Stanley "Stash" Jarocki doesn't act like the agreement he recently signed with the FBI's National Infrastructure Protection Center (NIPC) is a big deal. "It's a prenuptial, nothing exotic," says Jarocki, chairman of the Financial Services Information Sharing and Analysis Center (ISAC) and vice president of information security engineering at Morgan Stanley. But, in fact, it's a huge deal. With the memorandum of understanding Jarocki signed last June, the ISAC (formed in 1999 to give financial companies a place to exchange information about security threats out of the earshot of regulators and law enforcement) has agreed to talk at least once a week to the NIPC, a law enforcement coordination agency.

So what caused the change of heart? Jarocki says it's because Ron Dick, head of the NIPC, is placing the agency's emphasis on preventing crime rather than on catching perpetrators. "Now if I call Ron's people up and say I've got a problem, I'm not necessarily going to have a guy with a gun and badge here tomorrow," says Jarocki. "He's changed things. I'll get a [computer] analyst before I get a criminal investigator."

The NIPC has also offered the ISAC something in return for the information it shares about security threats such as unknown viruses or new kinds of attacks on firewalls: expertise in computer forensics and data analysis.

The agreement is good news for Dick. "When it was first created, the Financial Services ISAC indicated that it would share information amongst its members and receive information from the government but found it highly unlikely that they would ever share information back to the government," says Dick. "We have been able to demonstrate that we can protect that information, so certain sectors like the financial services sector have seen the value-added associated with two-way information sharing."
For instance, last winter the NIPC briefed the ISAC on a newly discovered vulnerability in the widely deployed Simple Network Management Protocol (SNMP). Once the vulnerability became public, the ISAC stayed in touch about attacks on SNMP-based hardware and software.

Not that the ISAC members are ready to tell the government all. When members report security incidents to the ISAC, the reports are stripped of identifying details, first by a software "scrubber" that erases trademarks, acronyms and other identifiers based on lists provided by members, and then by a human reviewer. Even so, Jarocki says companies are nervous enough about inadvertently revealing weaknesses that they will refuse to share some kinds of information, such as diagrams of network architecture, until they're convinced that it could not be obtained through a request under the Freedom of Information Act (FOIA). (See "Fact, Fiction and FOIA," Page 65.)

"To Report It Is to Admit It"

While the June agreement between law enforcement and the financial services industry provides the government with what it's wanted for years, a window into the number and types of attacks on the nation's private computer networks, it also shines a light on the anxieties of American industry. Even in financial services, which is accustomed to filing mandatory "suspicious activity" reports with the Treasury Department about possible money laundering, companies won't easily overcome their fear of reporting computer security incidents, whether attempted attacks or actual crimes. "To report it is to admit it," says Sandy Goldstein, CIO and COO of Capsicum Group, the technology subsidiary of law firm Pepper Hamilton in Philadelphia.
"To admit it is to say that you're not quite as secure as you want to think you are."

According to the most recent survey by the Computer Security Institute and the FBI's San Francisco office, only 36 percent of respondents who experienced a computer intrusion reported it to law enforcement. Of those who didn't, 90 percent wanted to avoid negative publicity, and 75 percent feared that competitors would use the information to their advantage.

Executives say they fear backlash from customers, shareholders and even lawyers who might respond to a publicized problem by withholding their trade, selling their stock or bringing suit. And corporate executives are also not convinced that law enforcement is either capable enough or understands business well enough to help.

CIO set out to do a reality check on those concerns. Fears about incident reporting are the long-ignored monsters under the corporate bed. Some of those monsters can be stared down, and others still need to be tamed. But with national security under intense scrutiny, none of them can be ignored.

Fear #1: I'll call the wrong agency.

Even the CIO of the Secret Service can't provide a clear answer about where the Secret Service's jurisdiction over computer crime ends and the FBI's begins. "It's spelled out in the U.S. Code, the law of the land, Title 18," says Secret Service CIO Bob Buchanan. "As far as CIOs from private organizations not knowing if they're calling the right person or the right organization, I think there's some truth in that. There are a lot of laws, and it's probably confusing."

