Top 5 Concerns about Reporting Security Incidents: A Reality Check

Stanley “Stash” Jarocki doesn’t act like the agreement he recently signed with the FBI’s National Infrastructure Protection Center (NIPC) is a big deal. “It’s a prenuptial?nothing exotic,” says Jarocki, chairman of the Financial Services Information Sharing and Analysis Center (ISAC) and vice president of information security engineering at Morgan Stanley.

But, in fact, it’s a huge deal. With the memorandum of understanding Jarocki signed last June, the ISAC?which was formed in 1999 to give financial companies a place to exchange information about security threats out of the earshot of regulators and law enforcement?has agreed to talk at least once a week to the NIPC, a law enforcement coordination agency.

So what caused the change of heart? Jarocki says it’s because Ron Dick, head of the NIPC, is placing

the agency’s emphasis on preventing crime rather than on catching perpetrators. “Now if I call Ron’s people up and say I’ve got a problem, I’m not necessarily going to have a guy with a gun and badge here tomorrow,” says Jarocki. “He’s changed things. I’ll get a [computer] analyst before I get a criminal investigator.” The NIPC has also offered the ISAC something in return for the information it shares about security threats such as unknown viruses or new kinds of attacks on firewalls: expertise in computer forensics and data analysis.

The agreement is good news for Dick. “When it was first created, the Financial Services ISAC indicated that it would share information amongst its members and receive information from the government but found it highly unlikely that they would ever share information back to the government,” says Dick. “We have been able to demonstrate that we can protect that information, so certain sectors like the financial services sector have seen the value-added associated with two-way information sharing.” For instance, last winter the NIPC briefed the ISAC on a newly discovered vulnerability in the common Simple Network Management Protocol (SNMP). Once the vulnerability became public, the ISAC stayed in touch about attacks on SNMP-based hardware and software.

Not that the ISAC members are ready to tell the government all. When members report security incidents to the ISAC, the information is stripped of identifying information, first by a software “scrubber” that erases trademarks, acronyms and other identifying information based on lists provided by members, and then by a human one. Even so, Jarocki says companies are nervous enough about inadvertently revealing weaknesses that they will refuse to share some kinds of information?such as diagrams of network architecture?until they’re convinced that that information could not be accessed through a request under the Freedom of Information Act (FOIA). (See “Fact, Fiction and FOIA,” Page 65.)

“To Report It Is to Admit It”

While the June agreement between law enforcement and the financial services industry provides the government with what it’s wanted for years?a window into the number and types of attacks on the nation’s private computer networks?it also shines a light on the anxieties of American industry. Even in financial services, which is accustomed to filing mandatory “suspicious activity” reports with the Treasury Department about possible money laundering, companies won’t easily overcome their fear of reporting computer security incidents, both attempted attacks and actual crimes. “To report it is to admit it,” says Sandy Goldstein, CIO and COO of Capsicum Group, the technology subsidiary of law firm Pepper Hamilton in Philadelphia. “To admit it is to say that you’re not quite as secure as you want to think you are.”

According to the most recent survey by the Computer Security Institute and the San Francisco FBI, only 36 percent of respondents who experienced a computer intrusion reported it to law enforcement. Of those who didn’t, 90 percent wanted to avoid negative publicity, and 75 percent feared that competitors would use the information to their advantage.

Executives say they fear backlash from customers, shareholders and even lawyers who might respond to a publicized problem by withholding their trade, selling their stock or bringing suit. And corporate executives are also not convinced that law enforcement is either capable enough or understands business well enough to help.

CIO set out to do a reality check on those concerns. Fears about incident reporting are the long-ignored monsters under the corporate bed. Some of those monsters can be stared down, and others still need to be tamed. But with national security under intense scrutiny, none of them can be ignored.

Fear #1 I’ll call the wrong agency.

Even the CIO of the Secret Service can’t provide a clear answer about where the Secret Service’s jurisdiction over computer crime ends and the FBI’s begins. “It’s spelled out in the U.S. Code, the law of the land, Title 18,” says Secret Service CIO Bob Buchanan. “As far as CIOs from private organizations not knowing if they’re calling the right person or the right organization, I think there’s some truth in that. There are a lot of laws, and it’s probably confusing.”

