Large organizations should prepare themselves for more-clever and more-targeted attacks against their security infrastructures this year. That’s the one thing law-enforcement officials, security experts, and industry executives agree on. Everything else — from the proper way to assess damages after a security breach to whether or not companies should report these breaches to the Federal Bureau of Investigation — seems to be up for debate.
“We are currently seeing attacks like we have never seen before,” says Bruce Helman, unit chief overseeing technology issues for the FBI’s Counterintelligence division. “Many are coming from Eastern Europe and are more sophisticated and more difficult to detect.” Increasingly, Helman says, these attacks are perpetrated for money rather than hacker thrills and boasting rights as was the case in years past. Hacker groups have added financial savvy to their technical skills and have become masters of blackmail, and of negotiating with companies to extort the maximum amount of cash from them.
Until recently, Helman says, many of these groups didn’t know how to calculate their demands and asked for absurdly small amounts of money for either returning sensitive data or stopping automated attacks. Now, he says, they routinely demand $10,000 to $50,000, and many companies are more than willing to pay up in order to hush up the security breach. As in all forms of blackmail, a one-time payment is no guarantee against future demands, nor does it ensure that hackers won’t sell the data anyway. In addition, reluctance to bring authorities into the picture leaves those same hackers free to try their schemes over and over again. The FBI has run an information-sharing program called Infragard since 1996, and while 68 of the country’s 100 largest companies have participated, insiders acknowledge that there is plenty of hesitation about admitting to weakness or breaches.
Analysts say companies have understandable motives for keeping things quiet. First, given new regulatory requirements to protect data, admitting to a breach could lead to fines, lawsuits, and government investigation. Second, companies that deal in sensitive customer data know public knowledge of such security leaks could damage their business. The San Diego–based consumer-rights group Privacy Rights Clearinghouse says that more than 51 million Americans have had their personal data, including financial account numbers, Social Security numbers, and driver’s license information, breached in more than 95 separate incidents since February 2005. These incidents have involved large organizations such as ChoicePoint, Wachovia, Bank of America, CardSystems, Northwestern University, and even the Department of Justice and the Federal Deposit Insurance Corp.
But the “keep it under your hat” approach to security breaches may soon be impossible. Many companies, particularly in the health-care and financial-services arenas, now operate under strict regulations that require them to report such attacks without delay. California’s data security notification law, one of the toughest in the nation, has inspired more than a dozen bills in Congress in an effort to take such regulations nationwide. If companies find the current climate onerous, they aren’t saying so. “We are obligated to report any [security breaches] under Sarbanes-Oxley,” says David Valcik, vice president of technology services at Fort Smith, Arkansas-based Beverly Enterprises Inc., a nationwide provider of long-term care and assisted living to the elderly and disabled. “But we also want to assist in tracking down these types of threats” to keep them from happening again, he says.