Executive Summary
The private sector still hasn't overcome its fear of reporting computer security incidents, citing a backlash from customers, shareholders and even lawyers who might respond to a publicised security problem by withholding trade, selling stock or bringing suit. But many of these fears are based on misunderstandings. For example, law enforcement agencies don't make cases public until there's an arrest. It's customers and hackers who make incidents public.
Some fear any information shared with the government would be accessible through a US Freedom of Information Act request. In reality, an existing exemption already protects records compiled for law enforcement purposes. Another concern is that crime fighters will take away computers during an investigation. Forensics does take time, but officials seize the perpetrator's equipment, not the victim's.
STANLEY "STASH" JAROCKI doesn't act like the agreement he recently signed with the FBI's National Infrastructure Protection Center (NIPC) is a big deal. "It's a prenuptial — nothing exotic," says Jarocki, chairman of the Financial Services Information Sharing and Analysis Center (ISAC) and vice president of information security engineering at Morgan Stanley.
But, in fact, it's a huge deal. With the memorandum of understanding Jarocki signed last June, the ISAC — which was formed in 1999 to give financial companies a place to exchange information about security threats out of the earshot of regulators and law enforcement — has agreed to talk at least once a week to the NIPC, a law enforcement coordination agency.
So what caused the change of heart? Jarocki says it's because Ron Dick, head of the NIPC, is placing the agency's emphasis on preventing crime rather than on catching perpetrators. "Now if I call Ron's people up and say I've got a problem, I'm not necessarily going to have a guy with a gun and badge here tomorrow," says Jarocki. "He's changed things. I'll get a [computer] analyst before I get a criminal investigator." The NIPC has also offered the ISAC something in return for the information it shares about security threats such as unknown viruses or new kinds of attacks on firewalls: expertise in computer forensics and data analysis.
The agreement is good news for Dick. "When it was first created, the Financial Services ISAC indicated that it would share information amongst its members and receive information from the government but found it highly unlikely that they would ever share information back to the government," says Dick. "We have been able to demonstrate that we can protect that information, so certain sectors like the financial services sector have seen the value-added associated with two-way information sharing." For instance, last winter the NIPC briefed the ISAC on a newly discovered vulnerability in the common Simple Network Management Protocol (SNMP). Once the vulnerability became public, the ISAC stayed in touch about attacks on SNMP-based hardware and software.
Not that the ISAC members are ready to tell the government all. When members report security incidents to the ISAC, the information is stripped of identifying information, first by a software "scrubber" that erases trademarks, acronyms and other identifying information based on lists provided by members, and then by a human one. Even so, Jarocki says companies are nervous enough about inadvertently revealing weaknesses that they will refuse to share some kinds of information — such as diagrams of network architecture — until they're convinced that that information could not be accessed through a request under the Freedom of Information Act (FOIA). (See "Fact, Fiction and FOIA," below.)
"TO REPORT IT IS TO ADMIT IT"
While the June agreement between law enforcement and the financial services industry provides the government with what it's wanted for years — a window into the number and types of attacks on the nation's private computer networks — it also shines a light on the anxieties of American industry. Even in financial services, which is accustomed to filing mandatory "suspicious activity" reports with the US Treasury Department about possible money laundering, companies won't easily overcome their fear of reporting computer security incidents, both attempted attacks and actual crimes. "To report it is to admit it," says Sandy Goldstein, CIO and COO of Capsicum Group, the technology subsidiary of law firm Pepper Hamilton in Philadelphia. "To admit it is to say that you're not quite as secure as you want to think you are."
According to the most recent survey by the Computer Security Institute and the San Francisco FBI, only 36 per cent of respondents who experienced a computer intrusion reported it to law enforcement. Of those who didn't, 90 per cent wanted to avoid negative publicity, and 75 per cent feared that competitors would use the information to their advantage.
Executives say they fear backlash from customers, shareholders and even lawyers who might respond to a publicised problem by withholding their trade, selling their stock or bringing suit. And corporate executives are also not convinced that law enforcement is either capable enough or understands business well enough to help.
CIO set out to do a reality check on those concerns. Fears about incident reporting are the long-ignored monsters under the corporate bed. Some of those monsters can be stared down, and others still need to be tamed. But with national security under intense scrutiny, none of them can be ignored.
FEAR #1 I'LL CALL THE WRONG AGENCY.
Even the CIO of the Secret Service can't provide a clear answer about where the Secret Service's jurisdiction over computer crime ends and the FBI's begins. "It's spelled out in the US Code, the law of the land, Title 18," says Secret Service CIO Bob Buchanan. "As far as CIOs from private organisations not knowing if they're calling the right person or the right organisation, I think there's some truth in that. There are a lot of laws, and it's probably confusing."
Technically, in addition to its presidential duties, the Secret Service is charged with protecting the nation's financial systems. That makes fraud and counterfeiting investigations its domain; the FBI is charged with handling intrusions, physical threats and website defacement. In reality, jurisdictional issues are complicated enough that at least once a month a group of law enforcement officials comes together under the auspices of the NIPC to "deconflict" their investigations. Maybe the Secret Service is investigating a case in Los Angeles, the FBI has opened a case in Chicago, the Office of Special Investigations is looking into an incident in Florida — and all three trails lead to the same perpetrator. At this monthly meeting, the 22 organisations represented at the NIPC try to figure out whose job is what.
