A recent example of this is the “Sibiu Cyber-Terrorists”, as they have been dubbed by the FBI (Sibiu Cyber-Terrorists). This Romanian group would hack into the databases of American companies and download personal and confidential customer information. They would then contact the company and blackmail them for $50,000 in exchange for not going public with the security breach.
Their operation was successful as company after company would wire the $50,000 rather than risk the negative publicity and loss of consumer trust and confidence.
Eventually some company said “enough is enough” and notified the FBI. Pooling resources with the Special Investigations arm of the Romanian Supreme Court they were able to set up a sting operation and apprehend the cyber-thugs.
In order to foster cooperation amongst corporations in securing the Internet and protecting the critical infrastructure of the United States various proposals have been discussed and put forth to allow an exemption from the US Freedom of Information Act for corporations reporting cyber-attack incidents. Only with sharing of such information rather than hiding it can steps be taken to prevent similar attacks in the future and possibly catch the culprits.
On the extreme opposite end of the spectrum from being exempted from the US Freedom of Information Act, Senator Dianne Feinstein (D – California) has introduced a bill (SecurityFocus Article) that would require companies to notify their customers in the event of a compromise of any personal or confidential data such as credit card numbers, social security numbers or drivers license numbers.
There are a few exemptions and loopholes, but essentially the company would have to notify affected customers “without unreasonable delay” via email or regular mail. If the cost for individual notification exceeds certain thresholds the company could opt to post a bulletin about the incident on their web site and / or alert the media to get the word out.
This is in obvious stark contrast with the Bush Administration’s and the Department of Homeland Security’s continuing efforts to pursue the US Freedom of Information Act exemption and to assure companies that everything possible is being done to protect their identity and the details of the incident from public knowledge.
If Senator Feinstein’s bill is successful and companies are compelled to disclose information of attacks, it still satisfies the Department of Homeland Security’s need for that information to be shared. The main difference is that corporations would be required to disclose information rather than persuaded to do so.