Thursday, February 28, 2013

An Eerie Silence on Cybersecurity

EDITORIAL

Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users’ e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.
In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash. So why do they feel that the theft of trade secrets that are often much more valuable does not deserve to be discussed? Companies might argue that it’s hard to quantify the losses from cyberattacks, but that does not mean that they are costless.
By keeping quiet, companies also make it more difficult for other businesses and the government to protect against similar attacks. Recent evidence suggests that cyberassaults against corporate and government systems are becoming more frequent and more sophisticated. Bringing these assaults into the open can make everybody more secure. President Obama’s recent executive order encouraging voluntary sharing of information is a welcome step in that direction.
This is not about shaming companies. It is about protecting these companies as well as individuals against security breaches. A recent study showed that state laws that require companies to inform individuals about security breaches on personal information like credit card numbers have resulted in a modest drop in identity theft in those states. That suggests that timely disclosures give individuals the opportunity to take action to protect themselves and encourage corporate executives to increase efforts to protect their systems.
In 2011, the Securities and Exchange Commission issued nonbinding guidelines informing companies about their responsibilities under existing laws to report cyberattacks; the commission has also sent letters suggesting that companies reveal more information about the threats they encounter. If confirmed by Congress, Mary Jo White, Mr. Obama’s choice to lead the agency, could strengthen the commission’s efforts by making the guidelines binding. Big investors like pension funds should also demand more data from companies because as shareholders they lose when secrets are stolen.
As more companies reveal breaches, the stigma of doing so fades. Recent reports in The Times that hackers in China attacked its computer systems appeared to encourage other newspapers to admit that they had been attacked, too. Executives should understand that openly discussing threats helps everyone become more alert to risks, which would be in their own long-term interest.