Fear Stops Executives from Reporting Computer Crime

When a convenience store is robbed, the clerk calls the cops, gives a description of the crooks, and the cops go on the hunt. If the information and the police work are good enough, the cops will catch the perpetrators before another convenience store gets hit. That’s the way law enforcement works.

So why doesn’t this kind of information sharing happen when it comes to computer crime?

Fear. Executives are afraid they’ll:

Become a target. If they say they’ve been hacked or have concerns of being hacked, they show their vulnerability. Like a wounded cub on the Serengeti Plain, the hyenas will move in to finish them off.

Become a challenge. If, on the other hand, they say their systems are secure, it’s like throwing down the gauntlet to hackers. “Either way, it [sets] us up as a target and a challenge for hackers,” says an anonymous CIO in “Conspiracy of Silence,” beginning on Page 92.

Damage confidence (and revenue and valuation). If news leaks out to customers, it could hurt their confidence in the company. Investors might downgrade the company’s stock. Even sharing the information within the inner circle could trigger a negative reaction among shareholders.

These are serious concerns. But letting them drive behavior may be giving the bad guys the upper hand.

“Hackers share information,” said computer crime fighter Gail Thackeray at a CIO Perspectives Conference in October 2000. “We don’t. We need to share information between industry and law enforcement.”

Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, agrees. “We need to publicly understand why systems fail. Secrecy only aids the attackers.”

Until corporations start sharing information with each other and with law enforcement about what’s actually going on, the bad guys will keep the upper hand. And I’ve got news for you: The real bad guys haven’t even arrived on the scene yet.

The recent move by Microsoft, Oracle, Cisco and others to form a security coalition is a promising step in the right direction, following the lead of three other industries (banking, telecom and electric) to share information within their community. But these coalitions are under no obligation to share information with law enforcement (and vice versa), and there are no early signs that they’ll be inclined to do so.

The FBI has plans of its own, rolling out its Infragard intrusion alert program on a national level (for more on this, see Martha Heller’s Sound Off column at comment.cio.com/sound.cfm?ID=85).

Industry-only information sharing is fine if all you want to do is shore up your defenses. But once the real criminals and terrorists start working the Internet in an organized way (and it won’t be long), don’t you think you’ll want to have the crime fighters in the loop? Let me know at lundberg@cio.com.