Cyber Crime · cyber security · Cybercrime · Cybersecurity

Tip of the Iceberg: 107,655 Cybersecurity Incidents Reported in FY 2011

Computer security old school
Computer security old school (Photo credit: sridgway)

According to a Reuters report, here, cybersecurity experts claim most security incidents are not reported.

I’m going to put on my cybersecurity cynic hat for a second and say a loud “BS” for one reason cited in the article.

“The justification they used for not announcing is that they only do business with the U.S. government and it doesn’t really matter that the Chinese stole all their IP because the U.S. government will never buy from China, so it wasn’t really material to them,” said Alperovitch, who declined to name the company.  (Dmitri Alperovitch, founder and chief technology officer of CrowdStrike)

When I read this I almost got sick, the obtuse logic defies all credibility.  The important thing the author, Andrea Shalal-Esa, must have left out is ‘he said while rolling his eyes’.  If a company CEO or even a spokesperson had said this to me, privately, I would have to probably physically suppress my laughter, as this honestly sounds like a politician answering a direct question.

“There have been lots of breaches in every industry that have never been publicized,” said Shawn Henry, the FBI’s former top cyber cop, who joined a new cyber security company, CrowdStrike, in April.

Henry said the FBI was working on 2,000 active cyber cases when he retired from the agency in March. “There’s only a handful of cases that anybody has ever heard about,” he said.

These 2,000 cases encompass only the tip of the iceberg of cybersecurity business or government espionage, theft and other criminal intrusions into corporate systems.

I honestly hate to cite an article in which I am quoted, but in this article by Taylor Amerding, I cover many of the reasons a corporation might not disclose what should be considered highly proprietary and sensitive information.

To disclose this information to the government risks the information becoming known to competitors, which may be used against them in competition for the same clients.  A competitor can say they have a better security record than you, causing you to potentially lose a contract. This causes a problem in perception, brand or reputation management of your company, forcing you to commit valuable resources to fix the damage to your reputation.

So what?

What is needed is a level playing field for all corporations.  Initially all corporations need to disclose cybersecurity incident data to the government so that a systemic defense is possible, otherwise our overall economy is not secure. If corporations only voluntarily share their information, only a small percentage will be compliant and we will not see a comprehensive picture, we might not see systemic trends.