Technically, in addition to its presidential protection duties, the Secret Service is charged with protecting the nation's financial systems. That makes fraud and counterfeiting investigations its domain; the FBI is charged with handling intrusions, physical threats and website defacement.
In reality, jurisdictional issues are complicated enough that at least once a month a group of law enforcement officials comes together under the auspices of the NIPC to "deconflict" their investigations. Maybe the Secret Service is investigating a case in Los Angeles, the FBI has opened a case in Chicago, the Office of Special Investigations is looking into an incident in Florida, and all three trails lead to the same perpetrator. At this monthly meeting, the 22 organizations represented at the NIPC try to figure out whose job is what.

Sound complicated? Try being on the inside. "I don't believe there are any turf wars," Buchanan says. "I think there are some ambiguities that lead to people stepping on each other's toes."

Instead of worrying about the right person to call, officials agree that companies should get to know a local agent from any agency. In some cities, the FBI's Infragard or the Secret Service's Electronic Crimes Task Force can help. Those groups hold meetings where practitioners can meet local law enforcement officials outside of a crisis situation. (To find a local chapter of either group, visit www.infragard.net or www.ectaskforce.org. A directory of local law enforcement offices is also included in CIO's "Cyberthreat Response & Reporting Guidelines" at www.cio.com/printlinks.)

"The FBI is a word to most people. You put a face on that," says Chicago Infragard member Willard S. Evans Jr., vice president of information technology services for Peoples Energy. "In this vehicle, you can sit down; you can ask them questions. Now I'm confident I can pick up a phone and talk to someone who is of rank in the FBI about an issue."

Reality check: Build a relationship with an agent you can trust.
Let him worry about jurisdictional issues.

Fear #2: Everyone will find out.

Nobody wants to see his company's security problems plastered on the front page of The Wall Street Journal, so a lot of companies have latched onto a proposed exemption to the FOIA, long championed by Sen. Robert Bennett (R-Utah), as a condition for reporting security incidents. Companies fear that if they share security details with the government, that information could be made public through an FOIA request filed by competitors, journalists or watchdog groups. The proposed exemption, which passed the House in July and at press time was awaiting debate in the Senate, would, they think, guarantee that this information remains private.

Some people believe that any information shared with a government entity is accessible through an FOIA request and that the proposed exemption would protect everything. In reality, the exemption is intended to protect only information that has to do with the nation's critical infrastructure.

Whether or not the exemption becomes law, an exemption already exists to protect records compiled for law enforcement purposes. Agents are not likely to spill the beans voluntarily, either. Not only would that hurt their ability to prosecute criminals, it would damage their relationships with the companies they were working with.

So how do security incidents become generally known? With denial-of-service attacks or website defacement, the incidents are painfully public. Other times, the person who caused the security breach steps forward to boast. Still other times, customers or employees volunteer information to journalists.

Of course, when an arrest is made, it becomes part of the public record. But then the company can celebrate the fact that it did the right thing by calling law enforcement.
Christopher Painter, deputy chief of the Computer Crimes and Intellectual Property Section of the Department of Justice, points to one recent case: Bloomberg, the New York City-based news and financial information company, worked with the Justice Department to issue a press release about the arrest of a man who attempted to extort company founder (and current New York City mayor) Michael Bloomberg. "It can be a good moment for the victim, showing that they're taking action," Painter says.

Reality check: Law enforcement agencies don't make cases public until there's an arrest. It's customers and hackers who make incidents public.

Fear #3: They'll take away our computers.

You report an incident and agents barge into your offices, slap yellow tape all over and cart off all your computers. Of course, no one CIO spoke with actually knows anyone this has happened to, but everyone seems to know someone who knows someone to whom it did.

"I know that's a perception out there, but I can't think of any incident where it's happened," says the NIPC's Dick. "It's our intent to minimize as much as we can the impact on operations."

In the past few years, law enforcement agencies have spent a considerable amount of money training computer forensics experts who can make mirrored images of affected drives and work from backup tapes and the logs of network machines rather than taking production systems offline. Also, law enforcement agents seize the perpetrator's computers, not the victim's.

This is not to say you won't lose control in other ways. Doing forensics and gathering evidence takes time. Companies might have trouble getting access to, say, subpoenaed telephone records. But investigators will try not to get in the way of the business doing business.
To do otherwise would be bad PR.

