Hacking Victims' ID to Stay Secret
Oct. 31, 2002
WASHINGTON (AP) - Senior law enforcement officials assured technology executives Thursday that government will increasingly work to keep secret the names of companies that become victims of major hacking crimes, along with any sensitive corporate disclosures that could prove embarrassing.
The effort, described at a cybercrime conference in northern Virginia, is designed to encourage businesses to report such attacks and build public confidence in Internet security. Officials promised to use legal mechanisms, such as protective orders and sealed court filings, to shield corporate hacking victims from bad publicity.
"It's important for us to realize that you have certain concerns as victim companies that we have to acknowledge," FBI Director Robert Mueller said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discreetly without wearing official jackets with "FBI" emblazoned on them.
"The mere calling of us in an investigation can have an adverse impact on the image of your company," said Mueller, who has made cybercrime an FBI priority. In exchange for this protection, Mueller said, companies should more frequently admit to the FBI when they are victims of hacking. "You're not enabling us to do the job," he said.
Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers. Companies say they fear loss of trust by customers and shareholders, costs associated with a formal investigation and increased scrutiny by regulators.
New efforts to protect the identities of hacking victims also contrast markedly with traditional hacker culture, which frequently blames companies and organizations that are targets of online attacks for failing to secure their networks adequately.
"There may very well be ways that law enforcement can get a criminal sanction imposed but not have all the names of the companies made public," said Marty Stansell-Gamm, chief of the Justice Department's computer crime section. But she cautioned: "That's not something that law enforcement can guarantee."
Instead, Stansell-Gamm said companies that have publicized hacking crimes along with their own explanations have fared well with customers and shareholders.
"Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," she said. "If a bank robber sticks a gun in a teller's face, the public is not confused about whose fault that is."
Paul McNulty, the U.S. attorney for the Eastern District of Virginia, said government's goal is to "prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has." He pledged that prosecutors will "minimize publicity so there is no disincentive to come forward."
McNulty's district is home to major technology companies and one of the Internet's most important physical junctions.
He cited congressional efforts, supported by the Bush administration, to exempt from the Freedom of Information Act any details that companies might disclose to the proposed Department of Homeland Security about vulnerabilities in their operations. He said amending the law could be helpful "in case there is a concern that reports of hacks or intrusions in federal records might find their way into the hands of those who would use that information against us."
Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.
"Nobody wants to be yanked out in front of the public to say, 'Hey, I was the victim of a crime.' Most people don't want their 15 minutes," Howard said. "We can protect you where we can, and we will do that when it's within the law and the constitutional rights of the defendant. When we've got individuals (as witnesses) we want to keep off the stand, we just won't use them."