Cyber Attacks Kept Under Wraps By US Business, FBI Says

Jun 20, 2012

While no company wants to admit that it's been the target of cyber attacks, this is often a necessary part of the IT learning process. Without solid data--and, often, help from other outside agencies--midsize and even enterprise-level businesses can leave themselves open to repeated digital violations. Unfortunately, the stigma that comes along with publicly announcing such breaches has resulted in many US companies choosing not to report intrusions, theft, or damage to their networks, according to the FBI.

Break and Enter

According to a recent Reuters article, the FBI and Department of Homeland Security are now calling for more rigorous rules and enforcement in order to combat cyber breaches. Shawn Henry, a former agent for the FBI who specialized in cyber crime, said that "there have been lots of breaches in every industry that have never been publicized," with the agency working on up to 2,000 cases at a time when the public hears about only a handful, and those 2,000 representing only a fraction of those that have actually occurred. As a result, important data about attackers and their methods has often gone undiscovered.

Advisors for the Department of Homeland Security want to make it mandatory for companies to disclose a cyber attack to the government, even if they choose to keep it out of the media. Japan already does so, for example, and government officials argue that the kind of data gleaned from these intrusions could be invaluable in helping expand their understanding of attack techniques. Take the example of Symantec, which had a breach in 2006 but didn't disclose it until hackers revealed some of the information they had stolen. In fact, the FBI states that in many cases, it's the agency that calls out businesses after proprietary information is found online.

Of course, stricter rules about reporting start treading on private industry freedoms and a right to conduct business as companies choose, and may be a hard fight for the Securities and Exchange Commission (SEC). Many companies will fight back against such control, arguing that their breaches are minor, par for the course, or simply not material. But is that really the case?

Power Down

A June 14, 2012, article at CNet examines potential threats to the US power grid as a result of the issuing of long-term digital certificates. These certificates are supposed to protect access to things like control systems, trading systems, and the US power grid, but right now don't have a set expiration date, despite the fact that several weaknesses in their algorithms have been found over the last decade. The North American Energy Standards Board (NAESB) is now considering just how long they should let the certificates stand without expiration and recertification, with private industry arguing for 30 years and government agencies hoping for 5 or 10.

It's worth noting that the Stuxnet cyber attacks on Iran used valid digital signatures issued by reputable companies, though it's likely they were unaware of just what they were issuing and why. Debate on both sides of the digital certificate divide is hot, with certificate providers like Lila Kee of GlobalSign arguing that a 30-year certificate presents an "easily mitigated theoretical risk with the least amount of business disruption." Jesse Hurley of the NAESB, meanwhile, says that private industry isn't taking this kind of security seriously or doing enough to make sure the right people are issued certificates.

The message here is clear for IT admins: there's more going on in the digital world than gets reported, and not every provider with a valid digital certificate is trustworthy. It is crucial not only to guard against potential intrusions--and report actual intrusions to the federal government for analysis--but just as important to rely on more than digital signatures and certificates in determining if a service provider or software vendor is safe to use. To paraphrase: A bit of digital prevention is worth a kilobyte of cure.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
