According to an item on Govtech, The FBI is looking for a little help from businesses in their effort to bring cyber criminals to justice.
Assistant AG for National Security John Carlin and FBI Director James Comey said they need more than knowing how a breach occurred. They also want to know why the bad guys are after them. So exactly what is in it for businesses to cooperate?
I assume that number one on most company’s list would be to get the bad guys, get the information back and put the perpetrator in jail for a long, long, time. Let’s analyze this.
While some cyber attacks come from inside the US, many come from foreign countries. Countries that are not terribly friendly to us. Countries like Russia, China, North Korea and other places. Do you think China is going to help us catch some cyber thieves? Not likely. Many of them are likely on the government’s payroll. The ones that are not and are doing things that the government doesn’t like will likely disappear. That problem is solved. Sending them to the US to face trial? Not gonna happen.
What are companies concerned will happen?
1. My company will be turned into a crime scene. To some extent, this is likely to happen. The Feds are going to want to collect evidence. Are they going to come thundering in and haul off all your computers? Not likely, but there are no parameters that say what they are going to do and not do. Are they going to question my employees and take their time? Likely yes.
2. I will get a lot of PR – all bad. This is likely to happen anyway unless you can keep the breach quiet. If it consists of stealing corporate intellectual property, you can probably do that, but the odds of catching the bad guys go to zero. On the other hand, once the IP is stolen, getting it back is probably not very useful, since it has likely already been copied and distributed. You cannot get the cow back in the barn.
3. The FBI is not going to understand what I am telling them and I will get frustrated. Also likely to an extent. The FBI is hiring a bunch of cyber agents, but they are not programmers and not system administrators and they have not been involved with your company to understand how your systems work. Still, they are getting much better than they were.
4. The bad guys won’t get caught. Also likely. The US just indicted a bunch of Chinese military hackers. Do you think the Chinese are going to turn them over to us. Not very likely. That indictment was a publicity stunt to try to impress the uninformed. At least we do have some idea of who was attacking us, but the odds of us getting our hands on them to put them through our legal process is as close to zero as you can get.
5. Information I don’t want to get out will get out. Partly true. Some information will be protected, but unless a judge agrees to seal an indictment or clear the courtroom before testimony, which is very unusual, some information will get out and you won’t get to decide what does and what does not.
So it is a messy situation. No easy answers. Your board will have to make some decisions. Also consider, however, that if it involves PII (like credit cards) or PHI (like medical records), the decision is mostly out of your hands unless you want to break the law – and they know where you live, so that is probably not a good plan.
Best answer – work hard to protect yourself and hope that your breaches are small.
Sorry if you were looking for a better answer.