An Eerie Silence on Cybersecurity

Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.

NYTimes Editorial 26 February 2013, An Eerie Silence on Cybersecurity, notes a few exceptions, and then remarks:

American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash.

Maybe a prescribed burn of deliberately released breach information is better than a factory fire of information that escapes on its own terms.

Why don’t companies do this?

So why do they feel that the theft of trade secrets that are often much more valuable does not deserve to be discussed? Companies might argue that it’s hard to quantify the losses from cyberattacks, but that does not mean that they are costless.

Why the silence? Because they can get away with it, of course. Maybe more publicly visible indicators of security reputation would help.

Better reporting would also help.

By keeping quiet, companies also make it more difficult for other businesses and the government to protect against similar attacks. Recent evidence suggests that cyberassaults against corporate and government systems are becoming more frequent and more sophisticated.

If the real fear is online assaults from the Chinese government, then they are not “hackers” (the word used in the first sentence of the editorial), are they? Or is the NYTimes really more concerned about corporations and governments being caught out for lax security by Anonymous?

Bringing these assaults into the open can make everybody more secure.

Is it the assaults that need bringing into the open most, or is it the lax security that makes them so easy?

President Obama’s recent executive order encouraging voluntary sharing of information is a welcome step in that direction.

Presumably that would be this executive order of 12 February 2013, Executive Order — Improving Critical Infrastructure Cybersecurity:

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

As long as we’re careful about what sort of information gets shared, and in which direction. Let’s avoid it turning into The Cyber Intelligence Sharing and Protection Act (CISPA), which we had to fight off last year. As the Electronic Frontier Foundation (EFF) put it in CISPA is Back:

CISPA would grant companies more power to obtain “threat” information (such as from private communications of users) and to disclose that data to the government without a warrant — including sending data to the National Security Agency.

As the NYTimes editorial says:

This is not about shaming companies. It is about protecting these companies as well as individuals against security breaches. A recent study showed that state laws that require companies to inform individuals about security breaches on personal information like credit card numbers have resulted in a modest drop in identity theft in those states. That suggests that timely disclosures give individuals the opportunity to take action to protect themselves and encourage corporate executives to increase efforts to protect their systems.

Yes, let’s concentrate on companies informing individuals (and the public) about security breaches, not on companies finding out more about individuals. The editorial concludes:

Executives should understand that openly discussing threats helps everyone become more alert to risks, which would be in their own long-term interest.