Our Silence Is Hackers' Greatest Ally
Have you noticed that "fear" seems to be a major theme in this era of information-overload?
"Be afraid; be very afraid," the slasher-movie moguls warn us. "Fear Factor" is a TV success. "No Fear" has become the mantra of the "extreme" board, shorts-wearing crowd. We're fighting a War on Terror. And then there's the list of phobias that seems to grow longer every day.
Everywhere you look, someone is telling you to be afraid, or unafraid, of some thing or some person or some other-worldly creature. When you think about it, it's kind of scary.
Of course, some fear is useful, even desirable. "Who's afraid of the big bad wolf?" ask two of the legendary Three Little Pigs in a popular song. It turns out that Pig Number Three used a healthy dose of fear to motivate himself to build a brick house that kept that wolf at bay. Lucky thing for the other two porkers that he had extra room when they came frantically knocking at his door after their flimsy houses had been decimated.
When it comes to hackers (those who would access computer systems for nefarious or "recreational" reasons), I would similarly suggest that fear is a healthy response, but only if it's the Pig Number Three variety. Let me explain.
In September of this year, New York-based PricewaterhouseCoopers and CIO magazine announced results of a worldwide survey (47 countries, across all industries). The survey found that nearly two-thirds (64 percent) of respondents had "experienced negative security incidents in the past 12 months." These attacks included insertion of malicious code, unauthorized systems access and denial-of-service incidents.
However, the survey yielded another result that can only be characterized as disturbing: 41 percent of the respondents said they don't report such security incidents to anyone, including the authorities. In other words, when their systems are breached, they're keeping their mouths shut. The question, apparently not explored by the survey, is why?
Perhaps some of those companies have been threatened by hackers with more damage if they report incidents, but my instincts tell me that most of them are just plain scared of having anyone know their systems are that vulnerable. If you're a bank or an insurance company, for example, would you want to advertise that your systems were not capable of protecting your customers' money and/or private information?
Yet the survey reveals quite clearly that nearly two-thirds of companies have had breaches. Does anyone believe that banks and insurers are immune?
Consider the results of another survey from Ernst & Young in New York. They talked to some 56 North American banks and insurance companies and found that only 38 percent of those queried would rate themselves as "adequate" or better in their ability to secure critical information from malicious attack or disaster. In fact, 30 percent of the respondents describe their ability to identify information system vulnerabilities as "marginal" or "inadequate." Now that is frightening.
"The risks are increasing, and as the vulnerability and threats increase, organizations have not been able to stay up to speed in addressing them as effectively as they would like," commented William Barrett, partner and leader of E&Y's Technology & Security Risk Services Group. The solution, he added, is not necessarily spending more money on security, but doing a better job at "prioritizing" security risks and spending in the areas of highest priority.
When a company's systems are breached, however, a conspiracy of silence is the hacker's best friend. When a company is mum, law enforcement loses what could be valuable information about the cyber-criminal. The hacker is able to continue his or her dirty work safe in the knowledge that more than 40 percent of the victims will never report the crime. The victims, meanwhile, publicly live the lie that their systems are impregnable. But all the while they are doubly fearful of further attacks.
Microsoft, based in Redmond, Wash., recently announced $5 million in rewards for information leading to the arrest and conviction of those who launch viruses and worms on the Internet. Hackers often use such malicious code to gain access to and/or control targeted computer systems.
One could view this announcement as a publicity stunt (and that view may be justified), but it is a small step in the right direction. It is an attempt to get people, and companies, to open up and share information so that cyber-criminals can be brought to justice.
When it comes to fear of cyber-attack, we can rightly cite one of the most famous remarks from Franklin Delano Roosevelt in his 1933 inaugural speech: "So, first of all, let me assert my firm belief that the only thing we have to fear is fear itself--nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance."
Now, I am definitely not among those who would elevate the four-time president to sainthood, but I think he does say something very important here. Fear that "paralyzes needed efforts to convert retreat into advance" is just what most of the "silent 41 percent" suffer from. To save what they see as a potentially tarnished image, such firms will stay mum and allow the criminals to have still greater successes.
On the other hand, fear that motivates us to positive action is a blessing. Just ask those pigs in the brick house.
It's not easy to admit your systems have been cracked by hackers, but in this age when such events are commonplace, it's not a damning indictment, either.
To quote the same FDR speech again: "This is preeminently the time to speak the truth, the whole truth, frankly and boldly." When we can bring ourselves to openly share information with authorities and others, and realize that we are fighting a common enemy, we will turn the tide in the fight against cyber-criminals.
As a very wise man once said, "The truth will set you free." Report your breaches and help catch a hacker today.
Senior Editor Ara C. Trembly is NU's tech guru. He may be reached at atrembly@nuco.com.
Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, December 12, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.