U.S. Backing for Guidelines on Fighting Cybercrime

R. A. Hettinga rah at shipwright.com
Tue Feb 12 17:06:36 EST 2002


http://www.nytimes.com/2002/02/12/technology/12CYBE.html?todaysheadlines=&pagewanted=print



February 12, 2002


U.S. Backing for Guidelines on Fighting Cybercrime


By BARNABY J. FEDER


The first guidelines for responding to attacks on computer systems to be
endorsed by both the F.B.I. and the Secret Service, the main Federal
agencies fighting such crimes, were published yesterday.

The guidelines were drafted by government and private security experts
brought together by CIO magazine, a trade publication for information
technology executives.

The guidance comes at a time when the number of both government and private
organizations trying to track and fight electronic crimes has been
expanding, partly in response to Sept. 11. But experts say many businesses
continue to be reluctant to provide law enforcement officials with enough
information to pursue cybercriminals. Companies often fear that they will
lose business if security breaches become public or that they will become
the target of revenge attacks.

"People are very fearful of all the publicity that surrounds going after
someone and convicting them," said Bruce Schneier, chief technology officer
of Counterpane, a computer security company based in Cupertino, Calif.

Such fears can be overcome in many cases, said Ronald L. Dick, the F.B.I.
official who heads the government's National Infrastructure Protection
Center. "They'll share information with us every time if they have an
inkling we can prosecute successfully," Mr. Dick said. Still, he said, the
new guidelines should help fight fears that the government agencies would
respond to intrusion reports "by seizing your server and putting yellow
tape around it."

The 12-page CIO guidelines provide complete contact information for
businesses to report intrusions to public authorities and various
information-sharing partnerships like the 65 InfraGard chapters the F.B.I.
has helped set up around the nation. They also outline practices that the
F.B.I. and Secret Service advocate, like developing relationships with
electronic crimes experts at the agencies ahead of time so that managers
have a personal contact to take their call.

The guidelines advise against reporting minor intrusions, like the efforts
of outsiders to scan corporate systems for ways to penetrate them. Such
probes can occur hundreds or even thousands of times a month at a major
company. While such information could be useful in theory, the guidelines
say, it would swamp the current data systems of clearinghouses like the
National Infrastructure Protection Center or the Internet Storm Center,
which is operated by the SANS Institute, an international research
organization for security experts.

Breaches of computer defenses by worms, viruses, hacks and other intrusions
that cause damage are another matter. Law enforcement officials need all
the help they can get in catching up with such activity, said Bruce A.
Townsend, special agent in charge of the Secret Service's financial crimes
division.

"This is constantly evolving, unlike something like drug trafficking," Mr.
Townsend said.

Most experts say cybercrimes cost billions of dollars annually. Last year,
only 36 percent of those who experienced intrusions reported them to
authorities, according to an annual survey by the Computer Security
Institute and the San Francisco office of the F.B.I.

Mr. Townsend said the major part of the guidelines was not the standardized
form for reporting intrusions but the emphasis on planning ahead. Some
experts argue though that few companies will do an adequate job in that
regard unless forced to by regulatory authorities.

"We need metrics of how prepared people are for cyberattacks and provisions
like the Securities and Exchange Commission required for Y2K for corporate
disclosure," said Harris N. Miller, president of the Information Technology
Association of America, a trade group that has participated in organizing
information-sharing groups on security matters.


Copyright 2002 The New York Times Company
-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
