urged businesses to overcome their shame about suffering cyberattacks, to help the UK with its defences.

Science minister David Willetts has urged businesses to be more open about the cyberattacks they experience. Photo credit: BIS

A central plank of government plans to combat such attacks — laid out in the UK Cyber Security Strategy — relies on businesses sharing data about attempts. However, companies are reticent about admitting that they have been attacked or breached, due to the potential impact on shareholder and investor confidence.

Willetts, who is the minster responsible for cyber-strategy at the Department for Business, Innovation and Skills (BIS), on Tuesday urged enterprises to come forward and share information about threats and attacks on their systems.

"I would urge companies to be frank about what is happening," Willetts said in a keynote speech at the Infosecurity Europe 2012 conference. "I want to see British business, whatever sector of the economy they are in, being much more open about their experience of cyberthreats."

However, Willetts told ZDNet UK that firms should not hold back from telling others they have been a target.

"There is no shame in admitting publicly you have been subjected to a cyberattack," he said at the event. "Companies should be willing to share openly. It increases awareness."

There is no shame in admitting publicly you have been subjected to a cyberattack. Companies should be willing to share openly.

– David Willetts

Many UK and US companies are wary of disclosing sensitive data to competitors and the public sector, according to security expert Robert Freeman, manager of IBM's X-Force research.

"There are a lot of problems with sharing information, including a lack of interest [on the part of businesses] in sharing," Freeman told ZDNet UK at the London conference. "You see incremental data leaking out about attacks."

Freeman said one way around this problem is to have a contract between the organisations sharing data, to limit its exposure. He gave the example of IBM, which puts a contractual obligation on certain parts of its business not to share certain types of information with other parts.

In addition, some companies are concerned about the 'red tape' they could face if they begin sharing data with public-sector bodies, Freeman noted.

Public disclosure

Willetts told the Infosec audience that the government sees problems in the way the financial sector currently reports breaches. More public disclosure of data leaks would give investors a clearer picture of financial institutions, he said.

The minister added that the UK defence industry acknowledges attempts on government bodies. "When you talk to people in the defence area, everyone accepts they are under cyberattack," he said.

The government is in the process of setting up 'nodes' to share information between public and private-sector organisations, with GCHQ acting as a hub. The majority of UK companies taking part will not interact directly with GCHQ or the intelligence agencies, Willetts noted; instead, the nodes will act as a buffer.

"There is a limit to the number of organisations the security agencies can or will directly communicate with," he said. "The idea of the [nodes] is to provide protection."