Information Security News mailing list archives

Feds pursue secrecy for corporate victims of hacking


From: InfoSec News <isn () c4i org>
Date: Fri, 1 Nov 2002 03:12:02 -0600 (CST)

http://www.nandotimes.com/technology/story/601028p-4652104c.html

By TED BRIDIS, Associated Press
 
WASHINGTON (October 31, 2002 6:36 p.m. EST) - Senior law enforcement
officials assured technology executives Thursday that government will
increasingly work to keep secret the names of companies that become
victims to major hacking crimes, along with any sensitive corporate
disclosures that could prove embarrassing.

The effort, described at a cybercrime conference in northern Virginia,
is designed to encourage businesses to report such attacks and build
public confidence in Internet security. Officials promised to use
legal mechanisms, such as protective orders and sealed court filings,
to shield corporate hacking victims from bad publicity.

"It's important for us to realize that you have certain concerns as
victim companies that we have to acknowledge," FBI Director Robert
Mueller said. He promised, for example, that FBI agents called to
investigate hacking crimes will arrive at offices discreetly without
wearing official jackets with "FBI" emblazoned on them.

"The mere calling of us in an investigation can have an adverse impact
on the image of your company," said Mueller, who has made cybercrime
an FBI priority. In exchange for this protection, Mueller said,
companies should more frequently admit to the FBI when they are
victims of hacking. "You're not enabling us to do the job," he said.

Government efforts to tighten Internet security and investigate online
attacks have long been hampered by reluctance from companies to admit
they were victims, even in cases where executives quietly paid
thousands of dollars in extortion to hackers. Companies say they fear
loss of trust by customers and shareholders, costs associated with a
formal investigation and increased scrutiny by regulators.

New efforts to protect the identities of hacking victims also contrast
markedly with traditional hacker culture, which frequently blames
companies and organizations that are targets of online attacks for
failing to secure their networks adequately.

"There may very well be ways that law enforcement can get a criminal
sanction imposed but not have all the names of the companies made
public," said Marty Stansell-Gamm, chief of the Justice Department's
computer crime section. But she cautioned: "That's not something that
law enforcement can guarantee."

Instead, Stansell-Gamm said companies that have publicized hacking
crimes along with their own explanations have fared well with
customers and shareholders.

"Companies that worry too much about public response underestimate the
public's ability to assess the situation with some sophistication,"
she said. "If a bank robber sticks a gun in a teller's face, the
public is not confused about whose fault that is."

Paul McNulty, the U.S. attorney for the Eastern District of Virginia,
said government's goal is to "prosecute cases while at the same time
achieving the kinds of protection and addressing the concern that the
business community rightly has." He pledged that prosecutors will
"minimize publicity so there is no disincentive to come forward."

McNulty's district is home to major technology companies and one of
the Internet's most important physical junctions.

He cited congressional efforts, supported by the Bush administration,
to exempt from the Freedom of Information Act any details that
companies might disclose to the proposed Department of Homeland
Security about vulnerabilities in their operations. He said amending
the law could be helpful "in case there is a concern that reports of
hacks or intrusions in federal records might find their way into the
hands of those who would use that information against us."

Another U.S. attorney, Roscoe Howard of the District of Columbia, said
the Constitution requires that a criminal defendant be permitted to
face the accuser at trial, but he noted that many computer-crime
investigations culminate with a plea agreement, where the names of
victim companies can be kept secret.

"Nobody wants to be yanked out in front of the public to say, 'Hey, I
was the victim of a crime.' Most people don't want their 15 minutes,"  
Howard said. "We can protect you where we can, and we will do that
when it's within the law and the constitutional rights of the
defendant. When we've got individuals (as witnesses) we want to keep
off the stand, we just won't use them."



-
ISN is currently hosted by Attrition.org
