In a recent speech, FBI Director Robert Mueller cited a Computer Security Institute/FBI report claiming that only 20 percent of companies hacked report the incidents to law enforcement authorities.
We know that you have practical concerns about reporting breaches of security. You may believe that calling us will adversely impact your organization’s image and competitive position in the marketplace. You may need to protect confidential information to maintain the trust of your customers and clients.
We know that putting on raid jackets and rushing in may not be the best way to get the job done. We need to minimize the disruption to your business and protect your interests. But we must find a way to stop these attacks. Maintaining a code of silence will not benefit you or your company in the long run.
President Reagan once said, “To sit back, hoping that someday, some way, someone will make things right is to go on feeding the crocodile, hoping he will eat you last--but eat you he will.”
Our safety lies in protecting not just our own interests, but our critical infrastructure as a whole. There are cyber criminals who will hit company after company. Disgruntled employees who will use knowledge gained on the job against their employers. Terrorists who may attempt to harm our infrastructure in a multitude of ways. We cannot continue to feed the crocodile.
Mueller's call for disclosure of incidents will fall mostly on deaf ears, however. The private sector doesn't want to disclose its dirty laundry if it can help it. In the case of CardSystem Solution's breach in May that exposed more than 40 million credit card accounts, the FBI was promptly notified, but for garden variety breaches where the cost is quantified in downtime or maintenance fees from cleaning up viruses or unwanted intrusions, there is less incentive to bring it to the attention of law enforcement or shareholders. That's unfortunate, given the advantages of being able to gather more rather than less data on cyberattacks, and finding patterns in the criminal activity that could lead to faster resolutions.
At the same time, the report also determined that, based CSI/FBI surveys, financial losses from cyberattacks declined 61 percent from last year, accounting for an estimated $130 million in losses. Virus attacks are the most prevalent attacks, followed by unauthorized access, theft of proprietary information and denial of service attacks.