Reality check: The law takes away the perpetrator's computers, not the victim's.

Fear #4: We will end up looking bad.

In the mid-'90s, in perhaps the biggest computer crime on record, Russian hackers transferred $10 million from the accounts of Citibank corporate customers into their own pockets. Citibank executives notified the authorities, who worked quietly to identify and arrest then-34-year-old Vladimir Levin and recover all but $400,000 of the stolen money. "Certainly Citibank had to explain what was going on to the customer base and how they were running security, but no customers left as a result, and as far as I know there was no loss in shareholder value at all," says former Citibank Chief Information Security Officer Stephen Katz.

So why, going on eight years later, is there still a stigma attached to being the victim of computer crime? "People are afraid of the unknown," Katz answers. "The only time a company should be concerned about reporting is if they haven't done an effective job putting in security in the first place."

Of course, that's often the case. "Most of this stuff happens because basic things were not done," says Jay Ehrenreich, senior manager in the cybercrime prevention and response group of PricewaterhouseCoopers in New York City. So what should a company do if it realizes it's made a mistake? Should it fess up? That's a judgment call. But if the news is going to get out (and most significant news does), it may be in the business's best interest to report it and hope for the best. That way, if the news leaks, at least you'll be able to say that you tried to do something right.

Reality check: There is a stigma attached to victimhood. But getting caught hiding a security problem isn't great for your corporate image either.

Fear #5: We won't get anything out of it.
Russ Lewis, CIO and executive vice president of GFI, asks himself whether reporting a security incident will be a plus for his company. "If we called law enforcement, it might be more time-consuming than the fix would be," says Lewis, whose New York City-based company provides software and other services to Fortune 50 companies dealing in exotic derivatives. "If somebody hacks into my corporate websites and changes words on a page, I'm not necessarily overly fussed. [But] we'd notify law enforcement if [hackers] were able to go in and modify our trading data or if they caused a financial hardship to the firm. If a trail led anyplace, we might get [law enforcement] involved, if there's a value to me."

That value is exactly what law enforcement wants business to see. Unfortunately, there are no numbers to prove it.

Bob Weaver, deputy special agent in charge of the Secret Service's New York Electronic Crimes Task Force, thinks his agency's value proposition for business can best be demonstrated by changing the traditional, reactive approach of law enforcement to a preventive model, similar to the one his agency uses to protect the president. "Is it a good idea for the United States to have a lot of dead presidents?" he asks rhetorically.

Weaver's task force, which has made more than 1,000 arrests since 1995, has a good record, so good that it was named a model for the nation in the USA Patriot Act, the broad antiterrorism legislation passed by Congress shortly after Sept. 11. But what Weaver is most proud of is the quarterly meetings of the task force, where practitioners and agents from many branches of law enforcement get to know each other and share best practices.

"You have to break down the cultural barriers between law enforcement and the private sector," Weaver says. With the task force, agents are taught about business, and businesses get to know agents.
"I understand your value set, you understand mine, and information flows both ways and not a crime has ever been committed. Now we're cookin'," he says.

Reality check: Law enforcement must demonstrate that sharing information can help prevent future incidents. Until it does so, the value proposition may not add up.

New Monsters?

Right now, you can do your own cost-benefit analysis about whether the risk of reporting a security incident is worth the potential return. But that may not be the case for long. Sen. Bennett, who introduced the FOIA exemption proposal, has long said that companies should be required to disclose to the Securities and Exchange Commission their readiness to deal with computer attacks, much as they were required to disclose their Y2K readiness. And at a heated House committee debate over the proposed FOIA exemption last July, Rep. Janice Schakowsky (D-Ill.), after calling the exemption "a loophole big enough to drive any corporation and its secrets through," fired a warning shot: "I just want to suggest there's another option. And that is to say this information isn't voluntary, that we require it."

Or maybe it already is required. "We can show that reporting may be a legal duty," says Christopher Wolf, a partner at Proskauer Rose in Washington, D.C., specifically in cases where an incident could have a significant impact on the business.

And this might be the real monster under the bed. If you choose not to report security incidents, someone may end up choosing for you.