[Vision2020] An Eerie Silence on Cybersecurity

Art Deco art.deco.studios at gmail.com
Wed Feb 27 04:18:25 PST 2013


  The New York Times <http://www.nytimes.com/>

------------------------------
February 26, 2013
An Eerie Silence on Cybersecurity

Apart from a few companies like Google, which revealed that Chinese hackers
had tried to read its users’ e-mail messages, American companies have
been disturbingly silent
<http://www.nytimes.com/2013/02/21/technology/hacking-victims-edge-into-light.html?hp&pagewanted=all&_r=0>
about cyberattacks on their computer systems — apparently in fear that this
disclosure will unnerve customers and shareholders and invite lawsuits and
unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly
traded companies to share material information about their businesses. Most
companies would tell investors if an important factory burned to the ground
or thieves made off with hundreds of millions of dollars in cash. So why do
they feel that the theft of trade secrets that are often much more valuable
does not deserve to be discussed? Companies might argue that it’s hard to
quantify the losses from cyberattacks, but that does not mean that they are
costless.

By keeping quiet, companies also make it more difficult for other
businesses and the government to protect against similar attacks. Recent
evidence suggests that cyberassaults against corporate and government
systems are becoming more frequent and more sophisticated. Bringing these
assaults into the open can make everybody more secure. President Obama’s recent
executive order
<http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity>
encouraging voluntary sharing of information is a welcome step in that
direction.

This is not about shaming companies. It is about protecting these companies as
well as individuals against security breaches. A recent study
<http://onlinelibrary.wiley.com/doi/10.1002/pam.20567/abstract?systemMessage=Wiley+Online+Library+will+be+disrupted+on+23+February+from+10%3A00-12%3A00+BST+%2805%3A00-07%3A00+EDT%29+for+essential+maintenance&userIsAuthenticated=false&deniedAccessCustomisedMessage=>
showed that state laws that require companies to inform individuals about
security breaches on personal information like credit card numbers have
resulted in a modest drop in identity theft in those states. That suggests
that timely disclosures give individuals the opportunity to take action to
protect themselves and encourage corporate executives to increase efforts
to protect their systems.

In 2011, the Securities and Exchange Commission issued nonbinding
guidelines
<http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm>
informing companies about their responsibilities under existing laws to
report cyberattacks; the commission has also sent letters suggesting that
companies reveal more information about the threats they encounter. If
confirmed by Congress, Mary Jo White, Mr. Obama’s choice to lead the
agency, could strengthen the commission’s efforts by making the guidelines
binding. Big investors like pension funds should also demand more data from
companies because as shareholders they lose when secrets are stolen.

As more companies reveal breaches, the stigma of doing so fades. Recent
reports in The Times that hackers in China attacked its computer systems
<http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html>
appeared to encourage other newspapers to admit that they had been
attacked, too. Executives should understand that openly discussing threats
helps everyone become more alert to risks, which would be in their own
long-term interest.


-- 
Art Deco (Wayne A. Fox)
art.deco.studios at gmail.com