Should you share breach information?

When companies suffer a security breach today they face that core dilemma: Tell the world and hope the honesty helps others, or keep it under wraps to avoid tarnishing the brand and duck possible lawsuits? One thing is clear from the arguments below: It is time for the government to take the guesswork out of the equation.

The Experts
Peter George
Peter George

President and Chief Executive Officer, Fidelis says companies should share security breach information because that is the only way we will be able to cobble together a comprehensive picture of the threats and fight back. View debate

Philip Lieberman
Philip Lieberman

President and CEO of Lieberman Software argues that companies can’t share details of security breaches because doing so puts shareholder value at risk and may lead to lawsuits. View debate

Peter George

A critical first step

Yes companies should be required to share breach information. It is a critical first step in defending ourselves.

In May of 2011, five Democratic senators sent a letter to U.S. Securities Exchange Commission Chairwoman Mary Schapiro asking for a motion that will require companies to disclose their cyber risk. The intent is to protect investors by exposing information that will allow them to make more educated decisions. We need similar disclosure requirements about security breaches to help fortify our defenses.

The data breach quiz

Recent data breaches are a result of targeted attacks that start with a malware source and initial infection. Once inside, the program calls out to command and control systems and then moves laterally through the enterprise, infecting more hosts and seeking higher levels of privilege and direct access to valuable information. Targeted information is staged and exfiltrated across the network perimeter.

By definition, every targeted attack is unique, engineered specifically to infiltrate organizations and steal information, but they all follow similar patterns and leave trails. Collectively, we can follow these footprints and monitor the paths the bad guys use, but we need to share information about each breach to prevent future attacks.

Because of the economic potential, we know that even if we stop one attack it will just be re-routed to go after another target. The only way to battle these adversaries is to go on the offensive, and that requires sharing knowledge about the attacks - and the knowledge sharing has to span federal agencies and the private sector.

As an initial step, the government needs to create a clearing house of information that corporations can access if they agree to follow a set of rigid reporting requirements. We also need to mandate that corporations provide information about breaches to this clearinghouse. All information will be located centrally and a communication and collaboration process will be put in place to keep track of each foreign fingerprint found on a corporation's network.

Companies should disclose both cyber intrusions and the forensics about such intrusions. This is essential to preventing these attacks from compromising the viability of our businesses and our national security interests.

Got cyber insurance?

While there are times when the federal government and private sector come together, this collaboration needs to be standardized. Today the government might warn an enterprise about suspicious activity, and leave it to the company to discover what's going on within its network. But that company is not required to circle back to verify the activity and share what was learned - which means no one is the wiser. Why not disclose the information collected?

2011 will be remembered because of Anonymous, LulzSec and hacker collectives that came together. Hacker groups are smart; they collaborate, and we need to do the same.

While it's thrilling to see some teamwork on this front, the time has come to put the effort into motion. Right now the bad guys have the advantage.

Changing the balance of power requires working together better, sharing information, and committing to a better security posture by innovating technologies and improving our processes. We cannot treat breaches as individual threats anymore, but as pieces to a larger puzzle that will someday allow us to detect threats before they enter our networks.

Pearl Harbor was a crystallizing moment that proved the need for sharing military intelligence. In hindsight the government learned that this single event was the result of a major intelligence lapse: a result of misleading analysis, collection gaps and adversaries giving false information, trying to muddle in the middle of it all.

In the cyber world, we've had a series of smaller crystallizing moments that are serving as warning signs. We shouldn't need a crippling event like Pearl Harbor to prod us into action. We're seeing signs, so we cannot sit back and wait. Data breaches can be prevented with appropriate analysis, information and collaboration, and sharing information is the first step in understanding and preventing future breaches.

Since 2002 Fidelis Security Systems has been providing organizations with the network visibility, analysis and control necessary to manage advanced threats and prevent data breaches.

Philip Lieberman

Not unless you're forced to

If a corporation is to act in the best interests of its shareholders there's no benefit in sharing details of security breaches unless the disclosure is required by law or doing so would help curtail the financial loss for customers, partners or others. As to there being a fiduciary responsibility to disclose a breach, this continues to be a grey area of the law.

Exposing details of your data breach could damage shareholder value if it diminishes the corporation's reputation or triggers fines and sanctions from regulators and industry groups. The disclosure might also inhibit the organization's access to capital (both private and public) if it raises questions about corporate governance. Such disclosure may also trigger both frivolous as well as well-founded lawsuits.

By the numbers: the impact of data breaches

Recent headlines prove that any organization can fall victim, regardless of prior investments in security. And because so many of today's high-profile attacks seem motivated by some combination of politics, greed and ego, the disclosure will likely fuel more attacks.

It is the job of the government to provide clear guidance as to breach reporting requirements of corporations. The objectives of such reporting should be to provide intelligence to law enforcement, assist in apprehending the perpetrator, and help prosecute the crime. Another objective is to properly assign culpability for the breach and not further victimize the corporation and its customers.

Unfortunately, the greed of our various State Attorney Generals can result in further punishment of corporate victims under the banner of states' rights. Corporate victims find themselves fined by states for the crime of being victimized - the justification of apparently being that victim corporations are rich enough to pay.

And prosecutors seem to have the mistaken impression that it's always within corporations' power to protect private data. In effect, today's corporations are expected to erect an impenetrable defense against all attackers - including nation-state funded criminals that no one is proven capable of defeating.

A Solution

The federal government has proposed rules whereby corporations would receive immunity from prosecution if they promptly informed law enforcement about breaches and helped capture and try the perpetrators.

State and federal governments also should do a better job of issuing specific, actionable security standards to help shield compliant organizations from attack.

Evolving standards like the Consensus Audit Guidelines are a start, and the recent Securities and Exchange Commission guidance is encouraging, however until now federal and state governments have done too little to promote standards like these.

For corporations the lack of actionable, unambiguous cyber security standards effectively means that doing nothing and doing everything possible could have equal weight to a judiciary unschooled in information technology - or to prosecutors hell-bent on filling empty state coffers.

The lack of actionable corporate security requirements - and the fact that there is no safe harbor for organizations that disclose data breaches and cooperate with prosecution - creates a perverse scenario where it's simply not in a corporation's interest to divulge any more than is required by law. In fact, it can be argued that a corporate officer who discloses more than the legal minimum ought to be terminated for disregarding the organization's responsibility to its shareholders.

It is about time that the federal government publish its guidelines for the disclosure of public breaches and spell out how corporations can protect themselves from prosecution by "doing the right things".

I also believe that litigating against a corporation (whether a public or private action) that has taken reasonable care to protect its systems is both counterproductive and vexatious. But of course this doesn't stop some attorneys from "making hay" while the sun of ambiguous guidance still shines.

It's time for the federal government to put shysters that attack breached companies out of business and allow corporations to do the right thing by disclosing breaches without punishment. Today, however, companies should not share breach information.

Lieberman Software provides privileged identity management and security management solutions to customers worldwide, including 40% of the Fortune 50. 

Want more Tech Debates? Check out our archive page


Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022