Technically, in addition to its presidential duties, the Secret Service is charged with protecting the nation’s financial systems. That makes fraud and counterfeiting investigations its domain; the FBI is charged with handling intrusions, physical threats and website defacement. In reality, jurisdictional issues are complicated enough that at least once a month a group of law enforcement officials comes together under the auspices of the NIPC to “deconflict” their investigations. Maybe the Secret Service is investigating a case in Los Angeles, the FBI has opened a case in Chicago, the Office of Special Investigations is looking into an incident in Florida?and all three trails lead to the same perpetrator. At this monthly meeting, the 22 organizations represented at the NIPC try to figure out whose job is what.

Sound complicated? Try being on the inside. “I don’t believe there are any turf wars,” Buchanan says. “I think there are some ambiguities that lead to people stepping on each other’s toes.”

Instead of worrying about the right person to call, officials agree that companies should get to know a local agent from any agency.

In some cities, the FBI’s Infragard or the Secret Service’s Electronic Crimes Task Force can help. Those groups have meetings where practitioners can meet local law enforcement officials outside of a crisis situation. (To find a local chapter of either group, visit www.infragard.net or www.ectaskforce.org. A directory of local law enforcement offices is also included in CIO’s “Cyberthreat Response & Reporting Guidelines” at www.cio.com/printlinks.)

“The FBI is a word to most people. You put a face on that,” says Chicago Infragard member Willard S. Evans Jr., vice president of information technology services for Peoples Energy. “In this vehicle, you can sit down; you can ask them questions. Now I’m confident I can pick up a phone and talk to someone who is of rank in the FBI about an issue.”

Reality check: Build a relationship with an agent you can trust. Let him worry about jurisdictional issues.

Fear #2 Everyone will find out.

Nobody wants to see his company’s security problems plastered on the front page of The Wall Street Journal, so a lot of companies have latched onto a proposed exemption to the FOIA, long championed by Sen. Robert Bennett (R-Utah), as a condition for reporting security incidents. Companies fear that if they share security details with the government, that information could be made public through an FOIA request filed by competitors, journalists or watchdog groups. The proposed exemption, passed by the House in July and at press time was awaiting debate in the Senate, would, they think, guarantee that this information remain private.

Some people believe that any information shared with a government entity is accessible through an FOIA request and that the proposed exemption would protect everything. In reality, the exemption is intended to protect only information that has to do with the nation’s critical infrastructure.

Whether or not the exemption becomes law, an exemption already exists to protect records compiled for law enforcement purposes. Agents are not likely to spill the beans voluntarily, either. Not only would that hurt their ability to prosecute criminals, it would damage their relationships with the companies they were working with.

So how do security incidents become generally known? With denial-of-service attacks or website defacement, the incidents are painfully public. Other times, the person who created the security breach steps forward to boast. Still other times, customers or employees volunteer information to journalists.

Of course, when an arrest is made, it becomes part of the public record. But then the company can celebrate the fact that it did the right thing by calling law enforcement. Christopher Painter, deputy chief of the Computer Crimes and Intellectual Property Section of the Department of Justice, points to one recent case: Bloomberg, the New York City-based news and financial information company, worked with the Justice Department to issue a press release about the arrest of a man who attempted to extort company founder (and current New York City mayor) Michael Bloomberg. “It can be a good moment for the victim, showing that they’re taking action,” Painter says.

Reality check: Law enforcement agencies don’t make cases public until there’s an arrest. It’s customers and hackers who make incidents public.

Fear #3 They’ll take away our computers.

You report an incident and agents barge into your offices, slap yellow tape all over and cart off all your computers.

Of course, no one CIO spoke with actually knows anyone this has happened to, but everyone seems to know someone who knows someone to whom it did.

“I know that’s a perception out there, but I can’t think of any incident where it’s happened,” says the NIPC’s Dick. “It’s our intent to minimize as much as we can the impact on operations.”

In the past few years, law enforcement agencies have spent a considerable amount of money training computer forensics experts who can make mirrored images of affected drives and use backup tapes and logs of network machines.

Also, law enforcement agents seize the perpetrator’s computers?not the victim’s.

This is not to say you won’t lose control in other ways. Doing forensics and gathering evidence takes time. Companies might have trouble getting access to, say, subpoenaed telephone records. But investigators will try not to get in the way of the business doing business. To do otherwise would be bad PR.

Reality check: The law takes away the perpetrator’s computers?not the victim’s.

Fear #4 We will end up looking bAD.

In the mid-’90s, in perhaps the biggest computer crime on record, Russian hackers transferred $10 million from the accounts of Citibank corporate customers into their own pockets. Citibank executives notified the authorities, who worked quietly to identify and arrest then-34-year-old Vladimir Levin and recover all but $400,000 of the stolen money. “Certainly Citibank had to explain what was going on to the customer base and how they were running security, but no customers left as a result, and as far as I know there was no loss in shareholder value at all,” says former Citibank Chief Information Security Officer Stephen Katz.

So why, going on eight years later, is there still a stigma attached to being the victim of computer crime?

“People are afraid of the unknown,” Katz answers. “The only time a company should be concerned about reporting is if they haven’t done an effective job putting in security in the first place.”

Of course, that’s often the case. “Most of this stuff happens because basic things were not done,” says Jay Ehrenreich, senior manager in the cybercrime prevention and response group of PricewaterhouseCoopers in New York City.

So what should a company do if it realizes it’s made a mistake? Should it fess up? That’s a judgment call. But if the news is going to get out (and most significant news does), it may be in the business’s best interest to report it and hope for the best. That way, if the news leaks, at least you’ll be able to say that you tried to do something right.

Reality check: There is a stigma attached to victimhood. But getting caught hiding a security problem isn’t great for your corporate image either.

Fear #5 we won’t get anything out of it.

Russ Lewis, CIO and executive vice president of GFI, asks himself whether reporting a security incident will be a plus for his company.

“If we called law enforcement, it might be more time-consuming than the fix would be,” says Lewis, whose New York City-based company provides software and other services to Fortune 50 companies dealing in exotic derivatives. “If somebody hacks into my corporate websites and changes words on a page, I’m not necessarily overly fussed. [But] we’d notify law enforcement if [hackers] were able to go in and modify our trading data or if they caused a financial hardship to the firm. If a trail led anyplace, we might get [law enforcement] involved?if there’s a value to me.”

That value is exactly what law enforcement wants business to see. Unfortunately, there are no numbers to prove it.

Bob Weaver, deputy special agent in charge of the Secret Service’s New York Electronic Crimes Task Force, thinks his agency’s value proposition for business can best be demonstrated by changing the traditional, reactive approach of law enforcement to a preventative model, similar to the one his agency uses to protect the president. “Is it a good idea for the United States to have a lot of dead presidents?” he asks rhetorically.

Weaver’s task force, which has made more than 1,000 arrests since 1995, has a good record?so good that it was named a model for the nation in the USA Patriot Act, the broad antiterrorism legislation passed by Congress shortly after Sept. 11. But what Weaver is most proud of is the quarterly meetings of the task force where practitioners and agents from many branches of law enforcement get to know each other and share best practices.

“You have to break down the cultural barriers between law enforcement and the private sector,” Weaver says. With the task force, agents are taught about business, and businesses get to know agents. “I understand your value set, you understand mine, and information flows both ways and not a crime has ever been committed. Now we’re cookin’,” he says.

Reality check: Law enforcement must demonstrate that sharing information can help prevent future incidents. Until it does so, the value proposition may not add up.

NEW MONSTERS?

Right now, you can do your own cost-benefit analysis about whether the risk of reporting a security incident is worth the potential return. But that may not be the case for long. Sen. Bennett, who introduced the FOIA exemption proposal, has long said that companies should be required to disclose to the Securities and Exchange Commission their readiness to deal with computer attacks, much as they were forced to disclose their Y2K readiness. And at a heated House committee debate over the proposed FOIA exemption last July, Rep. Janice Schakowsky (D-Ill.), after calling the exemption “a loophole big enough to drive any corporation and its secrets through,” fired a warning shot: “I just want to suggest there’s another option. And that is to say this information isn’t voluntary, that we require it.”

Or maybe it already is. “We can show that reporting may be a legal duty,” says Christopher Wolf, a partner for Proskauer Rose in Washington, D.C.?specifically, in cases where an incident could have a significant impact on business.

And this might be the real monster under the bed. If you choose not to report security incidents, someone may end up choosing for you.