Shostack + Friends Blog Archive


"FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

Volubis picks up stories in Information Week and Computer World:

Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return.

This reluctance has become especially important at a time when identity theft is growing rapidly and terrorists are increasingly using the Internet, Mueller said in a speech to the InfraGard national conference, where private companies share security tips and expertise with the FBI.

We really need to get past this. Defending computers is much harder than attacking them. Most of the organizations compelled by California’s SB 1386 to reveal their breaches have not suffered long-term damage because of it. (The ones that have fall into a few categories: tertiary parties whom consumers were not aware had their data, those who lied to the public about what happened, and those where the breach seemed to have more to do with negligence than with an accident. Getting defensive about the breach, and focusing PR on how the company was the real victim, also doesn’t help.)

What’s more, we need anecdotes from which we can compile data to understand how systems are really compromised. With that data, we could start spending our money on better security systems that actually addressed the threats that matter.

The first step is to admit you have a problem.

3 comments on "FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

  • Chris Walsh says:

    I didn’t RT entire FA, but if 20% of businesses using IT report security breaches annually, I will be astounded.
    I *think* what this so-called statistic really means is that 20% of the self-selected CSI/FBI “sample” said they were hacked in a mail-in unscientific survey. If so, then this number, is worse than meaningless. The tenacity with which it is clung to — especially by people who know better — is testimony to how sorely needed real data are.
    One day, I’ll write up the rant about this survey which has been festering in my craw for a few years, but for now I’ll just chime in with “YES! We need better data, because we could hardly have worse”.

  • Todd says:

    “Defending computers is much harder than defending them.”
    I’m guessing you meant that defending is harder than attacking. =)

  • Adam says:

    Well, I’m glad someone is paying attention. 🙂

Comments are closed.