Organizations Rarely Report Breaches to Law Enforcement

Meanwhile, FBI says it's making the process more private and more of a two-way street
Another challenge for victim organizations is knowing who to call if they do decide to report a breach: local law enforcement, the FBI, the Department of Homeland Security, or who? National cybersecurity coordinator Howard Schmidt earlier this month said he's looking at ways to provide companies information on who to contact when an incident occurs and how to protect their intellectual property. Schmidt said companies today don't have a central point of contact for reporting breach events.

So just what kind of information might the FBI supply victim organizations if they report breaches to the bureau? The FBI's Troy says the bureau recently discovered a group of attackers targeting financial institutions and informed the financial services industry of the attackers' methods. A bank later approached the bureau after finding evidence that attackers had infiltrated their systems. "We had a bank come back to us after they were patching and found evidence that attackers were trying to exploit that vulnerability," Troy says. "This two-way sharing has increased. We consider it a critical part of our mission."

Troy says the FBI is focused on identifying a threat and eliminating it. "The FBI in the last couple of years, led by the Director, has made a huge change in the way we do business ... In the past, we'd be talking about the biggest case, how it's going, and if we arrested someone yet," Troy says. Now "it's not necessarily did you put someone in jail, but did you do something to reduce the threat," he says.

But for now, most organizations are more comfortable with grass-roots, confidential efforts for sharing their attack experiences and information, such as The Bay Area CSO Council, for example, where CSOs confidentially share attack data among one another.

Unisys' Titus says these grass-roots efforts seem to work better. And it's still unclear just how the feds could coordinate a breach reporting process: "Even if we start reporting these types of activities, who's going to track them?" Titus says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading