Information Security News mailing list archives

U.S. Backing for Guidelines on Fighting Cybercrime


From: InfoSec News <isn () c4i org>
Date: Thu, 14 Feb 2002 03:40:13 -0600 (CST)

Forwarded from: sscalet () cio com

http://www.nytimes.com/2002/02/12/technology/12CYBE.html?ex=1014550854&ei=1&en=9b30c31569228713

February 12, 2002
By BARNABY J. FEDER

The first guidelines for responding to attacks on computer systems to
be endorsed by both the F.B.I. and the Secret Service, the main
Federal agencies fighting such crimes, were published yesterday.

The guidelines were drafted by government and private security experts
brought together by CIO magazine, a trade publication for information
technology executives.

The guidance comes at a time when the number of both government and
private organizations trying to track and fight electronic crimes has
been expanding, partly in response to Sept. 11. But experts say many
businesses continue to be reluctant to provide law enforcement
officials with enough information to pursue cybercriminals. Companies
often fear that they will lose business if security breaches become
public or that they will become the target of revenge attacks.

"People are very fearful of all the publicity that surrounds going
after someone and convicting them," said Bruce Schneier, chief
technology officer of Counterpane, a computer security company based
in Cupertino, Calif.

Such fears can be overcome in many cases, said Ronald L. Dick, the
F.B.I. official who heads the government's National Infrastructure
Protection Center. "They'll share information with us every time if
they have an inkling we can prosecute successfully," Mr. Dick said.  
Still, he said, the new guidelines should help fight fears that the
government agencies would respond to intrusion reports "by seizing
your server and putting yellow tape around it."

The 12-page CIO guidelines provide complete contact information for
businesses to report intrusions to public authorities and various
information-sharing partnerships like the 65 InfraGard chapters the
F.B.I. has helped set up around the nation. They also outline
practices that the F.B.I. and Secret Service advocate, like developing
relationships with electronic crimes experts at the agencies ahead of
time so that managers have a personal contact to take their call.

The guidelines advise against reporting minor intrusions, like the
efforts of outsiders to scan corporate systems for ways to penetrate
them. Such probes can occur hundreds or even thousands of times a month
at a major company. While such information could be useful in theory,
the guidelines say, it would swamp the current data systems of
clearinghouses like the National Infrastructure Protection Center or
the Internet Storm Center, which is operated by the SANS Institute, an
international research organization for security experts.

Breaches of computer defenses by worms, viruses, hacks and other
intrusions that cause damage are another matter. Law enforcement
officials need all the help they can get in catching up with such
activity, said Bruce A. Townsend, special agent in charge of the
Secret Service's financial crimes division.

"This is constantly evolving, unlike something like drug trafficking,"  
Mr. Townsend said.

Most experts say cybercrimes cost billions of dollars annually. Last
year, only 36 percent of those who experienced intrusions reported
them to authorities, according to an annual survey by the Computer
Security Institute and the San Francisco office of the F.B.I.

Mr. Townsend said the major part of the guidelines was not the
standardized form for reporting intrusions but the emphasis on
planning ahead. Some experts argue, though, that few companies will do
an adequate job in that regard unless forced to by regulatory
authorities.

"We need metrics of how prepared people are for cyberattacks and
provisions like the Securities and Exchange Commission required for
Y2K for corporate disclosure," said Harris N. Miller, president of the
Information Technology Association of America, a trade group that has
participated in organizing information-sharing groups on security
matters.



-
ISN is currently hosted by Attrition.org
