By Kelly Jackson Higgins
March 30, 2010
Most organizations hit by breaches that don't require public disclosure
don't call in law enforcement -- they consider it an exposure risk, with
little chance of gaining any intelligence from investigators about
the attack, anyway.
FBI director Robert Mueller has acknowledged this dilemma facing
organizations that get hacked, noting in a speech at the RSA Conference
last month that disclosing breaches to the FBI is the exception and not
the rule today. But the FBI will protect victim organizations' privacy
and data, and will share what information it can from its investigation, he
said, rather than continue with the mostly one-way sharing that
organizations traditionally have experienced when dealing with the FBI.
Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe,
says different companies have their own rules about reporting to law
enforcement. "[Many] won't talk to law enforcement without an NDA
[non-disclosure agreement]," says Terrell, who was speaking on behalf of
the Council. "The FBI has a hard time signing it. That hasn't been
successful so far, so sharing with the FBI has been minimal."
He says the feds have their own communications "protocol" for sharing
classified information, but they don't have a standard and confidential
way to work with the private sector on breach investigations. And until
the feds can work with NDAs, there won't be much back-and-forth between
companies and these agencies about breaches, he predicts.