Sound complicated? Try being on the inside. "I don't believe there are any turf wars," Buchanan says. "I think there are some ambiguities that lead to people stepping on each other's toes."
Instead of worrying about the right person to call, officials agree that companies should get to know a local agent from any agency.
In some cities, the FBI's Infragard or the Secret Service's Electronic Crimes Task Force can help. Those groups have meetings where practitioners can meet local law enforcement officials outside of a crisis situation. (To find a local chapter of either group, visit www.infragard.net or www.ectaskforce.org. A directory of local law enforcement offices is also included in CIO's "Cyberthreat Response & Reporting Guidelines.")
"The FBI is a word to most people. You put a face on that," says Chicago Infragard member Willard S Evans Jr., vice president of information technology services for Peoples Energy. "In this vehicle, you can sit down; you can ask them questions. Now I'm confident I can pick up a phone and talk to someone who is of rank in the FBI about an issue."
REALITY CHECK: Build a relationship with an agent you can trust. Let him worry about jurisdictional issues.
FEAR #2 EVERYONE WILL FIND OUT.
Nobody wants to see his company's security problems plastered on the front page of The Wall Street Journal, so a lot of companies have latched onto a proposed exemption to the FOIA, long championed by US Senator Robert Bennett (R-Utah), as a condition for reporting security incidents. Companies fear that if they share security details with the government, that information could be made public through an FOIA request filed by competitors, journalists or watchdog groups. The proposed exemption, passed by the House in July and awaiting Senate debate at press time, would, they believe, guarantee that this information remains private.
Some people believe that any information shared with a government entity is accessible through an FOIA request and that the proposed exemption would protect everything. In reality, the exemption is intended to protect only information that has to do with the nation's critical infrastructure.
Whether or not the exemption becomes law, an exemption already exists to protect records compiled for law enforcement purposes. Agents are not likely to spill the beans voluntarily, either. Not only would that hurt their ability to prosecute criminals, it would damage their relationships with the companies they were working with.
So how do security incidents become generally known? With denial-of-service attacks or website defacement, the incidents are painfully public. Other times, the person who created the security breach steps forward to boast. Still other times, customers or employees volunteer information to journalists.
Of course, when an arrest is made, it becomes part of the public record. But then the company can celebrate the fact that it did the right thing by calling law enforcement. Christopher Painter, deputy chief of the Computer Crimes and Intellectual Property Section of the Department of Justice, points to one recent case: Bloomberg, the New York City-based news and financial information company, worked with the Justice Department to issue a press release about the arrest of a man who attempted to extort company founder (and current New York City mayor) Michael Bloomberg. "It can be a good moment for the victim, showing that they're taking action," Painter says.
REALITY CHECK: Law enforcement agencies don't make cases public until there's an arrest. It's customers and hackers who make incidents public.
FEAR #3 THEY'LL TAKE AWAY OUR COMPUTERS.
You report an incident and agents barge into your offices, slap yellow tape all over and cart off all your computers.
Of course, no one CIO spoke with for this story actually knows anyone this has happened to, but everyone seems to know someone who knows someone to whom it did.
"I know that's a perception out there, but I can't think of any incident where it's happened," says the NIPC's Dick. "It's our intent to minimise as much as we can the impact on operations."
In the past few years, law enforcement agencies have spent a considerable amount of money training computer forensics experts who can make mirrored images of affected drives and use backup tapes and logs of network machines.
Also, law enforcement agents seize the perpetrator's computers — not the victim's.
This is not to say you won't lose control in other ways. Doing forensics and gathering evidence takes time. Companies might have trouble getting access to, say, subpoenaed telephone records. But investigators will try not to get in the way of the business doing business. To do otherwise would be bad PR.
REALITY CHECK: The law takes away the perpetrator's computers — not the victim's.
FEAR #4 WE WILL END UP LOOKING BAD.
In the mid-'90s, in perhaps the biggest computer crime on record, Russian hackers transferred $US10 million from the accounts of Citibank corporate customers into their own pockets. Citibank executives notified the authorities, who worked quietly to identify and arrest then-34-year-old Vladimir Levin and recover all but $US400,000 of the stolen money. "Certainly Citibank had to explain what was going on to the customer base and how they were running security, but no customers left as a result, and as far as I know there was no loss in shareholder value at all," says former Citibank Chief Information Security Officer Stephen Katz.
So why, going on eight years later, is there still a stigma attached to being the victim of computer crime?
"People are afraid of the unknown," Katz answers. "The only time a company should be concerned about reporting is if they haven't done an effective job putting in security in the first place."
Of course, that's often the case. "Most of this stuff happens because basic things were not done," says Jay Ehrenreich, senior manager in the cybercrime prevention and response group of PricewaterhouseCoopers in New York City.
