[ISN] Feds pursue secrecy for corporate victims of hacking

From: InfoSec News (isnat_private)
Date: Fri Nov 01 2002 - 01:12:02 PST

    By TED BRIDIS, Associated Press
    WASHINGTON (October 31, 2002 6:36 p.m. EST) - Senior law enforcement
    officials assured technology executives Thursday that government will
    increasingly work to keep secret the names of companies that become
    victims of major hacking crimes, along with any sensitive corporate
    disclosures that could prove embarrassing.
    The effort, described at a cybercrime conference in northern Virginia,
    is designed to encourage businesses to report such attacks and build
    public confidence in Internet security. Officials promised to use
    legal mechanisms, such as protective orders and sealed court filings,
    to shield corporate hacking victims from bad publicity.
    "It's important for us to realize that you have certain concerns as
    victim companies that we have to acknowledge," FBI Director Robert
    Mueller said. He promised, for example, that FBI agents called to
    investigate hacking crimes will arrive at offices discreetly without
    wearing official jackets with "FBI" emblazoned on them.
    "The mere calling of us in an investigation can have an adverse impact
    on the image of your company," said Mueller, who has made cybercrime
    an FBI priority. In exchange for this protection, Mueller said,
    companies should more frequently admit to the FBI when they are
    victims of hacking. "You're not enabling us to do the job," he said.
    Government efforts to tighten Internet security and investigate online
    attacks have long been hampered by reluctance from companies to admit
    they were victims, even in cases where executives quietly paid
    thousands of dollars in extortion to hackers. Companies say they fear
    loss of trust by customers and shareholders, costs associated with a
    formal investigation and increased scrutiny by regulators.
    New efforts to protect the identities of hacking victims also contrast
    markedly with traditional hacker culture, which frequently blames
    companies and organizations that are targets of online attacks for
    failing to secure their networks adequately.
    "There may very well be ways that law enforcement can get a criminal
    sanction imposed but not have all the names of the companies made
    public," said Marty Stansell-Gamm, chief of the Justice Department's
    computer crime section. But she cautioned: "That's not something that
    law enforcement can guarantee."
    Instead, Stansell-Gamm said companies that have publicized hacking
    crimes along with their own explanations have fared well with
    customers and shareholders.
    "Companies that worry too much about public response underestimate the
    public's ability to assess the situation with some sophistication,"  
    she said. "If a bank robber sticks a gun in a teller's face, the
    public is not confused about whose fault that is."
    Paul McNulty, the U.S. attorney for the Eastern District of Virginia,
    said government's goal is to "prosecute cases while at the same time
    achieving the kinds of protection and addressing the concern that the
    business community rightly has." He pledged that prosecutors will
    "minimize publicity so there is no disincentive to come forward."
    McNulty's district is home to major technology companies and one of
    the Internet's most important physical junctions.
    He cited congressional efforts, supported by the Bush administration,
    to exempt from the Freedom of Information Act any details that
    companies might disclose to the proposed Department of Homeland
    Security about vulnerabilities in their operations. He said amending
    the law could be helpful "in case there is a concern that reports of
    hacks or intrusions in federal records might find their way into the
    hands of those who would use that information against us."
    Another U.S. attorney, Roscoe Howard of the District of Columbia, said
    the Constitution requires that a criminal defendant be permitted to
    face the accuser at trial, but he noted that many computer-crime
    investigations culminate with a plea agreement, where the names of
    victim companies can be kept secret.
    "Nobody wants to be yanked out in front of the public to say, 'Hey, I
    was the victim of a crime.' Most people don't want their 15 minutes,"  
    Howard said. "We can protect you where we can, and we will do that
    when it's within the law and the constitutional rights of the
    defendant. When we've got individuals (as witnesses) we want to keep
    off the stand, we just won't use them."
    ISN is currently hosted by Attrition.org