Tip of the Iceberg: 107,655 Cybersecurity Incidents in 2011

Tuesday, June 19, 2012

Joel Harding


According to a Reuters report (linked here), cybersecurity experts claim most security incidents are not reported.

I’m going to put on my cybersecurity cynic hat for a second and say a loud “BS” for one reason cited in the article.

“The justification they used for not announcing is that they only do business with the U.S. government and it doesn’t really matter that the Chinese stole all their IP because the U.S. government will never buy from China, so it wasn’t really material to them,” said Alperovitch, who declined to name the company.  (Dmitri Alperovitch, founder and chief technology officer of CrowdStrike)

When I read this I almost got sick; the obtuse logic defies all credibility. The important thing the author, Andrea Shalal-Esa, must have left out is ‘he said while rolling his eyes’.

If a company CEO or even a spokesperson had said this to me, privately, I would probably have to physically suppress my laughter, as this honestly sounds like a politician answering a direct question.

“There have been lots of breaches in every industry that have never been publicized,” said Shawn Henry, the FBI’s former top cyber cop, who joined a new cyber security company, CrowdStrike, in April.

Henry said the FBI was working on 2,000 active cyber cases when he retired from the agency in March. “There’s only a handful of cases that anybody has ever heard about,” he said.

These 2,000 cases encompass only the tip of the iceberg of cybersecurity business or government espionage, theft and other criminal intrusions into corporate systems.

I honestly hate to cite an article in which I am quoted, but in this article by Taylor Armerding, I cover many of the reasons a corporation might not disclose what should be considered highly proprietary and sensitive information.

To disclose this information to the government risks the information becoming known to competitors, who may use it against you in competition for the same clients. A competitor can say they have a better security record than you, causing you to potentially lose a contract.

This causes a problem in perception, brand or reputation management of your company, forcing you to commit valuable resources to fix the damage to your reputation.

So what?

What is needed is a level playing field for all corporations. Initially, all corporations need to disclose cybersecurity incident data to the government so that a systemic defense is possible; otherwise our overall economy is not secure.

If corporations only voluntarily share their information, only a small percentage will be compliant and we will not see a comprehensive picture; we might not see systemic trends.

Cross-posted from To Inform is to Influence