So what should a company do if it realises it's made a mistake? Should it fess up? That's a judgment call. But if the news is going to get out (and most significant news does), it may be in the business's best interest to report it and hope for the best. That way, if the news leaks, at least you'll be able to say that you tried to do something right.
REALITY CHECK: There is a stigma attached to victimhood. But getting caught hiding a security problem isn't great for your corporate image either.
FEAR #5 WE WON'T GET ANYTHING OUT OF IT.
Russ Lewis, CIO and executive vice president of GFI, asks himself whether reporting a security incident will be a plus for his company.
"If we called law enforcement, it might be more time-consuming than the fix would be," says Lewis, whose New York City-based company provides software and other services to Fortune 50 companies dealing in exotic derivatives. "If somebody hacks into my corporate websites and changes words on a page, I'm not necessarily overly fussed. [But] we'd notify law enforcement if [hackers] were able to go in and modify our trading data or if they caused a financial hardship to the firm. If a trail led anyplace, we might get [law enforcement] involved — if there's a value to me."
That value is exactly what law enforcement wants business to see. Unfortunately, there are no numbers to prove it.
Bob Weaver, deputy special agent in charge of the Secret Service's New York Electronic Crimes Task Force, thinks his agency's value proposition for business can best be demonstrated by changing the traditional, reactive approach of law enforcement to a preventative model, similar to the one his agency uses to protect the president. "Is it a good idea for the United States to have a lot of dead presidents?" he asks rhetorically.
Weaver's task force, which has made more than 1000 arrests since 1995, has a good record — so good that it was named a model for the nation in the USA Patriot Act, the broad antiterrorism legislation passed by Congress shortly after September 11. But what Weaver is most proud of is the quarterly meetings of the task force where practitioners and agents from many branches of law enforcement get to know each other and share best practices.
"You have to break down the cultural barriers between law enforcement and the private sector," Weaver says. With the task force, agents are taught about business, and businesses get to know agents. "I understand your value set, you understand mine, and information flows both ways and not a crime has ever been committed. Now we're cookin'," he says.
REALITY CHECK: Law enforcement must demonstrate that sharing information can help prevent future incidents. Until it does so, the value proposition may not add up.
Right now, you can do your own cost-benefit analysis about whether the risk of reporting a security incident is worth the potential return. But that may not be the case for long. Senator Bennett, who introduced the FOIA exemption proposal, has long said that companies should be required to disclose to the Securities and Exchange Commission their readiness to deal with computer attacks, much as they were forced to disclose their Y2K readiness. And at a heated House committee debate over the proposed FOIA exemption last July, Representative Janice Schakowsky (D-Ill.), after calling the exemption "a loophole big enough to drive any corporation and its secrets through," fired a warning shot: "I just want to suggest there's another option. And that is to say this information isn't voluntary, that we require it."
Or maybe it already is. "We can show that reporting may be a legal duty," says Christopher Wolf, a partner at Proskauer Rose in Washington, DC, specifically in cases where an incident could have a significant impact on the business.
And this might be the real monster under the bed. If you choose not to report security incidents, someone may end up choosing for you.
SIDEBAR: Fact, Fiction and FOIA
You might be surprised by what the proposed exemption will do, and even more by what it won't.
TO HEAR SOME PRACTITIONERS tell it, a new exemption from the US Freedom of Information Act (FOIA) is the number-one thing companies want before they'll willingly share information with the government about security threats, vulnerabilities and incidents. But press these practitioners for details and you'll find they're pretty foggy about what the proposed exemption would or would not do. One chief security officer of a Fortune 500 company, who spoke on condition of anonymity, argued for the exemption and then admitted that he really didn't know what FOIA was.
Established in 1966 in Section 552 of Title 5 of the US Code, FOIA was designed to give the public access to the inner workings of government. Journalists, researchers, advocacy groups, businesses and private individuals can file a request with any government agency to access records that might otherwise remain private. In recent years, FOIA requests have led to the disclosure of files about the assassination of John F. Kennedy and details about Vice President Dick Cheney's energy task force.
FOIA already has several exemptions, but the current debate centers on whether exemption B4 — for "trade secrets and commercial or financial information" — protects information about security threats and vulnerabilities as well as it protects, say, the ingredients in Coke's syrup. Many of the government's experts, including Richard Clarke, President Bush's top information security adviser, insist that B4 is protection enough. Nevertheless, they still advocate for an additional exemption, if only to reassure corporate lawyers who don't want to have to rely on case law to protect sensitive data.
In response, the US House of Representatives added a further FOIA exemption to last July's bill creating the new Department of Homeland Security. HR 5005 protects critical infrastructure information voluntarily submitted to any covered federal agency, including the identity of the person or entity submitting it. In the Senate's proposed homeland security bill, S. 2452, a narrower version of the exemption would cover only information voluntarily submitted to the new department itself. Neither exemption says anything about information that's not critical to the infrastructure (like, say, the ingredients in Coke's syrup). But critics fear that the exemption is poorly worded and could be used to hide things like oil spills.
At press time, the Senate was scheduled to debate its homeland security bill. The differences between the bills are likely to be hammered out in a conference committee in one of the rowdiest debates on Capitol Hill this fall. — Sarah D. Scalet